HTTP Tunnels

HTTP tunnels are the primary mechanism for exposing web services through rstream. The engine accepts an incoming HTTP connection on the tunnel endpoint and forwards the request to an upstream HTTP server inside the private environment.

HTTP tunnels are also the most feature-complete tunnel type: they support request routing, connection reuse, connection upgrades, and edge authentication mechanisms that are not available for non-HTTP protocols.

Downstream and upstream

Downstream refers to the public side of the tunnel: the client connection coming from the Internet toward the edge network. Upstream refers to the private side: the request sent from the engine toward the service running inside the environment.

The downstream side supports modern HTTP clients. The upstream side is configurable per tunnel and is intended to match the capabilities and expectations of the upstream service.

HTTP versions

The engine accepts the following HTTP version settings for the upstream connection: http/1.1, h2c, and h3. When no upstream version is specified and upstream TLS is disabled, the engine defaults the upstream version to http/1.1.

For h2c, the upstream connection uses cleartext HTTP/2. For h3, the tunnel uses HTTP/3 and is modeled as a datagram tunnel in rstream.

When upstream TLS is enabled, the engine establishes a TLS connection to the upstream service and then uses an HTTP transport over that connection.

Connection upgrades

HTTP tunnels can be used for protocols that upgrade from HTTP, such as WebSocket.

Related pages

Authentication describes token-based authentication and rstream auth for HTTP tunnels. Challenge Mode describes the optional challenge gate. Advanced Options covers TLS settings, mTLS, and version configuration.