HTTP Tunnels
HTTP tunnel behavior, versions, and upstream connectivity.
HTTP tunnels are the primary mechanism for exposing web services through rstream. The engine accepts an incoming HTTP connection on the tunnel endpoint and forwards the request to an upstream HTTP server inside the private environment.
HTTP tunnels are also the most feature-complete tunnel type: they support request routing, connection reuse, connection upgrades, and edge authentication mechanisms that are not available for non-HTTP protocols.
Downstream and upstream
Downstream refers to the public side of the tunnel: the client connection coming from the Internet toward the edge network. Upstream refers to the private side: the request sent from the engine toward the service running inside the environment.
The downstream side supports modern HTTP clients. The upstream side is configurable per tunnel and is intended to match the capabilities and expectations of the upstream service.
HTTP versions
The engine accepts the following HTTP version settings for the upstream connection: http/1.1, h2c, and h3. When no upstream version is specified and upstream TLS is disabled, the engine defaults the upstream version to http/1.1.
For h2c, the upstream connection uses cleartext HTTP/2. For h3, the tunnel uses HTTP/3 and is modeled as a datagram tunnel in rstream.
When upstream TLS is enabled, the engine establishes a TLS connection to the upstream service and then uses an HTTP transport over that connection. HTTP/1.1 and HTTP/2 are negotiated by the upstream HTTP client stack. HTTP/3 uses h3 and requires upstream TLS.
Connection upgrades
HTTP tunnels support connection upgrades. The engine relays the upgrade handshake to the upstream service and forwards the resulting connection end-to-end.
WebSocket is supported across all three upstream HTTP versions. On H1 and H2C upstreams the engine relays the standard upgrade handshake unchanged and then forwards the bidirectional byte stream to the upstream service. On an H3 upstream the engine uses Extended CONNECT over QUIC, which requires an HTTP/3-aware upstream server.
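One way to confirm that an HTTP/1.1 WebSocket handshake came back through the tunnel intact is to check the response the downstream client received: the hop-by-hop Upgrade and Connection headers must survive the relay, and Sec-WebSocket-Accept must answer the key the client sent. This is an added example, not rstream code; the function names are hypothetical and the sample handshake is the constructed one from RFC 6455.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample: client key and server response from the RFC 6455 example.
const sampleKey = "dGhlIHNhbXBsZSBub25jZQ=="
const sampleResp = "HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n" +
	"Connection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"

// acceptFor derives the Sec-WebSocket-Accept value for a client key (RFC 6455).
func acceptFor(key string) string {
	sum := sha1.Sum([]byte(key + "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// hasToken reports whether a comma-separated header list contains want.
func hasToken(values []string, want string) bool {
	for _, t := range strings.Split(strings.Join(values, ","), ",") {
		if strings.EqualFold(strings.TrimSpace(t), want) {
			return true
		}
	}
	return false
}

// checkUpgrade verifies that raw (the response the client saw) answers key.
func checkUpgrade(raw, key string) error {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	switch {
	case err != nil:
		return err
	case resp.StatusCode != http.StatusSwitchingProtocols:
		return fmt.Errorf("status %d, want 101", resp.StatusCode)
	case !strings.EqualFold(resp.Header.Get("Upgrade"), "websocket"):
		return fmt.Errorf("Upgrade header is %q", resp.Header.Get("Upgrade"))
	case !hasToken(resp.Header.Values("Connection"), "upgrade"):
		return fmt.Errorf("Connection header lacks the Upgrade token")
	case resp.Header.Get("Sec-WebSocket-Accept") != acceptFor(key):
		return fmt.Errorf("Sec-WebSocket-Accept does not answer the client key")
	}
	return nil
}
func main() { fmt.Println("relayed handshake:", checkUpgrade(sampleResp, sampleKey)) }
```

A failure on the Connection or Upgrade check points at an intermediary that stripped hop-by-hop headers; a failure on Sec-WebSocket-Accept points at a response that was not generated for this client's request.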
WebTransport is available over HTTP/3 tunnels. The engine relays WebTransport sessions, including bidirectional streams, unidirectional streams, and datagrams, through the tunnel to the upstream HTTP/3 service. All HTTP-level authentication features apply to WebTransport connections. See Connection Upgrades for setup details, Go SDK examples, and a comparison with raw QUIC tunnels.
Related pages
Authentication describes token-based authentication and rstream auth for HTTP tunnels. Challenge Mode describes the optional challenge gate. Advanced Options covers upstream TLS and version configuration. Connection Upgrades covers WebSocket and WebTransport.