Advanced Options

Advanced HTTP tunnel options and related TLS settings.

Written by uartnet

@uartnet

Most HTTP tunnels work well with the defaults: the engine exposes an HTTP endpoint and forwards upstream requests to a local HTTP server over http/1.1. Advanced options become relevant when the upstream service requires a specific HTTP version, when upstream TLS is required, or when edge authentication is combined with service-specific behavior.

Upstream HTTP version

The upstream HTTP version can be set to http/1.1, h2c, or h3. When no upstream version is configured and upstream TLS is disabled, the engine defaults to http/1.1.

In the CLI, the upstream version is configured with --http-version.

Upstream TLS

Upstream TLS enables TLS between the engine and the upstream service. This is configured with --http-use-tls.

When upstream TLS is enabled, the engine rejects an explicit upstream version setting in the current implementation.

Edge authentication and challenge

HTTP tunnels expose --token-auth, --rstream-auth, and --challenge-mode. These options are described in the Authentication and Challenge Mode pages.

The CLI also exposes TLS options such as --tls-min-version, --tls-ciphers, and mTLS settings. Those options apply to non-HTTP tunnel protocols and are documented in Tunnel Protocols.

Challenge Mode Tunnel Protocols

Upstream HTTP version

Upstream TLS

Edge authentication and challenge

Related TLS options