Open
Description
Currently, river can terminate TLS on a TCP socket, or listen on a Unix socket without TLS. It does not appear to support terminating TLS on a Unix socket listener. This prevents a common architecture where a frontend proxy forwards raw TLS traffic to a backend service over a Unix socket for decryption.
I would like river to support TLS termination directly on a Unix socket listener. This would allow for more flexible and performant proxy setups.
Ideal Configuration Example:

    services {
        my-service {
            listeners {
                // Allow cert-path and key-path on a unix socket
                "unix:/path/to/river.sock" cert-path="/path/to/fullchain.pem" key-path="/path/to/privkey.pem"
            }
        }
    }

Comparison with Nginx:
This is standard practice in other reverse proxies like Nginx:

    # Nginx can listen on a socket and handle TLS
    listen unix:/dev/shm/nginx.sock ssl;
    ssl_certificate "/path/to/fullchain.pem";
    ssl_certificate_key "/path/to/privkey.pem";

This feature would greatly improve river's interoperability in complex environments.
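The architecture this issue describes, sketched end to end in Nginx, the proxy the issue cites as already supporting it. This is an added example, not part of the original issue and not river configuration; the hostname, the use of the PROXY protocol and the realip settings are assumptions, and the paths are the issue's placeholders.

```nginx
# Constructed example. Frontend and backend are shown in one file for brevity;
# in practice they are usually separate processes or services.
events {}

# Frontend: accepts TCP 443 and forwards the still-encrypted byte stream.
# No certificate or key is loaded here, so this layer never sees plaintext.
stream {
    server {
        listen 443;
        proxy_pass unix:/dev/shm/nginx.sock;

        # A Unix socket peer has no IP address. The PROXY protocol header
        # carries the original client address to the backend (assumption:
        # the backend wants it for logging and rate limiting).
        proxy_protocol on;
    }
}

# Backend: terminates TLS on the Unix socket, as in the issue's snippet.
http {
    server {
        listen unix:/dev/shm/nginx.sock ssl proxy_protocol;
        server_name app.example.test;   # placeholder hostname

        ssl_certificate     "/path/to/fullchain.pem";
        ssl_certificate_key "/path/to/privkey.pem";

        # Requires ngx_http_realip_module. "unix:" trusts every Unix socket
        # peer, so any local process able to connect to the socket can claim
        # an arbitrary client address. Keep the socket in a directory that
        # only the frontend's user can enter.
        set_real_ip_from unix:;
        real_ip_header   proxy_protocol;

        location / {
            return 200 "ok\n";
        }
    }
}
```

The private key lives only with the backend, which is the property the requested river feature would preserve.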