diff --git a/site-src/concepts/api-overview.md b/site-src/concepts/api-overview.md index 20db51b0ab..494ea622f3 100644 --- a/site-src/concepts/api-overview.md +++ b/site-src/concepts/api-overview.md @@ -117,8 +117,13 @@ modifying them in-flight. TLSRoute is for multiplexing TLS connections, discriminated via SNI. It's intended for where you want to use the SNI as the main routing method, and are not interested -in properties of the higher-level protocols like HTTP. The byte stream of the -connection is proxied without any inspection to the backend. +in properties of the higher-level protocols like HTTP. When using a `Passthrough` +TLS listener, the encrypted byte stream of the connection is proxied directly to +the backend destination (which is then responsible for decrypting the stream) +without any introspection beyond the TLS metadata. When using a `Terminate` +TLS listener, encryption is terminated at the gateway to "unwrap" the connection, +allowing traffic inspection and routing based on attributes of the inner request +payload. #### TCPRoute and UDPRoute 
@@ -157,7 +162,7 @@ to allow multiple Routes to share ports on the Listener. |------|---------|---------------------|-----------|-------| |HTTPRoute| Layer 7 | Anything in the HTTP Protocol | Terminated only | HTTP and HTTPS Routing| |TLSRoute| Somewhere between layer 4 and 7| SNI or other TLS properties| Passthrough or Terminated | Routing of TLS protocols including HTTPS where inspection of the HTTP stream is not required.| -|TCPRoute| Layer 4| destination port | Passthrough or Terminated | Allows for forwarding of a TCP stream from the Listener to the Backends | +|TCPRoute| Layer 4| destination port | Terminated | Allows for forwarding of a TCP stream from the Listener to the Backends | |UDPRoute| Layer 4| destination port | None | Allows for forwarding of a UDP stream from the Listener to the Backends. | |GRPCRoute| Layer 7 | Anything in the gRPC Protocol | Terminated only | gRPC Routing over HTTP/2 and HTTP/2 cleartext| diff --git a/site-src/guides/tls.md b/site-src/guides/tls.md index 4d703dce9d..b225fe02ff 100644 --- a/site-src/guides/tls.md +++ b/site-src/guides/tls.md @@ -12,7 +12,7 @@ implementation(s) you're using with Gateway API. !!! info "Experimental Channel" - The `TLSRoute` and `BackendTLSPolicy` resources described below are currently only included in the + The `TLSRoute` resource described below is currently only included in the "Experimental" channel of Gateway API. For more information on release channels, refer to our [versioning guide](../concepts/versioning.md). 
@@ -26,14 +26,15 @@ For Gateways, there are two connections involved: - **upstream**: This is the connection between the Gateway and backend resources specified by routes. These backend resources will usually be Services. -With Gateway API, TLS configuration of downstream and -upstream connections is managed independently. +With Gateway API, TLS configuration of downstream and upstream connections is +managed independently. For downstream connections, depending on the Listener Protocol, different TLS modes and Route types are supported. | Listener Protocol | TLS Mode | Route Type Supported | |-------------------|-------------|---------------------| | TLS | Passthrough | TLSRoute | +| TLS | Terminate | TLSRoute (extended) | | TLS | Terminate | TCPRoute | | HTTPS | Terminate | HTTPRoute | | GRPC | Terminate | GRPCRoute | @@ -47,6 +48,9 @@ upstream TLS configuration. For `HTTPRoute`, the use of both `Terminate` TLS mod Using these together provides what is commonly known as a connection that is terminated and then re-encrypted at the Gateway. +For `TLSRoute`, the use of `Terminate` means that the TLS termination happens on +the `Gateway` and the connection to the backend resumes as an unencrypted connection. + ## Downstream TLS Downstream TLS settings are configured using listeners at the Gateway level.
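Review bot: in the api-overview.md hunk at @@ -117, the new `Terminate` sentence promises "routing based on attributes of the inner request payload", which contradicts the table in the same file (hunk @@ -157) that lists TLSRoute's routing discriminator as "SNI or other TLS properties" and describes it as for cases "where inspection of the HTTP stream is not required"; payload-based routing is what HTTPRoute and GRPCRoute provide. Suggest narrowing the sentence to what TLSRoute does in that mode, e.g. "the gateway decrypts the connection and forwards the plaintext stream to the backend, still selecting the backend by SNI", and say explicitly that the backend leg is unencrypted unless upstream TLS is configured, since that is the property a reader choosing between the two modes needs. Also, "without any introspection beyond the TLS metadata" could be made precise: in Passthrough the only thing the gateway reads is the SNI carried in the unencrypted ClientHello, and the backend is the party holding the certificate and key.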
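Review bot: in the api-overview.md table hunk at @@ -157, changing TCPRoute's TLS column from "Passthrough or Terminated" to "Terminated" leaves the row reading as though TCPRoute requires TLS, whereas the UDPRoute row uses "None" and a TCPRoute can equally be attached to a plain TCP listener with no TLS at all. Suggest "None or Terminated", and state in the PR description why Passthrough was dropped for TCPRoute (presumably because Passthrough is now documented as belonging to TLSRoute, matching the tls.md table in this diff), since the change is otherwise silent.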
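Review bot: in the tls.md hunk at @@ -12, dropping `BackendTLSPolicy` from the "Experimental Channel" admonition changes which resources the guide claims are experimental, but nothing else in this diff touches `BackendTLSPolicy` or the linked versioning guide. Confirm the channel status there before merging and mention the reason in the commit message; otherwise readers will take the guide's upstream TLS section as standard-channel when it may not be.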
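Review bot: in the tls.md table hunk at @@ -26, the new row "| TLS | Terminate | TLSRoute (extended) |" introduces "(extended)" without defining it; if it means the Extended support level, link or footnote it, since no other row carries a support-level marker. The table now also has two "TLS | Terminate" rows, so consider merging them into one row listing "TLSRoute (extended), TCPRoute" to keep the mode-to-route mapping readable.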
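Review bot: in the tls.md hunk at @@ -47, "the connection to the backend resumes as an unencrypted connection" should say whether upstream TLS configuration (the terminate-then-re-encrypt pattern the preceding paragraph describes for `HTTPRoute`) is also available for `TLSRoute`; as written it reads as though plaintext to the backend is the only outcome, which is exactly the detail an operator needs in order to decide whether the in-cluster leg is protected. Minor wording: "resumes" implies the connection was unencrypted earlier; "continues to the backend as a plaintext TCP connection" is more accurate.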