document turning on showSSLExceptions (#1950)

rrayst · web-flow · commit 4abf59a8d445 · 2025-07-03T10:59:01.000+02:00
* document turning on showSSLExceptions

* document turning on showSSLExceptions
diff --git a/distribution/examples/security/ssl-tls/README.md b/distribution/examples/security/ssl-tls/README.md
@@ -4,4 +4,12 @@
 |--------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
 | [to-backend](to-backend)                   | How to secure communication from the API Gateway to a backend server.                                                         |
 | [api-with-tls-pkcs12](api-with-tls-pkcs12) | How to protect APIs deployed on the Gateway with TLS certificates (using a keystore in the PKCS12 format)"                    |
-| [api-with-tls-pem](api-with-tls-pem)       | How to protect APIs deployed on the Gateway with TLS certificates (using PEM formatted files for the key and the certificate) |
+| [api-with-tls-pem](api-with-tls-pem)       | How to protect APIs deployed on the Gateway with TLS certificates (using PEM formatted files for the key and the certificate) |
+
+# SSL/TLS Errors
+Depending on your use case for Membrane API Gateway, you may or may not want to set `<ssl showSSLExceptions="false">` (default) or `<ssl showSSLExceptions="true">`.
+
+In case you are setting up your keys and certificates for the first time, or you are searching for TLS misconfigurations,
+we advise `<ssl showSSLExceptions="true">`. This is why all examples in this folder have this setting.
+
+But when Membrane API Gateway is directly exposed to the internet on port 443, you most probably want to turn it off because too much "SPAM" is arriving.
diff --git a/distribution/examples/security/ssl-tls/api-with-tls-pem/proxies.xml b/distribution/examples/security/ssl-tls/api-with-tls-pem/proxies.xml
@@ -7,7 +7,7 @@
 	<router>
 
 		<api port="443">
-			<ssl>
+			<ssl showSSLExceptions="true">
 				<!-- Please replace key and certificate for production! -->
 				<key>
 					<private location="membrane-key.pem" />
diff --git a/distribution/examples/security/ssl-tls/api-with-tls-pkcs12/proxies.xml b/distribution/examples/security/ssl-tls/api-with-tls-pkcs12/proxies.xml
@@ -7,7 +7,7 @@
 	<router>
 
 		<serviceProxy port="443">
-			<ssl>
+			<ssl showSSLExceptions="true">
 				<!-- Please replace keystore for production! -->
 				<keystore location="../../../../conf/membrane.p12" password="secret" keyPassword="secret" />
 				<truststore location="../../../../conf/membrane.p12" password="secret" />
diff --git a/distribution/examples/security/ssl-tls/to-backend/proxies.xml b/distribution/examples/security/ssl-tls/to-backend/proxies.xml
@@ -8,7 +8,7 @@
 
 		<api port="2000">
 			<target host="api.predic8.de" port="443">
-				<ssl/>
+				<ssl showSSLExceptions="true" />
 			</target>
 		</api>
 		
