Securing the Gateway
The faspio Gateway uses Transport Layer Security (TLS) to secure your TCP connections and initiate key exchange for the FASP protocol.
Important: TLS is enabled by default on all your bridges. You must provide valid certificates to your Gateways before they can connect.
Configuring TLS
When two Gateways connect to each other, they use Mutual TLS (mTLS) authentication to ensure traffic is secure and trusted in both directions. mTLS requires a certificate chain, a certificate key, and a verification key on both servers. Here is a sample configuration of two servers configured with mTLS:
| GW1 Configuration (Client) | GW2 Configuration (Server) |
|---|---|
- cert_chain: The relative path to the certificate chain signed by a valid CA.
- cert_key: The relative path to the private key matching the certificate chain.
- verify: The relative path to the verification key (CA certificate) used to check that the other server's chain is signed by the correct CA.
- host_verify_enabled: Optionally enforce additional security by requiring that the host field defined in the client's bridge.forward section matches the Common Name in the server's SSL certificate.
Disabling TLS
To disable TLS, add tls_enabled = false to the section of the connection for which you want to disable TLS. For example, if your faspio Gateway servers and HSTS servers run in the same private and secure network, you may consider disabling TLS for those sections only:
| GW1 Configuration (Client) | GW2 Configuration (Server) |
|---|---|
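The following lint script is an added example, not IBM's code or part of the faspio Gateway product. It covers both sections above: it reads a bridge configuration, treats TLS as enabled unless tls_enabled = false is present, checks that cert_chain, cert_key and verify are all set wherever TLS is on, and reports where TLS has been switched off or where host_verify_enabled has been left unset on a forward connection. The TOML layout ([[bridge]] with [bridge.local] and [bridge.forward] sub-tables), the "host_verify_enabled defaults to off" behaviour, and the sample file paths are assumptions for the example; the parser handles only the TOML subset the sample uses.

```python
"""Lint the TLS settings of a faspio Gateway bridge configuration.

Added example (not IBM's code). Assumed: the config is TOML with [[bridge]]
tables holding [bridge.local] and [bridge.forward] sub-tables, TLS is on unless
tls_enabled = false, and host_verify_enabled is off unless set to true.
"""
import os

# Constructed sample: bridge 1 uses mTLS outbound but leaves host verification off,
# bridge 2 disables TLS on both sides (private network case), bridge 3 forgets cert_key.
SAMPLE_CONFIG = """
[[bridge]]
name = "tcp-to-fasp"
[bridge.local]
protocol = "tcp"
host = "0.0.0.0"
port = [3000]
tls_enabled = false
[bridge.forward]
protocol = "fasp"
host = "gw2.example.com"
port = [3001]
cert_chain = "certs/gw1-chain.pem"
cert_key = "certs/gw1-key.pem"
verify = "certs/ca.pem"
host_verify_enabled = false

[[bridge]]
name = "private-net"
[bridge.local]
protocol = "fasp"
host = "0.0.0.0"
port = [4000]
tls_enabled = false
[bridge.forward]
protocol = "tcp"
host = "10.0.0.5"
port = [4001]
tls_enabled = false

[[bridge]]
name = "missing-key"
[bridge.local]
protocol = "tcp"
host = "0.0.0.0"
port = [5000]
cert_chain = "certs/gw1-chain.pem"
cert_key = "certs/gw1-key.pem"
verify = "certs/ca.pem"
[bridge.forward]
protocol = "fasp"
host = "gw3.example.com"
port = [5001]
cert_chain = "certs/gw1-chain.pem"
verify = "certs/ca.pem"
host_verify_enabled = true
"""


def parse_value(text):
    """Parse the scalar/array subset of TOML used in the sample (no '#' inside strings)."""
    if text in ("true", "false"):
        return text == "true"
    if text.startswith('"') and text.endswith('"'):
        return text[1:-1]
    if text.startswith("[") and text.endswith("]"):
        inner = text[1:-1].strip()
        return [parse_value(item.strip()) for item in inner.split(",")] if inner else []
    return int(text)


def parse_toml_subset(text):
    """Minimal TOML reader: [[array]] tables, [dotted.sub] tables and key = value lines."""
    root, current = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[[") and line.endswith("]]"):
            current = {}
            root.setdefault(line[2:-2].strip(), []).append(current)
        elif line.startswith("[") and line.endswith("]"):
            node = root
            for part in line[1:-1].strip().split("."):
                existing = node.get(part)
                # A dotted header under an array table refers to its most recent element.
                node = existing[-1] if isinstance(existing, list) else node.setdefault(part, {})
            current = node
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = parse_value(value.strip())
    return root


def lint_bridge_tls(config, base_dir=None):
    """Return (severity, location, message) findings for every bridge side."""
    findings = []
    for bridge in config.get("bridge", []):
        name = bridge.get("name", "<unnamed>")
        for side in ("local", "forward"):
            section = bridge.get(side, {})
            where = f"bridge '{name}' [{side}]"
            if section.get("tls_enabled", True) is False:  # assumed default: enabled
                findings.append(("WARN", where, "TLS disabled; acceptable only on a trusted private network"))
                continue
            for key in ("cert_chain", "cert_key", "verify"):
                if key not in section:
                    findings.append(("ERROR", where, f"TLS enabled but '{key}' is not set"))
                elif base_dir and not os.path.isfile(os.path.join(base_dir, section[key])):
                    findings.append(("ERROR", where, f"'{key}' points to a missing file: {section[key]}"))
            if side == "forward" and section.get("host_verify_enabled", False) is not True:
                findings.append(("INFO", where, "host_verify_enabled is off; server CN is not matched against host"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'ERROR': 1, 'WARN': 3, 'INFO': 1}."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, where, message in lint_bridge_tls(parse_toml_subset(SAMPLE_CONFIG)):
        print(f"{severity:5} {where}: {message}")
```

Pass base_dir (the directory the gateway config lives in) to also confirm that each relative certificate path resolves to an existing file; with base_dir left as None the script only checks that the keys are present, which is what the sample run does.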