
Feature Request: TLS Termination on Unix Socket Listeners

Open vffuunnyy opened this issue 6 months ago • 0 comments

Currently, river can terminate TLS on a TCP socket, or listen on a Unix socket without TLS. It does not appear to support terminating TLS on a Unix socket listener. This prevents a common architecture where a frontend proxy forwards raw TLS traffic to a backend service over a Unix socket for decryption.

I would like river to support TLS termination directly on a Unix socket listener. This would allow for more flexible and performant proxy setups.

Ideal Configuration Example:

services {
    my-service {
        listeners {
            // Allow cert-path and key-path on a unix socket
            "unix:/path/to/river.sock" cert-path="/path/to/fullchain.pem" key-path="/path/to/privkey.pem"
        }
    }
}

Comparison with Nginx:

This is standard practice in other reverse proxies like Nginx:

# Nginx can listen on a socket and handle TLS
listen unix:/dev/shm/nginx.sock ssl;
ssl_certificate "/path/to/fullchain.pem";
ssl_certificate_key "/path/to/privkey.pem";

This feature would greatly improve river's interoperability in complex environments.

vffuunnyy, Aug 01 '25 21:08