Securing the Gateway

The faspio Gateway uses Transport Layer Security (TLS) to secure your TCP connections and initiate key exchange for the FASP protocol.

Important: TLS is enabled by default on all your bridges. You must provide valid certificates to your Gateways before they can connect.

Configuring TLS

When two Gateways connect to each other, they use Mutual TLS (mTLS) authentication so that traffic is encrypted and each side verifies the other. mTLS requires a certificate chain, a certificate key, and a verification key on both servers. Here is a sample configuration of two servers configured with mTLS:

GW1 Configuration (Client)

     [[bridge]]
        [bridge.local]
           protocol = "tcp"
               host = "127.0.0.1"
               port = "2000-2001"
        tls_enabled = true
         cert_chain = "tls/gw1_cert_chain.pem"
           cert_key = "tls/gw1_cert_key.pem"
             verify = "tls/verify.pem"

        [bridge.forward]
           protocol = "fasp"
               host = "Gateway2"
               port = "3000-3001"
        tls_enabled = true
         cert_chain = "tls/gw1_cert_chain.pem"
           cert_key = "tls/gw1_cert_key.pem"
             verify = "tls/verify.pem"
host_verify_enabled = true

GW2 Configuration (Server)

     [[bridge]]
        [bridge.local]
           protocol = "fasp"
               host = "127.0.0.1"
               port = "3000-3001"
        tls_enabled = true
         cert_chain = "tls/gw2_cert_chain.pem"
           cert_key = "tls/gw2_cert_key.pem"
             verify = "tls/verify.pem"

        [bridge.forward]
           protocol = "tcp"
               host = "127.0.0.1"
               port = "4000-4001"
        tls_enabled = true
         cert_chain = "tls/gw2_cert_chain.pem"
           cert_key = "tls/gw2_cert_key.pem"
             verify = "tls/verify.pem"
cert_chain: The relative path to the certificate chain signed by a valid CA.

cert_key: The relative path to the private key matching the cert chain.

verify: The relative path to the verification key that verifies the other server's chain is signed by the correct CA.

host_verify_enabled: Optionally enforce additional security by requiring that the host field defined in the client's bridge.forward section matches the Common Name in the server's SSL certificate.

Disabling TLS

To disable TLS, add tls_enabled = false to the section of the connection for which you want to disable TLS. For example, if your faspio Gateway servers and HSTS servers run in the same private and secure network, you may consider disabling TLS for those sections only:

GW1 Configuration (Client)

     [[bridge]]
        [bridge.local]
           protocol = "tcp"
               host = "127.0.0.1"
               port = "2000-2001"
        tls_enabled = false

        [bridge.forward]
           protocol = "fasp"
               host = "Gateway2"
               port = "3000-3001"
        tls_enabled = true
         cert_chain = "tls/gw1_cert_chain.pem"
           cert_key = "tls/gw1_cert_key.pem"
             verify = "tls/verify.pem"
host_verify_enabled = true

GW2 Configuration (Server)

     [[bridge]]
        [bridge.local]
           protocol = "fasp"
               host = "127.0.0.1"
               port = "3000-3001"
        tls_enabled = true
         cert_chain = "tls/gw2_cert_chain.pem"
           cert_key = "tls/gw2_cert_key.pem"
             verify = "tls/verify.pem"

        [bridge.forward]
           protocol = "tcp"
               host = "127.0.0.1"
               port = "4000-4001"
        tls_enabled = false