
docs: `layer4.handlers.tls` / `tls.connection_policy.alpn` - Better communicate supported ALPN values

Open polarathene opened this issue 8 months ago • 2 comments

This might be a simple request to just have the related docs for the setting link to this IANA page for text values in "Identification Sequence" (unless additional support is required by Caddy L4, then clearly documenting the subset implemented).

Additionally, users may benefit from the README linking to the generated module docs page for better visibility of nested config options such as those layer4.handlers.tls offers. Ideally that link could filter to just the layer4 modules. It was not obvious to me initially where to find documentation about the tls.connection_policy setting 😅

This issue / request was spurred from my recent experience with the setting: https://github.com/mholt/caddy-l4/issues/276#issuecomment-2817496494

  • tls.connection_policy.alpn isn't really touched on with the current README docs. There are some brief mentions of alpn and connection_policy but information is limited there.
  • The generated layer4.handlers.tls docs page is likewise not too helpful for knowing what values are supported by Caddy for the alpn setting.

I've seen it used a few times in examples in issues/PRs for the repo though. My experience with it was with the referenced issue for handling DNS-over-TLS client connections, where kdig would fail without this being set to dot (works fine by default with nginx).

Is there a reference for where that support is defined? Or is it all ALPN identifiers? (my knowledge on the topic is rather limited)

I am aware of the relevant official IANA assignments page as a reference. The "Identification Sequence" column seems to provide the friendly text names that can be used as values like dot for DoT (DNS-over-TLS). Perhaps the related generated docs item should include a link that references that column for values?

polarathene · Apr 22 '25 01:04

Neither Caddy nor this module "enforce" any particular values, so you could put anything in there. ALPN is just the server advertising what protocols can be used, and the client requesting certain protocols. With l4 you could I guess kind of implement your own if you wanted to.

mholt · Apr 22 '25 17:04

Oh ok, is that more about what the service being proxied would support? There's no actual implementation in Caddy / L4 related to dot?

So the kdig client is requesting/checking the ALPN support for dot, while other clients like doggo may just assume and not fail when it's not advertised?

Another example I've seen is with postgresql for the ALPN protocol supported. I'm not too familiar with what's going on there, but assume Caddy L4 is terminating the TLS connection before it would have anything to do with the proxied service like PostgreSQL 🤔

Is there a default that L4 is using? Or do you always need to set this explicitly? I assume nginx is being more permissive by default, but likewise I could not find much information on where it configures such (if it does) or what the defaults for that are (I think they're from OpenSSL, and that might be similar with Caddy but provided by defaults from a Go lib instead? I recall an old Go release changelog related to ALPN changes).

polarathene · Apr 22 '25 22:04
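The advertise/request split described above, as an added example that is not part of caddy-l4 or Caddy: the server side's `NextProtos` plays the role of `tls.connection_policy.alpn`, the client side offers its own list, and Go's `crypto/tls` (which Caddy builds on) picks the first server entry the client also offered, leaves the protocol empty when the client sent no ALPN, and aborts with `no_application_protocol` when the lists do not overlap. The function name `NegotiateALPN`, the in-process `net.Pipe` transport and the throwaway self-signed certificate are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// NegotiateALPN runs one TLS handshake in-process: the server advertises serverProtos,
// the client offers clientProtos. It returns the agreed protocol or the client's error.
func NegotiateALPN(serverProtos, clientProtos []string) (string, error) {
	// Throwaway self-signed localhost certificate, constructed for this example.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	leaf, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // the client pins this one cert rather than using InsecureSkipVerify
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		NextProtos:             serverProtos, // what the server advertises (cf. connection_policy.alpn)
		SessionTicketsDisabled: true,         // no post-handshake server writes over the synchronous pipe
	}
	cliCfg := &tls.Config{ServerName: "localhost", RootCAs: roots, NextProtos: clientProtos}
	srv, cli := net.Pipe()
	go func() {
		tls.Server(srv, srvCfg).Handshake() // completes, or rejects with no_application_protocol
		srv.Close()
	}()
	conn := tls.Client(cli, cliCfg)
	defer conn.Close()
	if err := conn.Handshake(); err != nil {
		return "", err
	}
	return conn.ConnectionState().NegotiatedProtocol, nil
}
```

With server `["dot"]`: a client offering `["dot"]` negotiates `dot`, a client offering nothing connects with an empty protocol, and a client offering only `["h2"]` gets `remote error: tls: no application protocol`.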