TLS & Let’s Encrypt Configuration
Goma Gateway supports TLS encryption for securing traffic between clients and the gateway. You can configure TLS certificates manually or automatically using Let’s Encrypt (ACME).
Manual TLS Configuration
Define global TLS certificates for your routes by specifying certificate and private key pairs.
Configuration Keys
Key | Type | Description |
---|---|---|
cert | string | TLS certificate, provided as:<ul><li>File path (e.g., /path/to/cert.crt )</li><li>Raw PEM content</li><li>Base64-encoded string</li></ul> |
key | string | Private key, provided as:<ul><li>File path (e.g., /path/to/key.pem )</li><li>Raw PEM content</li><li>Base64-encoded string</li></ul> |
Example
version: 2
gateway:
tls:
keys:
# File paths
- cert: /path/to/certificate.crt
key: /path/to/private.key
# Base64-encoded
- cert: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS...
key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS...
# Raw PEM content
- cert: |
-----BEGIN CERTIFICATE-----
<certificate content>
-----END CERTIFICATE-----
key: |
-----BEGIN PRIVATE KEY-----
<private-key content>
-----END PRIVATE KEY-----
routes:
- path: /
name: secure-route
hosts: ["example.com"]
backends:
- endpoint: https://backend.example.com
Automatic Certificates with Let’s Encrypt (ACME)
Goma Gateway supports ACME providers like Let’s Encrypt for automatic certificate issuance and renewal.
Volume: Certificates and related data are stored in the container under /etc/letsencrypt.
Basic Configuration
To enable automatic certificate management, define at least the email for your ACME account and ensure the gateway is listening on ports 80 (for HTTP-01 challenges) and 443 (for HTTPS).
version: 2
gateway:
entryPoints:
web:
address: ":80" # Required for HTTP-01 challenge
webSecure:
address: ":443" # HTTPS endpoint
routes: [] # Define routes as needed
certManager:
acme:
email: "admin@example.com" # Email used for ACME registration and expiry notices
Advanced Configuration
The CertificateManager
block supports further customization:
Key | Description |
---|---|
directoryURL | Custom ACME directory, for example:https://acme-staging-v02.api.letsencrypt.org/directory |
storageFile | File to store ACME certificates (default: acme.json ) |
challenge | Challenge type (http-01 or dns-01 ) and DNS provider (e.g., cloudflare, acme) |
credentials | Provider-specific credentials (e.g., API tokens) |
Example (DNS-01 Challenge with Cloudflare)
certManager:
provider: acme
acme:
email: "admin@example.com"
directoryUrl: "https://acme-staging-v02.api.letsencrypt.org/directory"
storageFile: "acme.json"
challengeType: dns-01
dnsProvider: cloudflare
credentials:
apiToken: xxx-xxx-xxx