TLS
Meridian terminates TLS on downstream (client-facing) connections using rustls, a TLS implementation written in Rust. Upstream connections from Meridian to backends are plain HTTP: traffic is encrypted only between the client and Meridian, so backends should be reachable only over a network segment you trust.
Configuration
Add a tls section to any listener:
[[listeners]]
name = "https"
address = "0.0.0.0:8443"
filter_chain = []
[listeners.tls]
cert_path = "/etc/meridian/server.crt"
key_path = "/etc/meridian/server.key"
Fields
| Field | Type | Required | Description |
|---|---|---|---|
| cert_path | string | yes | Path to PEM-encoded certificate chain |
| key_path | string | yes | Path to PEM-encoded private key |
Restrict the key file to the user Meridian runs as (for example mode 0600); the certificate file carries no secrets and can be world-readable.
Certificate Format
Certificates and keys must be PEM-encoded. The certificate file should contain the full chain: the leaf certificate first, followed by the intermediate(s) in signing order (each certificate signed by the one after it); the root CA certificate is not needed:
-----BEGIN CERTIFICATE-----
(leaf certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate CA)
-----END CERTIFICATE-----
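A structural check of the two files before pointing a listener at them, as an added example (not Meridian's own code; it uses only the Rust standard library). The names PemBlock, parse_pem, check_cert_file, check_key_file, SAMPLE_CHAIN and SAMPLE_KEY are this example's own, and the sample PEM bodies are constructed placeholders, not real certificates or keys. It catches a private key pasted into the chain file, a mismatched or missing END line, non-base64 text inside a block, and a passphrase-protected key (the listener config above has no passphrase field). It does not parse X.509, so it cannot confirm that the leaf really is the first block.

```rust
// Added example (not Meridian's code): a structural check for the PEM files
// named by cert_path and key_path, using only the Rust standard library.
use std::fs;

#[derive(Debug, PartialEq)]
pub struct PemBlock {
    pub label: String,
    pub body: String, // base64 text with line breaks removed
}

/// Split PEM text into labelled blocks, rejecting malformed framing.
pub fn parse_pem(text: &str) -> Result<Vec<PemBlock>, String> {
    let mut blocks = Vec::new();
    let mut open: Option<(String, String)> = None;
    for (n, raw) in text.lines().enumerate() {
        let line = raw.trim();
        if let Some(label) = line.strip_prefix("-----BEGIN ").and_then(|s| s.strip_suffix("-----")) {
            if open.is_some() {
                return Err(format!("line {}: BEGIN inside an unterminated block", n + 1));
            }
            open = Some((label.to_string(), String::new()));
        } else if let Some(label) = line.strip_prefix("-----END ").and_then(|s| s.strip_suffix("-----")) {
            match open.take() {
                Some((l, body)) if l == label => blocks.push(PemBlock { label: l, body }),
                Some((l, _)) => return Err(format!("line {}: END {} closes BEGIN {}", n + 1, label, l)),
                None => return Err(format!("line {}: END without BEGIN", n + 1)),
            }
        } else if let Some((_, body)) = open.as_mut() {
            // Inside a block only base64 characters are allowed.
            let ok = line.bytes().all(|b| b.is_ascii_alphanumeric() || b"+/=".contains(&b));
            if !ok {
                return Err(format!("line {}: non-base64 text inside a block", n + 1));
            }
            body.push_str(line);
        }
        // Text outside any block (e.g. `openssl x509 -text` output) is ignored.
    }
    if open.is_some() {
        return Err("file ends inside a block (missing END line)".into());
    }
    Ok(blocks)
}

/// cert_path: one or more CERTIFICATE blocks and nothing else. Returns the count.
pub fn check_cert_file(text: &str) -> Result<usize, String> {
    let blocks = parse_pem(text)?;
    if let Some(b) = blocks.iter().find(|b| b.label != "CERTIFICATE") {
        return Err(format!("cert_path contains a {} block; only certificates belong here", b.label));
    }
    if blocks.is_empty() {
        return Err("cert_path contains no CERTIFICATE block".into());
    }
    Ok(blocks.len())
}

/// key_path: exactly one unencrypted private key block and nothing else. Returns its label.
pub fn check_key_file(text: &str) -> Result<String, String> {
    let blocks = parse_pem(text)?;
    if blocks.len() != 1 {
        return Err(format!("key_path must hold exactly one block, found {}", blocks.len()));
    }
    match blocks[0].label.as_str() {
        "PRIVATE KEY" | "RSA PRIVATE KEY" | "EC PRIVATE KEY" => Ok(blocks[0].label.clone()),
        "ENCRYPTED PRIVATE KEY" => Err("key is passphrase-protected; the listener config has no passphrase field".into()),
        other => Err(format!("key_path holds a {} block, not a private key", other)),
    }
}

// Constructed sample input: PEM framing with placeholder base64 bodies, not real certificates or keys.
pub const SAMPLE_CHAIN: &str = "-----BEGIN CERTIFICATE-----\nbGVhZg==\n-----END CERTIFICATE-----\n\
-----BEGIN CERTIFICATE-----\naW50ZXJtZWRpYXRl\n-----END CERTIFICATE-----\n";
pub const SAMPLE_KEY: &str = "-----BEGIN PRIVATE KEY-----\nbm90IGEgcmVhbCBrZXk=\n-----END PRIVATE KEY-----\n";

fn main() {
    // Usage: pemcheck <cert_path> <key_path>; with no arguments the constructed samples are checked.
    let args: Vec<String> = std::env::args().collect();
    let (cert, key) = if args.len() == 3 {
        (fs::read_to_string(&args[1]).expect("read cert_path"), fs::read_to_string(&args[2]).expect("read key_path"))
    } else {
        (SAMPLE_CHAIN.to_string(), SAMPLE_KEY.to_string())
    };
    match check_cert_file(&cert) {
        Ok(n) => println!("cert_path: {} certificate(s); the first block must be the leaf", n),
        Err(e) => eprintln!("cert_path: {}", e),
    }
    match check_key_file(&key) {
        Ok(l) => println!("key_path: one {} block", l),
        Err(e) => eprintln!("key_path: {}", e),
    }
}
```

Run it against the real files before restarting Meridian; a chain count of 1 on a CA-issued certificate usually means the intermediate was forgotten, which some clients tolerate (AIA fetching) and others reject.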
Protocol Support
- TLS 1.2 and 1.3 — both supported, with safe defaults; rustls implements no older protocol versions, so TLS 1.0 and 1.1 clients cannot connect
- ALPN negotiation — advertises h2 and http/1.1
- HTTP/2 over TLS — clients that negotiate h2 via ALPN are handled by the HTTP/2 connection handler automatically
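How the h2 / http/1.1 choice above is reached on the wire, as an added example (not Meridian's or rustls's code; standard library only). It parses the ALPN extension body a client sends in its ClientHello (RFC 7301: a 2-byte list length, then length-prefixed protocol names) and selects a protocol by server preference, i.e. the first entry of the server's own list that the client also offered. The names SERVER_ALPN, parse_alpn, select_alpn and encode_alpn are this example's own, and the extension bytes are constructed. That rustls's server uses server-preference selection, and fails the handshake with a no_application_protocol alert when a client offers ALPN with no overlap, is my reading of rustls; confirm it against the rustls version Meridian is built with.

```rust
// Added example (not Meridian's or rustls's code): RFC 7301 ALPN parsing and
// server-preference selection for a listener that advertises h2 and http/1.1.

/// The listener's advertised protocols, in order of preference.
pub static SERVER_ALPN: [&[u8]; 2] = [b"h2" as &[u8], b"http/1.1"];

/// Parse the body of a ClientHello ALPN extension into the offered names.
pub fn parse_alpn(ext: &[u8]) -> Result<Vec<Vec<u8>>, String> {
    if ext.len() < 2 {
        return Err("extension body shorter than its length field".into());
    }
    let list_len = u16::from_be_bytes([ext[0], ext[1]]) as usize;
    if list_len == 0 || 2 + list_len != ext.len() {
        return Err("protocol list length does not match extension body".into());
    }
    let mut names = Vec::new();
    let mut i = 2;
    while i < ext.len() {
        let n = ext[i] as usize;
        i += 1;
        if n == 0 {
            return Err("empty protocol name".into());
        }
        if i + n > ext.len() {
            return Err("protocol name runs past end of list".into());
        }
        names.push(ext[i..i + n].to_vec());
        i += n;
    }
    Ok(names)
}

/// Server-preference selection: the first server protocol the client also offered.
/// None means no overlap; the handshake then cannot agree on an application protocol.
pub fn select_alpn(client: &[Vec<u8>]) -> Option<&'static [u8]> {
    SERVER_ALPN
        .iter()
        .copied()
        .find(|ours| client.iter().any(|c| c.as_slice() == *ours))
}

/// Encode an offered list as an extension body (used here to construct inputs).
pub fn encode_alpn(names: &[&[u8]]) -> Vec<u8> {
    let mut body = Vec::new();
    for n in names {
        body.push(n.len() as u8);
        body.extend_from_slice(n);
    }
    let mut out = (body.len() as u16).to_be_bytes().to_vec();
    out.extend(body);
    out
}

fn main() {
    // Constructed ClientHello ALPN bodies: a browser-style offer, an HTTP/1.1-only
    // client, and a client with nothing in common with the listener.
    let offers: [&[&[u8]]; 3] = [&[b"http/1.1" as &[u8], b"h2"], &[b"http/1.1"], &[b"spdy/3"]];
    for offer in offers.iter() {
        let ext = encode_alpn(offer);
        let names = parse_alpn(&ext).expect("constructed input is well-formed");
        match select_alpn(&names) {
            Some(p) => println!("client offered {:?} -> selected {}", names.len(), String::from_utf8_lossy(p)),
            None => println!("client offered {:?} -> no common protocol", names.len()),
        }
    }
}
```

Note that a client listing http/1.1 before h2 still ends up on the HTTP/2 handler, because the server's order wins; a client that sends no ALPN extension at all never reaches select_alpn and is not covered by this example.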
Why rustls?
| Property | rustls | OpenSSL/BoringSSL |
|---|---|---|
| Memory safety | Protocol and record-layer code in safe Rust; the crypto backend (ring or aws-lc-rs) still carries C and assembly | C code, requires unsafe FFI from Rust |
| Performance | Within 5-10% of BoringSSL | Slightly faster RSA |
| Dependency | Rust crate built by cargo, ~50KB | C library, ~2MB, cmake |
| Audit history | Cure53 audit (2020) | Multiple audits |
Writing the protocol state machine and record parsing in safe Rust removes the memory-corruption bug classes (buffer over-reads such as Heartbleed, use-after-free) behind many CVEs in C-based TLS libraries. It does not remove logic or cryptographic flaws, and the crypto backend is still largely C and assembly, so rustls and its backend need the same patch cadence as any other dependency.