TLS Endpoints can be created using the
aptible endpoints:tls:create command.
TLS Endpoints terminate TLS traffic and transfer it as plain TCP to your app.
TLS Endpoints are configured similarly to TCP Endpoints.
The Endpoint will listen for TLS traffic on exposed ports and transfer it as TCP traffic to your app over the same port. For example, if your Image exposes port
123, the Endpoint will listen for TLS traffic on port
123, and forward it as TCP traffic to your app Containers on port
❗️ Unlike HTTP(S) Endpoints, TLS Endpoints currently do not provide Zero-Downtime Deployment. If you require Zero-Downtime Deployments for a TLS app, you'd need to architect it yourself, e.g. at the DNS level.
SSL / TLS Settings
Aptible offer a few ways to configure the protocols used by your endpoints for TLS termination through a set of Configuration variables. These are the same variables as can be defined for HTTP(S) Endpoints. If set once on the application, they will apply to all TLS and HTTPS endpoints for that application.
SSL_PROTOCOLS_OVERRIDE: Control SSL / TLS Protocols
SSL_PROTOCOLS_OVERRIDE variable lets you customize the SSL Protocols allowed on your Endpoint. The format is that of Nginx's ssl_protocols directive. Pay very close attention to the format, as a bad variable will prevent the proxies from starting.
SSL_CIPHERS_OVERRIDE: Control ciphers
This variable lets you customize the SSL Ciphers used by your Endpoint.
The format is a string accepted by Nginx for its ssl_ciphers directive.
Pay very close attention to the required format, as here, again a bad variable will prevent the proxies from starting.
DISABLE_WEAK_CIPHER_SUITES: an opinionated policy
Setting this variable to
true (it has to be the exact string
true) causes your Endpoint to stop accepting traffic over the
SSLv3 protocol or using the
We strongly recommend setting this variable to
true on all TLS Endpoints nowadays.
aptible config:set --app "$APP_HANDLE" \ "SSL_PROTOCOLS_OVERRIDE=TLSv1.1 TLSv1.2"
# Note: the value to enable DISABLE_WEAK_CIPHER_SUITES is the string "true" # Setting it to e.g. "1" won't work. aptible config:set --app "$APP_HANDLE" \ DISABLE_WEAK_CIPHER_SUITES=true