Summary
Backend H2 connections are always `Connection<TcpStream>` (cleartext) in `Router.backends: HashMap<Token, Connection<TcpStream>>` at `lib/src/protocol/mux/mod.rs`.
This means H2 backend proxying uses h2c (cleartext HTTP/2) to upstreams. For environments requiring end-to-end encryption (e.g., mutual TLS to backends, zero-trust networking), backends should support TLS wrapping.
Current state
- Frontend: supports both `TcpStream` (HTTP) and `FrontRustls` (HTTPS)
- Backend: only `TcpStream` — no TLS
Possible approach
- Introduce a backend TLS wrapper (similar to `FrontRustls` but for client-initiated connections)
- Add a per-cluster `backend_tls` config flag alongside the existing `http2` flag
- Backend `Connection<TlsStream>` variant for TLS-wrapped upstreams
Priority
Low — most deployments terminate TLS at the proxy and use plaintext to trusted backends.