TLS and Networking

What you'll accomplish: Configure TLS, IP allowlists, CORS policies, request limits, and Unix sockets for your Hoziron deployment.

TLS configuration

Native TLS (bare metal / VM)

[server]
listen = "0.0.0.0:4200"

[server.tls]
enabled = true
cert_path = "/opt/hoziron/tls/cert.pem"
key_path = "/opt/hoziron/tls/key.pem"

Certificate and key paths are validated at startup — the daemon won't start if they're missing or unreadable.

Kubernetes / container (TLS at ingress)

[server]
listen = "0.0.0.0:4200"

[server.tls]
enabled = false

The ingress controller terminates TLS, so the daemon receives plaintext HTTP from the ingress and traffic between ingress and pod is unencrypted inside the cluster. If that hop must also be encrypted, enable the native TLS configuration above and have the ingress re-encrypt to the backend, or encrypt pod-to-pod traffic by other means. Note also that in this topology the peer address the daemon sees is the ingress's, not the original client's: enforce client restrictions at the ingress, and if you set allowed_ips (below), include the ingress's address range.

IP allowlist

Restrict access to known CIDR ranges:

[server]
allowed_ips = ["10.0.0.0/8", "192.168.1.100"]

Key details:

  • Supports individual IPs and CIDR notation (IPv4 and IPv6)
  • /health always bypasses the allowlist (orchestrator probes must work)
  • /metrics always bypasses (Prometheus scraping)
  • Unix socket connections bypass (no IP to check)
  • An empty list (allowed_ips = []) is rejected — remove the key entirely to allow all
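The rules above, as an added example written for this page (not the daemon's own code): startup validation of allowed_ips and the per-request decision. It uses only the Python standard library. Two details are this example's own choices rather than documented behaviour: CIDR entries with host bits set (10.1.2.3/8) are rejected, and IPv4-mapped IPv6 peers (::ffff:a.b.c.d, as a dual-stack listener reports them) are unwrapped so they match IPv4 rules.

```python
import ipaddress
from typing import Optional, Sequence

# Paths the page says always bypass the allowlist.
BYPASS_PATHS = frozenset({"/health", "/metrics"})


class ConfigError(ValueError):
    """Raised for an allowed_ips value the daemon would refuse at startup."""


def parse_allowed_ips(entries: Optional[Sequence[str]]):
    """Validate allowed_ips at startup.

    None means the key is absent (allow all). An explicit empty list is a
    configuration error, matching the documented behaviour. Entries may be
    bare addresses or CIDR blocks, IPv4 or IPv6.
    """
    if entries is None:
        return None
    if len(entries) == 0:
        raise ConfigError("allowed_ips = [] is rejected; remove the key to allow all")
    networks = []
    for entry in entries:
        try:
            # A bare address becomes a /32 or /128 network. strict=True (the
            # default) rejects host bits set in a CIDR, e.g. 10.1.2.3/8; that
            # strictness is this example's choice, not documented behaviour.
            networks.append(ipaddress.ip_network(entry))
        except ValueError as exc:
            raise ConfigError(f"invalid allowed_ips entry {entry!r}: {exc}") from exc
    return networks


def is_allowed(networks, peer_ip: Optional[str], path: str) -> bool:
    """Per-request decision. peer_ip is None for Unix socket connections."""
    if networks is None:          # key absent: allow everyone
        return True
    if path in BYPASS_PATHS:      # probes and scraping must keep working
        return True
    if peer_ip is None:           # Unix socket: no IP to check
        return True
    addr = ipaddress.ip_address(peer_ip)
    # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d; unwrap so
    # they match IPv4 rules (an added check, not something the page states).
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in networks)


if __name__ == "__main__":
    # Constructed sample: two documented entries plus a ULA IPv6 range.
    nets = parse_allowed_ips(["10.0.0.0/8", "192.168.1.100", "fd00::/8"])
    for peer, path in [("10.4.5.6", "/api"), ("192.168.1.101", "/api"),
                       ("192.168.1.101", "/health"), (None, "/api")]:
        print(peer, path, is_allowed(nets, peer, path))
```

The bypass for /health and /metrics means those two paths are reachable from any source that can route to the listener; if the metrics endpoint exposes anything sensitive, restrict it at the network layer rather than relying on allowed_ips.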

CORS

Only needed if a browser-based dashboard served from another origin calls the daemon directly. CORS is enforced by browsers, so the CLI and server-to-server clients are unaffected by this section:

[server.cors]
allowed_origins = ["https://dashboard.company.com"]
allow_credentials = true
max_age_secs = 3600

Validation rules:

  • Cannot use wildcard * with allow_credentials = true: browsers refuse a credentialed response whose Access-Control-Allow-Origin is *, and honouring the pair would let any site read responses carrying the user's cookies
  • Each origin must start with http:// or https://; an origin is scheme://host[:port] with no path, since that is what browsers send in the Origin header
  • Empty origins list is rejected when CORS is configured; omit the [server.cors] table entirely if no browser client needs it
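The validation rules and the resulting response headers, as an added example for this page (not the daemon's implementation). The startup check enforces the three documented rules; the per-request function shows what a correct CORS response looks like for a matching origin, for a non-matching origin (no headers, so the browser blocks the read), and for the wildcard. One check is this example's addition beyond the documented rules: an entry carrying a path, query or fragment is rejected because it could never equal a browser's Origin header.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit


class ConfigError(ValueError):
    """Raised for a [server.cors] value the daemon would refuse at startup."""


def normalize_origin(origin: str) -> str:
    """Canonical scheme://host[:port] form, matching what a browser sends."""
    parts = urlsplit(origin)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def validate_cors(allowed_origins: List[str], allow_credentials: bool = False,
                  max_age_secs: Optional[int] = None) -> dict:
    """Startup validation of [server.cors] per the documented rules."""
    if not allowed_origins:
        raise ConfigError("allowed_origins is empty; remove [server.cors] or list an origin")
    if allow_credentials and "*" in allowed_origins:
        # Browsers refuse Access-Control-Allow-Origin: * on credentialed
        # responses, and honouring it would hand any site the user's session.
        raise ConfigError("wildcard origin cannot be combined with allow_credentials = true")
    origins = set()
    for origin in allowed_origins:
        if origin == "*":
            origins.add("*")
            continue
        if not origin.startswith(("http://", "https://")):
            raise ConfigError(f"origin {origin!r} must start with http:// or https://")
        parts = urlsplit(origin)
        # Origin header values never carry a path; an entry with one can never
        # match. This check is an addition of this example, not a documented rule.
        if not parts.netloc or parts.path not in ("", "/") or parts.query or parts.fragment:
            raise ConfigError(f"origin {origin!r} must be scheme://host[:port] only")
        origins.add(normalize_origin(origin))
    return {"origins": origins, "credentials": allow_credentials, "max_age": max_age_secs}


def cors_headers(cfg: dict, request_origin: Optional[str],
                 preflight: bool = False) -> Dict[str, str]:
    """Headers for one request; an empty dict means the browser blocks the read."""
    if request_origin is None:
        return {}                       # not a cross-origin browser request
    headers: Dict[str, str] = {}
    if "*" in cfg["origins"]:
        headers["Access-Control-Allow-Origin"] = "*"
    elif normalize_origin(request_origin) in cfg["origins"]:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Vary"] = "Origin"      # caches must not replay this ACAO to other origins
        if cfg["credentials"]:
            headers["Access-Control-Allow-Credentials"] = "true"
    else:
        return {}
    if preflight and cfg["max_age"] is not None:
        headers["Access-Control-Max-Age"] = str(cfg["max_age"])
    return headers


if __name__ == "__main__":
    # The page's own sample configuration, then one allowed and one foreign origin.
    cfg = validate_cors(["https://dashboard.company.com"], allow_credentials=True, max_age_secs=3600)
    print(cors_headers(cfg, "https://dashboard.company.com", preflight=True))
    print(cors_headers(cfg, "https://attacker.example"))
```

Echoing the request origin (rather than the configured string) keeps the header byte-identical to what the browser compares against, and Vary: Origin stops a shared cache from serving one origin's allow header to another.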

Request limits

[server.limits]
max_request_body_bytes = 10485760   # 10 MB
idle_timeout_secs = 300             # 5 minutes
request_timeout_secs = 600          # 10 minutes

Limit                    Default        Purpose
max_request_body_bytes   10 MB          Prevents memory exhaustion from large payloads
request_timeout_secs     600 (10 min)   Prevents hung connections
idle_timeout_secs        300 (5 min)    Reserved for future connection-level enforcement

idle_timeout_secs is accepted but not yet enforced, so do not count on it to reap idle connections; request_timeout_secs is the limit that currently closes a stalled request.
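What enforcing max_request_body_bytes has to mean in practice, as an added illustration written for this page (it is not the daemon's code and makes no claim about how the daemon implements the limit). Rejecting on a declared Content-Length is necessary but not sufficient: a chunked body carries no length, and a client can declare a small one and keep sending. The reader below counts bytes as they arrive and never buffers more than one byte past the cap.

```python
import io
from typing import BinaryIO, Optional


class PayloadTooLarge(Exception):
    """Map to HTTP 413 in a real handler."""


def read_body_capped(stream: BinaryIO, max_bytes: int,
                     content_length: Optional[int] = None,
                     chunk_size: int = 8192) -> bytes:
    """Read a request body without ever buffering more than max_bytes.

    A declared Content-Length above the cap is rejected before any read.
    Whether or not a length is declared, bytes are counted as they arrive,
    so a chunked body or a client that under-reports its length is cut off
    one byte past the limit instead of being read to completion.
    """
    if content_length is not None and content_length > max_bytes:
        raise PayloadTooLarge(f"declared {content_length} bytes > limit {max_bytes}")
    buf = bytearray()
    while True:
        # Never ask for more than one byte past the cap: that byte is enough
        # to prove the body is too large, and nothing beyond it is buffered.
        want = min(chunk_size, max_bytes + 1 - len(buf))
        piece = stream.read(want)
        if not piece:
            return bytes(buf)
        buf += piece
        if len(buf) > max_bytes:
            raise PayloadTooLarge(f"body exceeds limit of {max_bytes} bytes")


if __name__ == "__main__":
    # Constructed bodies: an honest one within the limit and a client that
    # declares 5 bytes but actually sends 100.
    print(len(read_body_capped(io.BytesIO(b"x" * 10), 10)))
    try:
        read_body_capped(io.BytesIO(b"x" * 100), 10, content_length=5)
    except PayloadTooLarge as exc:
        print("rejected:", exc)
```

The same discipline applies to request_timeout_secs: a timeout that only covers the handler, not the body read, leaves a slow-sending client a way to hold a connection open for the full body size.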

Unix sockets

Supported for local-only access patterns. Unix socket connections bypass the IP allowlist, so access to this listener is governed by the socket file's ownership and mode rather than by allowed_ips:

[server]
listen = "unix:///var/run/hoziron.sock"

Current limitation: the CLI cannot connect to Unix sockets yet (reqwest limitation). Use curl --unix-socket or run a TCP listener alongside if CLI access is needed.

Listen address priority

The daemon resolves its listen address in this order (first match wins):

  1. CLI flag: hoziron start --listen 0.0.0.0:4200
  2. Environment variable: HOZIRON_LISTEN=0.0.0.0:4200
  3. Config file: [server].listen
  4. Default: 127.0.0.1:4200
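The precedence above, plus two startup checks a practitioner would want, as an added example for this page (not the daemon's code). resolve_listen walks the four sources in the documented order; parse_listen splits the winner into a TCP host and port or a Unix socket path; exposure_warnings is this example's own addition and flags a non-loopback bind with TLS off or no allowed_ips, which the page does not say the daemon does.

```python
import os
from typing import Mapping, Optional, Tuple


def resolve_listen(cli_flag: Optional[str] = None,
                   environ: Optional[Mapping[str, str]] = None,
                   config: Optional[dict] = None,
                   default: str = "127.0.0.1:4200") -> Tuple[str, str]:
    """Return (source, address) using the documented precedence, first match wins."""
    env = os.environ if environ is None else environ
    config_value = ((config or {}).get("server") or {}).get("listen")
    for source, value in (("cli", cli_flag),
                          ("env", env.get("HOZIRON_LISTEN")),
                          ("config", config_value),
                          ("default", default)):
        if value:
            return source, value
    raise AssertionError("unreachable: default is always set")


def parse_listen(address: str):
    """Split an address into ("unix", path) or ("tcp", host, port)."""
    if address.startswith("unix://"):
        return ("unix", address[len("unix://"):])
    host, sep, port = address.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"expected host:port or unix://path, got {address!r}")
    host = host.strip("[]")          # [::]:4200 -> ::
    return ("tcp", host, int(port))


def exposure_warnings(address: str, tls_enabled: bool, allowed_ips_set: bool):
    """Startup sanity checks added by this example; the page documents no such warnings."""
    parsed = parse_listen(address)
    if parsed[0] == "unix":
        return []                    # reachable only through the filesystem
    host = parsed[1]
    loopback = host in ("127.0.0.1", "::1", "localhost")
    warnings = []
    if not loopback and not tls_enabled:
        warnings.append("listening on a non-loopback address with TLS disabled")
    if not loopback and not allowed_ips_set:
        warnings.append("listening on a non-loopback address with no allowed_ips")
    return warnings


if __name__ == "__main__":
    # Constructed inputs: a CLI flag that should beat both the environment and the file.
    source, addr = resolve_listen("0.0.0.0:4200",
                                  {"HOZIRON_LISTEN": "10.0.0.5:4200"},
                                  {"server": {"listen": "unix:///var/run/hoziron.sock"}})
    print(source, addr, parse_listen(addr))
    print(exposure_warnings(addr, tls_enabled=False, allowed_ips_set=False))
```

In the Kubernetes pattern above (0.0.0.0 with TLS disabled) the TLS warning is expected and is what the ingress covers; the point of the check is to make that exposure a deliberate decision rather than a default.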

Network architecture
