Listeners & TLS

InfraGuard binds one or more HTTPS (or HTTP) listeners. Each listener declares the interface, port, TLS material, and which domains it serves.

Schema

listeners:
  - protocol: "https"        # https | http
    bind: "0.0.0.0"          # interface to bind
    port: 443
    tls:
      cert: "${INFRAGUARD_TLS_CERT}"   # path to PEM cert (chain)
      key: "${INFRAGUARD_TLS_KEY}"     # path to PEM private key
    domains:
      - "cdn.example.com"    # SNI hostnames served by this listener

Multiple Listeners

Run C2 on 443 and a phishing redirector on 8443 in a single process:

listeners:
  - protocol: "https"
    bind: "0.0.0.0"
    port: 443
    tls:
      cert: "${C2_CERT}"
      key: "${C2_KEY}"
    domains:
      - "cdn.example.com"

  - protocol: "https"
    bind: "0.0.0.0"
    port: 8443
    tls:
      cert: "${PHISH_CERT}"
      key: "${PHISH_KEY}"
    domains:
      - "phish.example.com"

HTTP (No TLS)

For lab use or when TLS is terminated upstream (Caddy, nginx, CDN):

listeners:
  - protocol: "http"
    bind: "127.0.0.1"
    port: 8080
    domains:
      - "localhost"

Never run HTTP listeners on a public interface in production. TLS is required — HTTP exposes the C2 profile and all implant traffic in plaintext.

Domain Routing

The domains list under each listener determines which hostnames InfraGuard accepts. Requests whose SNI or Host header does not appear in any listener's domains list are dropped.

Each domain listed here must have a corresponding key in the top-level domains: map. See Domains & Upstream.
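The following is an added example, not part of InfraGuard's own code, that checks a listeners block before deployment against the rules stated on this page: https listeners need resolvable tls.cert/tls.key placeholders, plaintext http listeners must not bind a non-loopback interface in production, each listed domain must exist in the top-level domains map, and no two listeners may claim the same bind:port. It also shows the hostname routing decision. The config is embedded as an already-parsed dict (constructed sample, so no YAML library is needed); the validator and its finding messages, the case-insensitive exact hostname match, and the port stripping on Host headers are this example's own assumptions, not documented InfraGuard behaviour.

```python
import ipaddress
import re
from typing import Optional

# Matches the "${VAR}" placeholders used for TLS material in the listener schema.
_PLACEHOLDER = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$")


def _resolve(value: str, env: dict) -> Optional[str]:
    """Expand a "${VAR}" placeholder from env; None means the variable is unset."""
    m = _PLACEHOLDER.match(value)
    return env.get(m.group(1)) if m else value


def _is_loopback(bind: str) -> bool:
    """True for 127.0.0.0/8 and ::1; anything unparsable is treated as non-loopback."""
    try:
        return ipaddress.ip_address(bind).is_loopback
    except ValueError:
        return False


def validate_listeners(config: dict, env: dict, production: bool = True) -> list:
    """Return a list of finding strings; an empty list means the listeners block passes."""
    findings = []
    known_domains = set(config.get("domains") or {})  # keys of the top-level domains: map
    seen_sockets = {}
    for i, lst in enumerate(config.get("listeners") or []):
        where = f"listeners[{i}]"
        proto = lst.get("protocol")
        if proto not in ("http", "https"):
            findings.append(f"{where}: protocol must be http or https, got {proto!r}")
        bind, port = str(lst.get("bind", "")), lst.get("port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            findings.append(f"{where}: port must be an integer in 1..65535")
        if (bind, port) in seen_sockets:
            findings.append(f"{where}: {bind}:{port} already bound by {seen_sockets[(bind, port)]}")
        seen_sockets.setdefault((bind, port), where)
        if proto == "https":
            tls = lst.get("tls") or {}
            for field in ("cert", "key"):
                raw = tls.get(field)
                if not raw:
                    findings.append(f"{where}: tls.{field} is required for https")
                elif _resolve(raw, env) is None:
                    findings.append(f"{where}: tls.{field} references unset variable {raw}")
        elif proto == "http" and production and not _is_loopback(bind):
            # Plaintext on a public interface exposes the profile and implant traffic.
            findings.append(f"{where}: plaintext http listener bound to non-loopback {bind}")
        if not lst.get("domains"):
            findings.append(f"{where}: domains list is empty")
        for d in lst.get("domains") or []:
            if d not in known_domains:
                findings.append(f"{where}: domain {d!r} missing from top-level domains map")
    return findings


def route(sni_or_host: str, config: dict) -> Optional[int]:
    """Index of the first listener whose domains list contains the hostname, or None (drop).

    Assumed matching rule: case-insensitive exact match, trailing dot and :port removed.
    """
    host = sni_or_host.strip().lower().rstrip(".")
    host = host[1:host.index("]")] if host.startswith("[") else host.split(":")[0]
    for i, lst in enumerate(config.get("listeners") or []):
        if host in {d.lower() for d in lst.get("domains") or []}:
            return i
    return None


# Constructed sample: mirrors the multi-listener layout above, with three deliberate defects.
SAMPLE_CONFIG = {
    "domains": {"cdn.example.com": {}, "localhost": {}},
    "listeners": [
        {"protocol": "https", "bind": "0.0.0.0", "port": 443,
         "tls": {"cert": "${C2_CERT}", "key": "${C2_KEY}"}, "domains": ["cdn.example.com"]},
        {"protocol": "https", "bind": "0.0.0.0", "port": 8443,
         "tls": {"cert": "${PHISH_CERT}", "key": "${PHISH_KEY}"}, "domains": ["phish.example.com"]},
        {"protocol": "http", "bind": "0.0.0.0", "port": 8080, "domains": ["localhost"]},
    ],
}
# Constructed environment: PHISH_KEY is intentionally missing.
SAMPLE_ENV = {"C2_CERT": "/path/to/c2.pem", "C2_KEY": "/path/to/c2.key",
              "PHISH_CERT": "/path/to/phish.pem"}

if __name__ == "__main__":
    for finding in validate_listeners(SAMPLE_CONFIG, SAMPLE_ENV):
        print(finding)
    print("cdn.example.com ->", route("cdn.example.com", SAMPLE_CONFIG))
    print("unknown.example.com ->", route("unknown.example.com", SAMPLE_CONFIG))
```

Running it against the sample reports the unset `${PHISH_KEY}` placeholder, the `phish.example.com` domain absent from the top-level map, and the plaintext listener on `0.0.0.0`; passing `production=False` suppresses only the last one, which matches the lab-use allowance above. Run this kind of check in CI or a pre-start hook so a listener never comes up with a missing key or an unintended plaintext exposure.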