HTTP vs. L4 Routing — When to Use Which?
GateControl supports two routing types: HTTP Routing (Layer 7) for domain-based routing with all HTTP features, and L4 Routing (Layer 4) for raw TCP/UDP port forwarding.
Quick Rule
If the service is accessed in a browser (HTTP/HTTPS), use HTTP Routing. If it's a non-HTTP protocol (SSH, database, game server), use L4 Routing.
Feature Comparison
| Feature | HTTP (Layer 7) | L4 (Layer 4) |
|---|---|---|
| Routing method | Domain-based | Port-based |
| HTTPS / Let's Encrypt | Yes | Only with TLS Terminate |
| Compression | Yes | No |
| Rate Limiting | Yes | No |
| Auth (Basic/Route) | Yes | No |
| Peer ACL | Yes | No |
| Retry / Circuit Breaker | Yes | No |
| Uptime Monitoring | HTTP Check | TCP Check |
| WebSocket | Yes (Upgrade) | Yes (as TCP) |
Typical L4 Use Cases
- Minecraft Server: TCP, Port 25565, TLS: None
- SSH Access: TCP, Listen Port 2222 → Target Port 22
- Database: TCP, Listen Port 5433 → Target Port 5432
- Game Server (UDP): UDP, Port 27015
L4 TLS Modes
| Mode | Description |
|---|---|
| None | No TLS, raw TCP/UDP traffic |
| Passthrough | TLS passed through, end-to-end encryption |
| Terminate | Caddy terminates TLS with Let's Encrypt, backend gets unencrypted TCP |
Important
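- With TLS None, each L4 route needs its own exclusive listen port
- Multiple L4 routes with TLS can share the same listen port, because they are told apart by SNI
- L4 routes have no HTTP features: rate limiting, auth (Basic/Route), Peer ACL, compression and retry / circuit breaker from the comparison table above are not applied to L4 traffic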
WebSocket Support
HTTP Routes: WebSocket connections start as a regular HTTP request with a Connection: Upgrade header. Caddy detects this automatically and switches to a persistent WebSocket connection — no configuration needed.
L4 Routes: Since L4 forwards the raw TCP stream, WebSocket works here too — Caddy forwards the bytes 1:1 and does not interpret the HTTP upgrade, so none of the HTTP features apply to the connection.