The KSP Gateway: HTTPS → Gateway → KSP
How do you actually use an experimental binary protocol when standard web browsers only speak HTTP and WebSockets? You deploy the high-speed KSP Edge Gateway.
HTTPS → Gateway → KSP Architecture
Because native browsers cannot open raw TCP/9876 sockets with custom framing, KSP employs an edge Gateway Reverse Proxy that terminates standard HTTPS/WebSockets and translates them into high-speed, multiplexed KSP v1.0 binary frames.
Web Browser / Mobile Client
Speaks standard HTTPS/WebSockets (TLS 1.3 over TCP 443). Connects seamlessly without requiring custom operating system kernel drivers or modified browser builds.
KSP Edge Gateway Proxy
Written in Rust (`tokio` + `hyper`). Terminates TLS 1.3 from public clients, authenticates bearer/API tokens, and translates HTTP payloads directly into KSP v1.0 binary frames.
KSP Rust Core Daemon
Receives pure KSP binary frames over TCP (`9876/tcp`). Handles up to 256 multiplexed bidirectional streams per connection with sliding-window replay bitmaps and AES-256-GCM AEAD.
Browser Compatibility
Because browsers prevent web applications from opening arbitrary raw TCP sockets on port `9876`, the Gateway acts as a WebSocket/HTTPS bridge for frontend clients (`/playground`, early 2027 browser preview).
Backend TLS Offloading
Your internal microservices run pure KSP v1.0 binary framing without wasting CPU cycles handling complex public X.509 certificate validation, ASN.1 parsing, or HTTP header compression tables.
Connection Pooling & Multiplexing
The Gateway maintains persistent, pre-authenticated KSP sessions (`up to 256 streams per connection`) with backend workers, eliminating TCP handshake overhead for bursty frontend traffic.
Step-by-Step: From HTTP Request to KSP Stream Frame
Public Client Initiation (HTTPS / WSS)
Standard browsers, mobile apps, or curl clients connect to the KSP Gateway over TCP port 443 using standard TLS 1.3.
GET /v1/telemetry/stream HTTP/1.1
Host: api.ksp.dev
Authorization: Bearer ksp_live_9a8b...
Connection: Upgrade
Upgrade: websocketEdge Reverse Proxy Termination & Auth
The Rust `tokio`/`hyper` Gateway terminates the TLS session, extracts the bearer token, verifies rate limits in memory (`O(1)` token bucket), and prepares the KSP stream channel.
// Rust Gateway Worker
let auth_token = req.headers().get("authorization").unwrap();
if rate_limiter.check_token(auth_token).is_ok() {
let ksp_channel = pool.get_connection("10.0.0.42:9876").await?;
}Binary Frame Translation (Zero JSON Bloat)
The Gateway strips HTTP headers and wraps the payload into a 48B KSP v1.0 header (`StreamOpen` / `StreamData`), assigns a multiplexed `Stream ID`, and computes the AES-256-GCM AEAD tag.
let header = KspHeader {
magic: 0x4B535031,
version: 0x10,
packet_type: PacketType::StreamData as u8,
stream_id: 104,
sequence_number: session.next_seq(),
};
let frame = session.encrypt_frame(header, &payload_bytes)?;
backend_socket.write_all(&frame).await?;Backend Multiplexed Stream Delivery
The core KSP Rust backend daemon (`ksp-server` on `9876/tcp`) receives the binary frame, verifies the sequence bitmap (`highest_seq`), decrypts the AEAD payload, and processes the stream in microseconds.
// Core KSP Backend Daemon
match packet.header.packet_type {
PacketType::StreamData => {
let stream = session.get_stream_mut(packet.header.stream_id);
stream.push_buffer(packet.decrypted_payload).await;
}
}Running `ksp-gateway` in Your Cluster
Deploy our pre-built Docker container or compile the standalone Rust binary to start relaying HTTPS traffic to your internal KSP workers today.
$ cargo install ksp-gateway
$ ksp-gateway \
--listen 0.0.0.0:443 \
--cert /etc/ssl/gateway.crt \
--key /etc/ssl/gateway.key \
--forward-ksp 10.0.0.10:9876 \
--max-streams 256services:
ksp-gateway:
image: kush2272/ksp-gateway:v1.0
ports:
- "443:443"
environment:
- KSP_BACKEND=ksp-core-worker:9876
- RATE_LIMIT_TOKENS=10000
depends_on:
- ksp-core-worker