TIL the sniproxy I wanted to write already exists. github.com/dlundquist/sni A few gratuitous deps but not too bad.
Replying to
nginx also supports it via ssl_preread. You can also split based on ALPN (HTTP, XMPP, etc.) and TLS protocol including the non-TLS case to do something like hosting SSH and multiple XMPP / HTTPS servers on the same port if you really wanted to do that.
nginx.org/en/docs/stream
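A worked nginx stream configuration for the split this reply describes (non-TLS to SSH, ALPN to XMPP, SNI to one of several HTTPS backends, all on port 443). This is an added example, not taken from the thread or from the nginx documentation; the upstream names, backend addresses and hostnames are assumptions. The chained maps use the fact that a map value may itself be a variable, so the decision falls through protocol, then ALPN, then SNI.

```nginx
# Added example: one listener on 443 demultiplexed by ssl_preread.
# Requires ngx_stream_ssl_preread_module. Backends below are assumed.
stream {
    upstream ssh     { server 127.0.0.1:22; }       # assumed sshd
    upstream xmpp    { server 10.0.0.20:5223; }     # assumed XMPP (direct TLS) server
    upstream https_a { server 10.0.0.10:8443; }     # assumed HTTPS backend for a.example.com
    upstream https_b { server 10.0.0.11:8443; }     # assumed HTTPS backend for b.example.com

    # 1. Protocol split: $ssl_preread_protocol is empty when the first bytes
    #    are not a TLS ClientHello (e.g. the SSH banner "SSH-2.0-...").
    map $ssl_preread_protocol $by_protocol {
        ""       ssh;
        default  $by_alpn;
    }

    # 2. ALPN split: $ssl_preread_alpn_protocols is a comma-separated list of
    #    the ALPN IDs the client offered. "xmpp-client" is the IANA-registered
    #    ALPN ID for XMPP client connections (RFC 7590).
    map $ssl_preread_alpn_protocols $by_alpn {
        ~\bxmpp-client\b  xmpp;
        default           $by_sni;
    }

    # 3. SNI split: hostnames are read from the plaintext server_name extension,
    #    so nginx needs no certificate or private key for any of these vhosts.
    map $ssl_preread_server_name $by_sni {
        a.example.com  https_a;
        b.example.com  https_b;
        default        https_a;   # or a dedicated "reject" backend
    }

    server {
        listen 443;
        ssl_preread on;          # peek at the ClientHello without terminating TLS
        preread_timeout 10s;     # bound how long we wait for the first bytes
        proxy_pass $by_protocol; # evaluates the map chain above
    }
}
```

Two caveats a practitioner will hit: the SSH branch only works because the SSH client speaks first (its banner arrives before preread times out), and the backends see nginx's address unless you add `proxy_protocol on` and configure them to accept PROXY protocol. Nothing here decrypts traffic; if an SNI is sent encrypted (Encrypted ClientHello) the `$by_sni` map only ever sees the outer, public name.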
Replying to
It does the routing without need for any keys? If so, nice. BTW do you know how ESNI works then?
Replying to
The preread module does all that without terminating TLS. TLS has ALPN to mark the application-level protocol which is how HTTP/1.1 vs. HTTP/2 works.
As far as I know, ESNI is a dead standard and they're implementing fully encrypted ClientHello. I think it uses a separate key.