TIL the sniproxy I wanted to write already exists. github.com/dlundquist/sni A few gratuitous deps but not too bad.
Replying to
nginx also supports it via ssl_preread. You can also split based on ALPN (HTTP, XMPP, etc.) and TLS protocol, including the non-TLS case, to do something like hosting SSH and multiple XMPP / HTTPS servers on the same port if you really wanted to do that.
nginx.org/en/docs/stream
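The routing described in that reply, written out as an added nginx stream configuration (an illustrative example, not something posted in the thread or taken from nginx's docs; the backend addresses and hostnames are assumed):

```nginx
stream {
    # Route by SNI from the plaintext ClientHello. Assumed hostnames.
    # Note: with ECH the real SNI is encrypted, so only the outer
    # (public) name is visible here.
    map $ssl_preread_server_name $by_sni {
        www.example.com   https_backend;
        xmpp.example.com  xmpp_backend;
        default           https_backend;
    }

    # $ssl_preread_alpn_protocols is a comma-separated list, so match
    # the XMPP ALPN id (RFC 7590) with a regex; otherwise fall back to SNI.
    map $ssl_preread_alpn_protocols $by_alpn {
        ~\bxmpp-client\b  xmpp_backend;
        default           $by_sni;
    }

    # $ssl_preread_protocol is empty when the first bytes are not a
    # TLS ClientHello; an SSH client sends its banner immediately, so
    # those connections are handed to sshd. Non-TLS clients that wait
    # for a server banner only get forwarded after preread_timeout.
    map $ssl_preread_protocol $upstream {
        ""       ssh_backend;
        default  $by_alpn;
    }

    upstream ssh_backend   { server 127.0.0.1:22;   }
    upstream https_backend { server 127.0.0.1:8443; }
    upstream xmpp_backend  { server 127.0.0.1:5223; }

    server {
        listen 443;
        ssl_preread on;          # peek at the ClientHello, no TLS termination
        preread_timeout 5s;      # shorten the wait for silent non-TLS clients
        proxy_pass $upstream;
    }
}
```

Because no TLS is terminated here, the backends keep their own keys and the proxy never sees plaintext, which is the property asked about in the next reply.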
Replying to
It does the routing without need for any keys? If so, nice. BTW do you know how ESNI works then?
Replying to
The preread module does all that without terminating TLS. TLS has ALPN to mark the application-level protocol which is how HTTP/1.1 vs. HTTP/2 works.
As far as I know, ESNI is a dead standard and they're implementing fully encrypted ClientHello. I think it uses a separate key.
In theory, I think preread could support it by dealing with ECH (encrypted ClientHello) on the reverse proxy without it terminating TLS.
At the moment, ESNI/ECH support requires out-of-tree patches. As far as I can tell, Cloudflare never published their patches for nginx.
ECH requires an HTTPS DNS record to act as an SRV record providing the public key for ECH. ESNI used a comparable approach. It's a bit odd now. The record essentially replaces A, AAAA, SRV, deals with ECH and also protocol negotiation for HTTP/3.
Mostly not really available yet.