
Replying to
The preread module does all that without terminating TLS. TLS has ALPN to mark the application-level protocol which is how HTTP/1.1 vs. HTTP/2 works. As far as I know, ESNI is a dead standard and they're implementing fully encrypted ClientHello. I think it uses a separate key.
Replying to and
In theory, I think preread could support it by dealing with ECH (encrypted ClientHello) on the reverse proxy without it terminating TLS. At the moment, ESNI/ECH support requires out-of-tree patches. As far as I can tell, Cloudflare never published their patches for nginx.
Replying to and
ECH requires an HTTPS DNS record to act as a SRV record providing the public key for ECH. ESNI used a comparable approach. It's a bit odd now. The record essentially replaces A, AAAA, SRV, deals with ECH and also protocol negotiation for HTTP/3. Mostly not really available yet.
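To make the HTTPS record described above concrete, here is an added example (not code from anyone in the thread) that parses the wire-format RDATA of an HTTPS record as laid out in RFC 9460: SvcPriority, TargetName, then the SvcParams that carry the ALPN list (including h3 for HTTP/3), the A/AAAA-style address hints, and the opaque ECHConfigList a client hands to its TLS stack. The sample record bytes are constructed inline, and the ECHConfigList value is a placeholder rather than a real ECH configuration.

```python
import ipaddress
import struct

# SvcParamKey numbers from RFC 9460 (SVCB/HTTPS records).
SVCPARAM_ALPN, SVCPARAM_IPV4HINT, SVCPARAM_ECH, SVCPARAM_IPV6HINT = 1, 4, 5, 6


def _read_name(data, pos):
    """Decode an uncompressed wire-format DNS name; a single 0x00 byte is the root '.'."""
    labels = []
    while data[pos] != 0:
        length = data[pos]
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return (".".join(labels) + "." if labels else "."), pos + 1


def parse_https_rdata(rdata):
    """Parse HTTPS RDATA: SvcPriority, TargetName, then SvcParams as (key, length, value)."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, pos = _read_name(rdata, 2)
    record = {"priority": priority, "target": target}
    if priority == 0:              # AliasMode: no SvcParams, the client just follows the target
        return record
    while pos < len(rdata):
        key, length = struct.unpack("!HH", rdata[pos:pos + 4])
        value = rdata[pos + 4:pos + 4 + length]
        pos += 4 + length
        if key == SVCPARAM_ALPN:   # uint8-length-prefixed ids, e.g. h2 / h3 (HTTP/3 negotiation)
            alpns, i = [], 0
            while i < len(value):
                alpns.append(value[i + 1:i + 1 + value[i]].decode("ascii"))
                i += 1 + value[i]
            record["alpn"] = alpns
        elif key in (SVCPARAM_IPV4HINT, SVCPARAM_IPV6HINT):  # the A/AAAA-style address hints
            size = 4 if key == SVCPARAM_IPV4HINT else 16
            record["ipv4hint" if size == 4 else "ipv6hint"] = [
                str(ipaddress.ip_address(value[i:i + size])) for i in range(0, len(value), size)]
        elif key == SVCPARAM_ECH:  # opaque ECHConfigList, passed to the TLS stack to encrypt the ClientHello
            record["ech"] = value
    return record


def _svcparam(key, value):
    return struct.pack("!HH", key, len(value)) + value


# Constructed sample, equivalent to: example.com. HTTPS 1 . alpn="h2,h3" ipv4hint=192.0.2.1 ech=...
SAMPLE_ECHCONFIGLIST = b"\x00\x10placeholder-ech!"  # placeholder bytes, not a real ECHConfigList
SAMPLE_RDATA = (struct.pack("!H", 1) + b"\x00"       # ServiceMode, TargetName "." (the owner name)
                + _svcparam(SVCPARAM_ALPN, b"\x02h2\x02h3")
                + _svcparam(SVCPARAM_IPV4HINT, bytes([192, 0, 2, 1]))
                + _svcparam(SVCPARAM_ECH, SAMPLE_ECHCONFIGLIST))
```

A resolver library would hand you the RDATA bytes; the point of the parser is that one lookup yields the address hints, the protocol list and the ECH key material together, which is why the record stands in for A, AAAA, SRV and the ESNI key record at once.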
Replying to and
ECH is a nice improvement over ESNI because it will hide the application protocol you're using, among other things. It also takes away the remaining ability to screw things up from middleboxes. It finishes up turning the protocol into a black box for middleboxes.
Replying to and
Cloudflare could use the nginx preread feature (or at least the same approach) to avoid terminating TLS but they wouldn't be able to offer caching, inject their JavaScript or challenge captchas or most of their other value added features. It could only do basic DDoS protection.
Replying to and
On that note, it's so extremely irritating when anything beyond a website is hosted via Cloudflare's HTTP(S) reverse proxy service. They break anything other than loading HTML followed by other assets via the same connection when they try to serve those annoying challenges...