The preread module does all that without terminating TLS. TLS has ALPN to mark the application-level protocol which is how HTTP/1.1 vs. HTTP/2 works. As far as I know, ESNI is a dead standard and they're implementing fully encrypted ClientHello. I think it uses a separate key.
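What "preread without terminating TLS" amounts to in practice, as an added example that is not part of the thread and not nginx's own code: the first TLS record from the client is parsed only far enough to read the SNI and ALPN extensions, and a backend is chosen from those, exactly the data that nginx exposes as `$ssl_preread_server_name` and `$ssl_preread_alpn_protocols`. The ClientHello is constructed inline (not captured traffic), and the backend names and `api.example.test` hostname are made up for the illustration.

```python
"""Pull SNI and ALPN out of a TLS ClientHello without terminating TLS.

Added example (not nginx's own code): this is the parsing nginx's ssl_preread
module does on the first bytes of a connection to populate
$ssl_preread_server_name and $ssl_preread_alpn_protocols for routing. The
ClientHello below is constructed, not captured; backend names are made up.
"""
import struct

EXT_SERVER_NAME = 0
EXT_ALPN = 16
EXT_ECH = 0xFE0D  # encrypted_client_hello extension codepoint


def _u16(b, off):
    return struct.unpack_from("!H", b, off)[0]


def parse_client_hello(record: bytes) -> dict:
    """Return {'sni', 'alpn', 'ech'} from one TLS record holding a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    off = 2 + 32                                  # legacy_version + random
    off += 1 + body[off]                          # legacy_session_id
    off += 2 + _u16(body, off)                    # cipher_suites
    off += 1 + body[off]                          # compression_methods
    result = {"sni": None, "alpn": [], "ech": False}
    if off == len(body):                          # no extensions block
        return result
    end = off + 2 + _u16(body, off)
    off += 2
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")
    while off + 4 <= end:
        etype, elen = _u16(body, off), _u16(body, off + 2)
        data = body[off + 4:off + 4 + elen]
        off += 4 + elen
        if len(data) != elen:
            raise ValueError("truncated extension")
        if etype == EXT_SERVER_NAME:
            # ServerNameList: u16 list length, then (u8 type, u16 len, name)*
            p = 2
            while p + 3 <= len(data):
                ntype, nlen = data[p], _u16(data, p + 1)
                if ntype == 0 and result["sni"] is None:
                    result["sni"] = data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        elif etype == EXT_ALPN:
            # ProtocolNameList: u16 list length, then (u8 len, name)*
            p = 2
            while p < len(data):
                plen = data[p]
                result["alpn"].append(data[p + 1:p + 1 + plen].decode("ascii"))
                p += 1 + plen
        elif etype == EXT_ECH:
            # With ECH the visible SNI is only the outer/public name.
            result["ech"] = True
    return result


def build_client_hello(sni: str, alpn: list, ech_payload: bytes = b"") -> bytes:
    """Constructed minimal TLS 1.3-style ClientHello (sample input, not real traffic)."""
    name = sni.encode("ascii")
    sn = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    al = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
    al = struct.pack("!H", len(al)) + al
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sn)) + sn
    exts += struct.pack("!HH", EXT_ALPN, len(al)) + al
    if ech_payload:
        exts += struct.pack("!HH", EXT_ECH, len(ech_payload)) + ech_payload
    body = (b"\x03\x03" + bytes(32)               # legacy_version, random
            + b"\x00"                             # empty session id
            + b"\x00\x02\x13\x01"                 # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                         # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def route(record: bytes) -> str:
    """Choose an upstream the way an nginx stream `map` on preread vars would."""
    info = parse_client_hello(record)
    if info["sni"] == "api.example.test":
        return "api_backend"
    if "h2" in info["alpn"]:
        return "h2_backend"
    return "default_backend"
```

The parser never touches the key exchange or anything after the first record, which is why this works in front of a backend that terminates TLS itself. The `ech` flag shows the caveat that matters for this thread: once the client sends an encrypted_client_hello extension, the SNI you can read here is the outer public name, not the real destination.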
In theory, I think preread could support it by dealing with ECH (encrypted ClientHello) on the reverse proxy without it terminating TLS. At the moment, ESNI/ECH support requires out-of-tree patches. As far as I can tell, Cloudflare never published their patches for nginx.
ECH requires an HTTPS DNS record to act as an SRV record providing the public key for ECH. ESNI used a comparable approach. It's a bit odd now. The record essentially replaces A, AAAA, SRV, deals with ECH and also protocol negotiation for HTTP/3. Mostly not really available yet.
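To make the "one record replaces A, SRV and carries the ECH key" point concrete, here is an added example (not from the thread and not from any DNS library) that decodes the RFC 9460 HTTPS RDATA wire format, the priority, target and key/length/value SvcParams, and then the ECHConfigList inside the `ech` parameter to recover the public name and HPKE public key a client would encrypt its ClientHello to. The record bytes are constructed in `build_sample_rdata`; the 32-byte key is a placeholder, not a real X25519 key, and `public.example.test` is an invented name.

```python
"""Decode an HTTPS DNS record and the ECH config it carries.

Added example, not from any DNS library: walks the RFC 9460 SVCB/HTTPS RDATA
(priority, target, key/length/value SvcParams) and the ECHConfigList inside
the `ech` parameter. The record is constructed below; the key is a placeholder.
"""
import ipaddress
import struct

SVC_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
            4: "ipv4hint", 5: "ech", 6: "ipv6hint"}
ECH_VERSION = 0xFE0D          # ECHConfig version this parser understands
HPKE_KEM_X25519 = 0x0020

def _u16(b, off):
    return struct.unpack_from("!H", b, off)[0]

def _read_name(b, off):
    """Uncompressed wire-format name (SVCB forbids compression pointers)."""
    labels = []
    while b[off]:
        n = b[off]
        if n & 0xC0:
            raise ValueError("compression pointer in SVCB target")
        labels.append(b[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def parse_ech_config_list(data: bytes) -> list:
    """One dict per ECHConfig of a known version; unknown versions are skipped."""
    if _u16(data, 0) != len(data) - 2:
        raise ValueError("ECHConfigList length mismatch")
    off, out = 2, []
    while off < len(data):
        version, length = _u16(data, off), _u16(data, off + 2)
        cfg = data[off + 4:off + 4 + length]
        off += 4 + length
        if len(cfg) != length:
            raise ValueError("truncated ECHConfig")
        if version != ECH_VERSION:
            continue
        # HpkeKeyConfig: config_id u8, kem_id u16, public_key<u16>, cipher_suites<u16>
        kem_id, pk_len = _u16(cfg, 1), _u16(cfg, 3)
        p = 5 + pk_len
        cs_len = _u16(cfg, p)
        suites = [(_u16(cfg, q), _u16(cfg, q + 2)) for q in range(p + 2, p + 2 + cs_len, 4)]
        p += 2 + cs_len                     # now at maximum_name_length
        pn_len = cfg[p + 1]
        out.append({"config_id": cfg[0], "kem_id": kem_id,
                    "public_key": cfg[5:5 + pk_len], "cipher_suites": suites,
                    "maximum_name_length": cfg[p],
                    "public_name": cfg[p + 2:p + 2 + pn_len].decode("ascii")})
    return out

def parse_https_rdata(rdata: bytes) -> dict:
    target, off = _read_name(rdata, 2)
    rec = {"priority": _u16(rdata, 0), "target": target, "params": {}}
    last_key = -1
    while off < len(rdata):
        key, length = _u16(rdata, off), _u16(rdata, off + 2)
        val = rdata[off + 4:off + 4 + length]
        off += 4 + length
        if len(val) != length:
            raise ValueError("truncated SvcParam")
        if key <= last_key:                 # RFC 9460: keys strictly increasing
            raise ValueError("SvcParamKeys out of order")
        last_key = key
        name = SVC_KEYS.get(key, f"key{key}")
        if name == "alpn":                  # (u8 len, id)*, e.g. h2, h3
            p, alpn = 0, []
            while p < len(val):
                alpn.append(val[p + 1:p + 1 + val[p]].decode("ascii"))
                p += 1 + val[p]
            rec["params"]["alpn"] = alpn
        elif name == "ipv4hint":            # stands in for the A lookup
            rec["params"]["ipv4hint"] = [str(ipaddress.IPv4Address(val[i:i + 4]))
                                         for i in range(0, len(val), 4)]
        elif name == "ech":
            rec["params"]["ech"] = parse_ech_config_list(val)
        else:
            rec["params"][name] = val       # port, ipv6hint etc. left raw here
    return rec

def build_sample_rdata() -> bytes:
    """Constructed `1 . alpn=h2,h3 ipv4hint=192.0.2.1 ech=...` with a placeholder key."""
    def param(k, v):
        return struct.pack("!HH", k, len(v)) + v
    key = bytes(range(32))                                   # NOT a real X25519 key
    pub = b"public.example.test"
    contents = (b"\x07" + struct.pack("!HH", HPKE_KEM_X25519, len(key)) + key
                + struct.pack("!HHH", 4, 0x0001, 0x0001)     # HKDF-SHA256 / AES-128-GCM
                + b"\x40" + bytes([len(pub)]) + pub + b"\x00\x00")
    cfg = struct.pack("!HH", ECH_VERSION, len(contents)) + contents
    return (struct.pack("!H", 1) + b"\x00"                   # priority 1, target "."
            + param(1, b"\x02h2\x02h3")
            + param(4, ipaddress.IPv4Address("192.0.2.1").packed)
            + param(5, struct.pack("!H", len(cfg)) + cfg))
```

Two checks worth keeping in any real decoder: SvcParam keys must be strictly increasing (a resolver is supposed to reject the record otherwise), and ECHConfig entries with a version the client does not understand are skipped rather than treated as an error, which is how the draft expects key rollover across versions to work.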
ECH is a nice improvement over ESNI because it will hide the application protocol you're using, among other things. It also takes away the remaining ability to screw things up from middleboxes. It finishes turning the protocol into a black box for middleboxes.
Cloudflare could use the nginx preread feature (or at least the same approach) to avoid terminating TLS, but they wouldn't be able to offer caching, inject their JavaScript, present captcha challenges or most of their other value-added features. It could only do basic DDoS protection.
I think the only reason they don't offer it is because they wouldn't get to upsell you on all their other features... It also wouldn't accomplish much compared to just using a hosting provider giving you comparable basic DDoS protection. TLS interception is how they do most of it.