TLS lazyweb: does SNI work such that you can proxy it? One process accepts connection, but doesn't have any keys, and forwards to the right backend based on name?
Replying to @RichFelker
yes? the client sends the SNI as part of the handshake, the server it's connecting to can then present the right cert?
Replying to @kyhwana
I mean: is there state at this point that would be nontrivial to hand off to the backend? Or can the multiplexing proxy just wait til it's seen the SNI name, then forward everything seen so far and all future traffic to the right backend?
Replying to @RichFelker
Having not written a load balancer, I'm not sure how trivial that is. It has to wait till it's seen the SNI to decide where to send it? I think Cloudflare has done work on this kinda thing?
Ok, so a big yes and it's already done. Heavier deps than I'd like but I might just go with it or copy out the concept to a minimal subset.
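The scheme the thread converges on, as an added example that is not from the thread or any of its participants: the front process buffers the client's first bytes, pulls the host name out of the plaintext ClientHello SNI extension, and only then picks a backend; the buffered bytes and everything that follows are relayed unchanged, so the proxy holds no keys and carries no TLS state of its own. The ClientHello builder, host names and backend table below are constructed sample data.

```python
import struct
BACKENDS = {"api.example.test": ("10.0.0.11", 443), "www.example.test": ("10.0.0.12", 443)}  # constructed

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS ClientHello carrying an SNI extension (sample input only)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type host_name(0)
    sni = struct.pack("!HHH", 0x0000, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                     # version, random, empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                      # one cipher suite
            + b"\x01\x00"                                             # one compression method (null)
            + struct.pack("!H", len(sni)) + sni)                      # extensions block
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body     # ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(data: bytes):
    """SNI host name from the bytes buffered so far; None means read more; ValueError if no SNI."""
    if len(data) < 5:
        return None
    if data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None                                   # first record incomplete: keep buffering
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    try:
        p = 4 + 2 + 32                                # skip handshake header, version, random
        p += 1 + hs[p]                                # session_id
        p += 2 + int.from_bytes(hs[p:p + 2], "big")   # cipher_suites
        p += 1 + hs[p]                                # compression_methods
        ext_end = p + 2 + int.from_bytes(hs[p:p + 2], "big"); p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
            if etype == 0x0000:                       # server_name extension
                q = p + 2                             # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype, nlen = hs[q], int.from_bytes(hs[q + 1:q + 3], "big"); q += 3
                    if ntype == 0:
                        return hs[q:q + nlen].decode("ascii")
                    q += nlen
            p += elen
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    raise ValueError("ClientHello has no SNI")

def route(buffered: bytes):  # None = keep reading; else backend to hand buffered bytes + rest of stream to
    name = extract_sni(buffered)
    return None if name is None else BACKENDS.get(name.lower())
```

Once route() returns a backend, the proxy opens a TCP connection to it, writes the buffered bytes, and copies both directions blindly; the backend completes the handshake with its own certificate and the proxy never sees plaintext.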