Generic SNI-based transparent TLS proxy without having to enumerate all backends?
I'm in a situation where I have to provide a transparent reverse proxy in front of a set of thousands of backend https webservers, with the list changing (relatively) frequently.
I know I can tell haproxy to select a backend to connect to based on the SNI string the client sends along with the Client Hello (see e.g. Can a Reverse Proxy use SNI with SSL pass through?), but it seems I would need to enumerate all backends and refer to them individually in the configuration; i.e. "if SNI is so-and-so, talk to backend this-and-that".
I'd instead like to just take the SNI string from the Client Hello, look it up in DNS, connect to the IP DNS provides (on tcp port 443), relay the client hello to the server, and then keep relaying between the client and the server.
I don't want to inspect the traffic and don't want to install a new certificate on the clients.
Can haproxy do this? If not, what other program can?
nginx reverse-proxy https haproxy sni
asked May 28 at 20:13
András Korn
1 Answer
I ended up using nginx with the stream SSL preread module.
The configuration is dead simple:
    stream {
        server {
            resolver 127.0.0.1;   # needed to look the SNI name up in DNS
            listen 443;
            ssl_preread on;       # peek at the ClientHello without terminating TLS
            proxy_pass $ssl_preread_server_name:443;   # connect to whatever host the client named
        }
    }
    http {}   # empty; only present because nginx crashed without it (see below)
No http block would even be needed, but nginx segfaulted for me if I omitted it, so I have an empty http block in the config. Only the stream module is loaded. The resolver is needed for nginx to be able to look up the backend names in DNS; I have a caching recursive resolver on 127.0.0.1.
I make it so all clients that need to connect to any of the backends connect to my nginx instead (using a combination of split horizon DNS and DNAT), and nginx connects to the actual backends on their behalf. It's completely transparent to the clients.
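What ssl_preread does before that proxy_pass fires is parse the server_name extension out of the unencrypted ClientHello; as written, the config then relays to any host the client chooses to name, so a defender fronting a fixed set of backends wants a check on that name before resolving it. The following is an added Python example (not part of the answer): the ClientHello bytes are constructed in the block, and ALLOWED_SUFFIXES is a hypothetical relay policy.

```python
"""Parse the SNI host_name from a TLS ClientHello, as nginx's ssl_preread does.
Added example, not code from the Server Fault answer.  The ClientHello is
constructed here; ALLOWED_SUFFIXES is a hypothetical relay policy."""
import struct
from typing import Optional

ALLOWED_SUFFIXES = (".example.internal",)   # hypothetical: the only zone we front

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying one server_name entry."""
    host = server_name.encode("idna")
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host          # name type host_name(0)
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32              # client_version, random (zeroed)
            + b"\x00"                                 # empty session_id
            + b"\x00\x02\x13\x01"                     # one cipher suite
            + b"\x01\x00"                             # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body     # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if absent/malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:    # handshake record holding a ClientHello
            return None
        p = 5 + 4 + 2 + 32                            # record hdr, handshake hdr, version, random
        p += 1 + record[p]                            # session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
        p += 1 + record[p]                            # compression_methods
        ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if ext_type == 0 and record[p + 2] == 0:  # server_name ext, entry type host_name
                name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + name_len].decode("idna")
            p += ext_len
    except (IndexError, struct.error, UnicodeError):
        pass                                          # truncated or not TLS: treat as no SNI
    return None

def select_backend(record: bytes) -> Optional[str]:
    """Like proxy_pass $ssl_preread_server_name:443, but refuse names outside the zone we front."""
    name = extract_sni(record)
    if name is None or not name.endswith(ALLOWED_SUFFIXES):
        return None
    return f"{name}:443"
```

In nginx the equivalent restriction is a `map` from `$ssl_preread_server_name` to a backend variable that is empty for unknown names, so unexpected SNI values are dropped instead of resolved and relayed.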
answered May 28 at 20:13
András Korn