Can a Reverse Proxy use SNI with SSL pass through?


I need to serve several applications over HTTPS using one external IP address.

The SSL certificates should not be managed on the reverse proxy. They are installed on the application servers.

Can a reverse proxy be configured to use SNI and pass SSL through for termination at the endpoint?

Is this possible using something like Nginx or Apache? What does the configuration look like?










Tags: reverse-proxy https sni






asked Aug 31 '14 at 23:10 by user319862
          3 Answers
This IS possible with Haproxy. You can set up a TCP proxy and extract the SNI and do routing based on the SNI. Here's an example:

    backend be.app1
        mode tcp
        no option checkcache
        no option httpclose
        # buffer up to 5s so the ClientHello (and its SNI) is seen before routing
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }
        tcp-request content reject
        # route on the unencrypted SNI; the TLS session is passed through untouched
        use-server server1 if { req.ssl_sni -m beg app1. }
        server server1 server1:8443 check id 1 weight 0

It is essential to delay the request until you get the SSL hello, otherwise haproxy will try to make a connection before receiving the SNI header.

I am using servers with weight 0 because, in my current configuration, I only have one server running for each SNI and I don't want them to receive random requests. You can probably find better ways to play with this.

I hope this helps.






answered Aug 31 '14 at 23:14 by Florin Asăvoaie (edited Aug 31 '14 at 23:26)

• Can you point me towards any documentation of this or a configuration snippet so I can accept the answer? – user319862, Aug 31 '14 at 23:17

• @user319862 I found this nice tutorial which seems to be what's being discussed. – Michael Hampton, Aug 31 '14 at 23:21

• Really? Why would someone downvote this answer? – Florin Asăvoaie, Sep 1 '14 at 6:41

• The problem with this is that the IP address of the client doesn't get forwarded, so the server only ever sees traffic coming from the proxy. – Kyle, Apr 28 '17 at 18:48

• @Kyle Of course. It is a TCP proxy. The only thing you can do about this is if you configure and set haproxy as a router for the server and use tproxy. – Florin Asăvoaie, Apr 29 '17 at 9:47
You can use sniproxy: https://github.com/dlundquist/sniproxy

An example configuration:

    # TLS on 443: route on SNI, unknown names go to the fallback
    listener 0.0.0.0:443 {
        protocol tls
        table TableHTTPS
        fallback 127.0.0.1:8443
    }

    # plain HTTP on 80: route on the Host header
    listener 0.0.0.0:80 {
        protocol http
        table TableHTTP
        fallback 127.0.0.1:8080
    }

    table TableHTTPS {
        domain1.com backend1:443
        domain2.org backend2:443
    }

    table TableHTTP {
        domain1.com backend1:80
        domain2.org backend2:80
    }





answered Dec 6 '15 at 14:20 by mick

• Thanks for posting about that project. I was not aware of it. – user319862, Dec 7 '15 at 4:07

• @mick Hi mick, when running SNI as a transparent proxy it breaks some sites with SSL errors. How to fix it? – charith, May 8 '17 at 9:38














This is certainly possible, even now in 2019 with the upcoming TLS 1.3! Many web servers or specialized reverse proxies provide this functionality out of the box:

• Nginx ≥ 1.11.5 (Debian ≥ buster or stretch-backports)
• HAProxy ≥ 1.5 (Debian ≥ jessie)
• Sniproxy (Debian ≥ buster)
• etc.

This is an example configuration for Nginx, which is a very popular choice for setups that require a reverse proxy:

    stream {
        # pick the upstream from the SNI read out of the ClientHello
        map $ssl_preread_server_name $selected_upstream {
            example.org upstream_1;
            example.net upstream_2;
            example.com upstream_3;
            default     upstream_4;
        }
        upstream upstream_1 { server 10.0.0.1:443; }
        upstream upstream_2 { server 10.0.0.2:443; }
        upstream upstream_3 { server 10.0.0.3:443; }
        upstream upstream_4 { server 10.0.0.4:443; }
        server {
            listen 10.0.0.5:443;
            proxy_pass $selected_upstream;
            ssl_preread on;
        }
    }

The relevant Nginx modules are stream_core and stream_ssl_preread. Manuals:

• https://nginx.org/en/docs/stream/ngx_stream_core_module.html
• https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html






answered Feb 5 at 22:58 by vog
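All three answers rely on the same mechanism: the proxy buffers the first TLS record, reads the server_name extension out of the ClientHello (which is sent in the clear, so no key material is needed), picks a backend from a fixed table, and then forwards the raw bytes. The following is an added example, not code from any of the answers nor from HAProxy, Nginx or sniproxy, that implements that decision in plain Python. It reproduces what `req.ssl_hello_type 1` / `req.ssl_sni` (Florin's HAProxy answer) and `ssl_preread` / `$ssl_preread_server_name` with a `default` entry (vog's Nginx answer) do, including the two failure modes a pass-through proxy has to handle: a hello that has not fully arrived yet, and a client that sends no SNI at all. The backend addresses are copied from vog's `map`; the parser, the table lookup and the ClientHello builder are constructed for this illustration.

```python
import struct
from typing import Optional, Tuple

# Routing table mirroring vog's nginx `map`; the default entry plays the role of
# nginx's `default upstream_4` or sniproxy's `fallback`. Constructed for this example.
BACKENDS = {
    "example.org": ("10.0.0.1", 443),
    "example.net": ("10.0.0.2", 443),
    "example.com": ("10.0.0.3", 443),
}
DEFAULT_BACKEND = ("10.0.0.4", 443)

TLS_HANDSHAKE = 0x16   # TLS record content type
CLIENT_HELLO = 0x01    # handshake message type (HAProxy: req.ssl_hello_type 1)
EXT_SERVER_NAME = 0    # server_name extension id (RFC 6066)


def parse_sni(data: bytes) -> Optional[str]:
    """Return the SNI host name from a buffered TLS ClientHello, else None.

    None covers non-TLS bytes, a record that is not fully buffered yet, a
    malformed hello, and a client that sent no SNI. Routing has to wait for a
    complete hello; that is what HAProxy's inspect-delay and nginx's ssl_preread do.
    """
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None                                   # still buffering
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                  # client_version + random
        pos += 1 + body[pos]                          # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        if pos + 2 > len(body):
            return None                               # hello carries no extensions
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        if ext_end > len(body):
            return None
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            # ServerNameList: list_len(2), then entries of type(1) len(2) name
            p = 2
            while p + 3 <= len(ext):
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                name = ext[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii").lower()
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def choose_backend(data: bytes) -> Optional[Tuple[str, int]]:
    """Routing decision for one buffered client hello; None means reject."""
    sni = parse_sni(data)
    if sni is None:
        return None        # like HAProxy's `tcp-request content reject`
    # Exact match only: the SNI is unauthenticated client input, so a prefix or
    # regex match could steer unexpected names onto a backend.
    return BACKENDS.get(sni, DEFAULT_BACKEND)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal ClientHello record; sample input only, not a real client."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)                # TLS 1.2 version, zeroed random
            + b"\x00"                              # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00")                         # null compression only
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    samples = {
        "known name": build_client_hello("Example.NET"),
        "unknown name": build_client_hello("other.example"),
        "no SNI": build_client_hello(None),
        "truncated": build_client_hello("example.org")[:-4],
    }
    for label, raw in samples.items():
        print(f"{label:12s} -> {choose_backend(raw)}")
```

Because the proxy only ever sees the ClientHello and then copies ciphertext, it cannot read or rewrite the HTTP layer, which is why Kyle's comment above is right that no `X-Forwarded-For` can be added in this mode. The same property is what makes vog's TLS 1.3 remark hold: TLS 1.3 still sends the ClientHello, SNI included, in the clear, so the routing decision is unchanged; only a client using Encrypted Client Hello would hide the name from a pass-through proxy.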
























