Ping a Specific Port

Question

András Korn

Asked: 2019-05-29 12:13:03 +0800 CST2019-05-29 12:13:03 +0800 CST 2019-05-29 12:13:03 +0800 CST

Generic SNI-based transparent TLS proxy without having to enumerate all backends?

772

I'm in a situation where I have to provide a transparent reverse proxy in front of a set of thousands of backend https webservers, with the list changing (relatively) frequently.

I know I can tell haproxy to select a backend to connect to based on the SNI string the client sends along with the Client Hello (see e.g. Can a Reverse Proxy use SNI with SSL pass through?), but it seems I would need to enumerate all backends and refer to them individually in the configuration; i.e. "if SNI is so-and-so, talk to backend this-and-that".

I'd instead like to just take the SNI string from the Client Hello, look it up in DNS, connect to the IP DNS provides (on tcp port 443), relay the client hello to the server, and then keep relaying between the client and the server.

I don't want to inspect the traffic and don't want to install a new certificate on the clients.

Can haproxy do this? If not, what other program can?

2 Answers

Voted

András Korn · Answer 1 · 2019-05-29T12:13:03+08:00

Best Answer

András Korn

2019-05-29T12:13:03+08:002019-05-29T12:13:03+08:00

I ended up using nginx with the stream SSL preread module.

The configuration is dead simple:

stream {
    server {
        resolver 127.0.0.1;
        listen 443;
        ssl_preread on;
        proxy_pass $ssl_preread_server_name:443;
    }
}

No http { } block would even be needed, but nginx segfaulted for me if I omitted it, so I have an empty http { } block in the config. Only the stream module is loaded. The resolver is needed for nginx to be able to look up the backend names in DNS; I have a caching recursive resolver on 127.0.0.1.

I make it so all clients that need to connect to any of the backends connect to my nginx instead (using a combination of split horizon DNS and DNAT), and nginx connects to the actual backends on their behalf. It's completely transparent to the clients.

4

NickRamirez · Answer 2 · 2019-06-14T21:34:54+08:00

NickRamirez

2019-06-14T21:34:54+08:002019-06-14T21:34:54+08:00

You can set variables in HAProxy with http-request set-var to the SNI value and reference it with var.

https://www.haproxy.com/documentation/hapee/1-9r1/onepage/#7.3.2-var

1

Generic SNI-based transparent TLS proxy without having to enumerate all backends?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?