
[feature request] support Proxy protocol

Open IceCodeNew opened this issue 2 years ago • 0 comments

https://github.com/ihciah/shadow-tls/issues/77#issuecomment-1549887451

The second approach only works with specific backends that support the Proxy Protocol.

(When using shadow-tls as an SNI proxy, forwarding normal requests to nginx, there are several ways to pass the real IP to nginx.) One of them is to connect to the backend with the Proxy protocol, but it introduces the problem that you can only connect to backends that implement Proxy protocol support, so the choice would be limited.

There are projects like https://github.com/path-network/go-mmproxy meant to solve the problem. Speaking from experience, it works very well.

For me, apart from utilizing the IP_TRANSPARENT or the Proxy protocol, it seems there are no other ways to pass the real IP to the backend.

I would expect supporting Proxy protocol to be easier than utilizing the IP_TRANSPARENT, and it might also ease the requirements for users to enable passing the real IP to the backend.

Refer to:

  • https://github.com/ihciah/shadow-tls/wiki/Security-Tips#sni-proxy-issue
  • https://blog.cloudflare.com/mmproxy-creative-way-of-preserving-client-ips-in-spectrum/

IceCodeNew, Sep 28 '23 08:09
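As an added illustration, not code from shadow-tls or from the issue author, this shows the PROXY protocol v1 exchange the request asks for: the proxy prepends one text line carrying the real client address, and the backend must parse and validate that line before it reads any application data. The addresses are constructed sample values, and the backend side assumes it only accepts the header on connections arriving from a trusted proxy.

```rust
use std::net::{IpAddr, SocketAddr};

/// Proxy side: build the PROXY v1 header line (text form, CRLF-terminated)
/// that is written to the backend before the client's first byte.
pub fn proxy_v1_header(client: SocketAddr, backend: SocketAddr) -> Option<String> {
    let family = match (client.ip(), backend.ip()) {
        (IpAddr::V4(_), IpAddr::V4(_)) => "TCP4",
        (IpAddr::V6(_), IpAddr::V6(_)) => "TCP6",
        _ => return None, // mixed address families cannot be expressed in v1
    };
    Some(format!("PROXY {} {} {} {} {}\r\n",
        family, client.ip(), backend.ip(), client.port(), backend.port()))
}

/// Backend side: parse the PROXY v1 header at the start of the stream.
/// Returns the real client address and the number of bytes consumed.
/// Only call this on connections from a trusted proxy (assumption): a header
/// accepted from an arbitrary peer lets that peer spoof its source address.
pub fn parse_proxy_v1(buf: &[u8]) -> Result<(SocketAddr, usize), &'static str> {
    // The v1 header is at most 107 bytes including CRLF; refuse anything longer.
    let end = buf.windows(2).take(106).position(|w| w == b"\r\n")
        .ok_or("no CRLF within 107 bytes")?;
    let line = std::str::from_utf8(&buf[..end]).map_err(|_| "header is not ASCII")?;
    let mut parts = line.split(' ');
    if parts.next() != Some("PROXY") { return Err("missing PROXY signature"); }
    let family = parts.next().ok_or("missing family")?;
    match family {
        "TCP4" | "TCP6" => {}
        // UNKNOWN carries no usable client address; treat it as a hard failure here
        "UNKNOWN" => return Err("UNKNOWN family: no client address"),
        _ => return Err("unsupported family"),
    }
    let src_ip: IpAddr = parts.next().ok_or("missing src ip")?.parse().map_err(|_| "bad src ip")?;
    let dst_ip: IpAddr = parts.next().ok_or("missing dst ip")?.parse().map_err(|_| "bad dst ip")?;
    let src_port: u16 = parts.next().ok_or("missing src port")?.parse().map_err(|_| "bad src port")?;
    let _dst_port: u16 = parts.next().ok_or("missing dst port")?.parse().map_err(|_| "bad dst port")?;
    if parts.next().is_some() { return Err("trailing fields"); }
    // The declared family must agree with the address literals.
    let want_v4 = family == "TCP4";
    if src_ip.is_ipv4() != want_v4 || dst_ip.is_ipv4() != want_v4 {
        return Err("family/address mismatch");
    }
    Ok((SocketAddr::new(src_ip, src_port), end + 2))
}
```

The consumed-byte count is what the backend uses to hand the remaining bytes (here the start of a TLS ClientHello) to its normal connection handler.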