Support proxying TLS without terminating it
Would it be possible to add the possibility to forward a whole TLS stream, based on SNI, without terminating it? (Ideally, using splicing as in #63)
This is very helpful in cases where the certificate and signing key are not provisioned on the proxy.
I would be willing to contribute the code, assuming I can, as I could use this feature for hashbang.sh.
This will probably be too hard to do with the current openssl-based implementation, so we will need to wait on #145 to get a more flexible TLS implementation based on rustls. For context, in openssl, you give a callback to find which certificate to send based on the SNI extension. From that callback, it would not be possible to do a passthrough to the backend, since openssl already manages the stream.
@ctx Is matching SNI without terminating the whole TLS stream doable with rustls? That would be pretty neat :)
It might be doable by reusing this nom TLS parser: https://github.com/rusticata/tls-parser. Then the proxy would only read the beginning of the communication, route based on the name, then just splice calls back and forth.
I started to work on it in the peek-sni branch, but it will have to wait until #588 is done
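The approach sketched in this thread (read only the first bytes of the connection, pull the host name out of the ClientHello's SNI extension, then splice) as an added example; this is not the project's peek-sni branch nor the tls-parser crate, but a small hand-written, bounds-checked parser. The function names `peek_sni`, `client_hello_with_sni`, `rd` and `u16_be` are mine, and the ClientHello bytes are constructed for the example, not captured from a real client.

```rust
// Added example (not the proxy's own code): extract the SNI host name from the
// first TLS record without decrypting anything; truncated or non-ClientHello input yields None.
fn rd<'a>(b: &'a [u8], p: &mut usize, n: usize) -> Option<&'a [u8]> {
    let s = b.get(*p..*p + n)?; *p += n; Some(s)
}
fn u16_be(b: &[u8], p: &mut usize) -> Option<usize> {
    let s = rd(b, p, 2)?; Some(u16::from_be_bytes([s[0], s[1]]) as usize)
}
pub fn peek_sni(buf: &[u8]) -> Option<String> {
    let mut p = 0;
    if *rd(buf, &mut p, 1)?.first()? != 0x16 { return None; } // handshake record only
    p += 2;                                                     // record version
    let rec_len = u16_be(buf, &mut p)?;
    let rec = rd(buf, &mut p, rec_len)?;                       // whole record must be buffered
    let mut q = 0;
    if *rd(rec, &mut q, 1)?.first()? != 0x01 { return None; } // ClientHello only
    q += 3 + 2 + 32;                                            // hs length, client_version, random
    let sid = *rd(rec, &mut q, 1)?.first()? as usize; q += sid; // session_id
    let cs = u16_be(rec, &mut q)?; q += cs;                     // cipher_suites
    let cm = *rd(rec, &mut q, 1)?.first()? as usize; q += cm;   // compression_methods
    let ext_len = u16_be(rec, &mut q)?;
    let exts = rd(rec, &mut q, ext_len)?;
    let mut e = 0;
    while e < exts.len() {
        let ext_type = u16_be(exts, &mut e)?;
        let len = u16_be(exts, &mut e)?;
        let body = rd(exts, &mut e, len)?;
        if ext_type != 0 { continue; }                          // 0 = server_name
        let mut b = 2;                                          // skip server_name_list length
        if *rd(body, &mut b, 1)?.first()? != 0 { return None; } // only name_type host_name (0)
        let n = u16_be(body, &mut b)?;
        return std::str::from_utf8(rd(body, &mut b, n)?).ok().map(String::from);
    }
    None
}
/// Constructed sample (not a real capture): a minimal TLS 1.2 ClientHello
/// carrying a single SNI host name, used to exercise peek_sni.
pub fn client_hello_with_sni(host: &str) -> Vec<u8> {
    fn l16(v: &[u8]) -> Vec<u8> { (v.len() as u16).to_be_bytes().to_vec() }
    let h = host.as_bytes().to_vec();
    let name = [vec![0x00], l16(&h), h].concat();            // host_name entry
    let sni = [l16(&name), name].concat();                   // server_name_list
    let exts = [vec![0x00, 0x00], l16(&sni), sni].concat();  // extension_type 0 + data
    let body = [vec![0x03, 0x03], vec![0u8; 32], vec![0x00], // version, random, empty session_id
        vec![0x00, 0x02, 0x13, 0x01], vec![0x01, 0x00],      // one cipher suite, null compression
        l16(&exts), exts].concat();
    let hs = [vec![0x01, 0x00, (body.len() >> 8) as u8, body.len() as u8], body].concat();
    [vec![0x16, 0x03, 0x01], l16(&hs), hs].concat()
}
```

A real proxy would need to buffer until the whole first record has arrived (it can span several reads) and fall back to a default backend or a reject when no SNI is present.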