TLS SNI Proxy

From OverthereWiki

RFC 4366 defines the Server Name Indication (SNI) extension for TLS. Using it we can build a TCP proxy that reads the server name from the client's handshake and forwards the connection to the appropriate HTTPS server. Unlike Nginx or Apache HTTPS SNI virtual hosting, the proxy never needs the servers' private keys: it only parses the unencrypted ClientHello and relays bytes, so the TLS session terminates at the backend. This could be useful as we exhaust IPv4 addresses and HTTPS virtual hosting becomes necessary: a proxy could listen on a single IPv4 address and forward to HTTPS servers on separate IPv6 addresses.

I've written an implementation: https://github.com/dlundquist/sniproxy

Debian packages I've built can be found at http://gateway01.nssix.com/packages/, and Ubuntu packages can be found at https://launchpad.net/~dlundquist/+archive/ubuntu/sniproxy