Very lean dynamic ingress traffic router based on Alpine Linux, with rule-based URI and port rewriting for inbound traffic. Works for TCP traffic routed by TLS SNI or by HTTP hostname.
It addresses several requirements:
- Port overlapping on HTTP and HTTPS (e.g. SNI on TLS or Hostname on HTTP)
- End to end encryption with TLS passthrough (This is the SNI part)
- Service name based routing
- Always up to date when further containers are spun up or removed
Built for Docker swarm mode ingress networking: secure service discovery works by forwarding to the fully qualified domain name (FQDN) and resolving it through Docker's embedded DNS. There is therefore no need to mount the Docker socket or to maintain labels in the compose recipe. Just define your fully qualified service names per network as shown in the sample excerpts below. Lean and secure alternative to Traefik, Fabio, Gobetween, Dockerflow, etc.
This sniproxy-lib based project performs nearly as well as HAProxy. For more throughput and lower CPU usage, zero-copy and TCP splicing need to be implemented in the underlying library. Golang also lacks support: golang/go#10948. (All Golang-based projects, such as Traefik, are also affected.)
```yaml
version: '3.2'
services:
  sni-proxy:
    build: .
    environment:
      - LISTENERS=http;8080 tls;8443
      - RULES_HTTP=whoami.*;whoami:8000 .*;*:8080
      - RULES_TLS=.*;*:8443
    ports:
      - "80:8080"
      - "443:8443"
      - "8080:8080"
      - "8443:8443"
  whoami-a:
    image: jwilder/whoami:latest
    networks:
      default:
        aliases:
          - whoami-a.vcap.me
  whoami-b:
    image: jwilder/whoami:latest
    networks:
      default:
        aliases:
          - whoami-b.vcap.me
  # Demo backend only: the socket mount and --no-auth belong to portainer,
  # not to sni-proxy, and give anyone who can reach it control of Docker.
  portainer:
    image: portainer/portainer
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command: --no-auth
    networks:
      default:
        aliases:
          - portainer.vcap.me
networks:
  default:
    driver: overlay
```
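
How a TLS-passthrough router can read the SNI name without terminating TLS, as an added example (not code from this project or from sniproxy-lib): Go's `crypto/tls` parses only the ClientHello over a read-only connection, and the consumed bytes are kept for replay to the backend. `PeekSNI`, `roConn` and `SampleHello` are hypothetical names, and the sample ClientHello is constructed with Go's own TLS client.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"fmt"
	"io"
	"net"
	"time"
)

type roConn struct{ r io.Reader } // read-only net.Conn: tls can parse but never reply
func (c roConn) Read(p []byte) (int, error)       { return c.r.Read(p) }
func (c roConn) Write([]byte) (int, error)        { return 0, io.ErrClosedPipe }
func (c roConn) Close() error                     { return nil }
func (c roConn) LocalAddr() net.Addr              { return nil }
func (c roConn) RemoteAddr() net.Addr             { return nil }
func (c roConn) SetDeadline(time.Time) error      { return nil }
func (c roConn) SetReadDeadline(time.Time) error  { return nil }
func (c roConn) SetWriteDeadline(time.Time) error { return nil }

// PeekSNI returns the ClientHello's server name and every byte consumed (to replay).
func PeekSNI(r io.Reader) (string, []byte, error) {
	var seen bytes.Buffer
	var name string
	cfg := &tls.Config{GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
		name = h.ServerName // cleartext, client-controlled routing input
		return nil, fmt.Errorf("stop: hello parsed, no handshake wanted")
	}}
	err := tls.Server(roConn{io.TeeReader(r, &seen)}, cfg).Handshake()
	if name == "" {
		return "", seen.Bytes(), fmt.Errorf("no SNI in first flight: %w", err)
	}
	return name, seen.Bytes(), nil
}

// SampleHello builds a constructed ClientHello for name using Go's own TLS client.
func SampleHello(name string) []byte {
	c, s := net.Pipe()
	defer s.Close() // closing the server end also unblocks the client goroutine
	go tls.Client(c, &tls.Config{ServerName: name}).Handshake()
	buf := make([]byte, 8192)
	n, _ := s.Read(buf) // the ClientHello arrives as a single record write
	return buf[:n]
}

func main() {
	name, raw, err := PeekSNI(bytes.NewReader(SampleHello("whoami-a.vcap.me")))
	fmt.Println(name, len(raw), err)
}
```

The proxy never holds a certificate or key, so the session stays encrypted end to end; the returned name is unauthenticated and should be matched against the routing rules before any backend is dialed.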