zhboner/realm

TLS SNI proxy

Closed this issue · 5 comments

I'm currently using Traefik with the HostSNI TCP router for TLS connections to split them between different hosts, depending on conditions.

It seems this could also be a useful feature for realm in secure environments.

Would the servername= property in a listen_transport directive accept lists of SNI hostnames and RegExp or globbing wildcards?

So this

listen_transport = "tls;servername=example.com"

could also read:

listen_transport = "tls;servername=*.pages.example.com,pages.example.com"

or

listen_transport = "tls;servername=*"

This specific Traefik TCP TLS SNI router configuration here is in use with a GitLab Pages daemon and another Traefik daemon set up with a DNS-01 challenge to generate the wildcard subdomain certificate. The generic wildcard route is served by the GitLab Pages daemon, which will issue its own certificates for domains connected to it.

Following the link in the readme, this appears to be an upstream issue for zephyrchien/kaminari.

Actually, the servername= field of listen_transport is used as a hint for generating self-signed certificates, not for dispatching backends.

Realm with the balance module does allow multiple backends being bound to a single frontend. However, the way to pick a backend is limited, currently just load-balancer and hook. load-balancer switches between backends automatically based on the strategy. hook requires users to write dynamic libraries.

On the other hand, SNI could be sniffed from the first several bytes at the TCP level (SNI is one of the TLS extensions).

I'm planning to refactor the whole project, providing a more flexible way to organize frontends/backends.
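As an added example (not code from realm or from kaminari), here is a dependency-free Rust sketch of the two pieces this thread touches: pulling the SNI host_name out of the first bytes of a TLS ClientHello, as the maintainer describes, and matching it against a comma-separated servername list such as `*.pages.example.com,pages.example.com` from the original question. The wildcard semantics (a `*.` prefix matches exactly one DNS label, as certificate wildcards do, and a bare `*` matches everything) and the `build_client_hello` helper that constructs the test input are my assumptions, not behaviour realm implements.

```rust
/// Extract the SNI host_name from a buffer that starts with a TLS ClientHello.
/// Returns None when the bytes are not a complete ClientHello carrying SNI,
/// so a relay should keep peeking (not consuming) until it has the full record
/// or give up and fall back to a default backend.
pub fn extract_sni(buf: &[u8]) -> Option<String> {
    // TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
    if buf.len() < 5 || buf[0] != 0x16 {
        return None;
    }
    let rec_len = u16::from_be_bytes([buf[3], buf[4]]) as usize;
    let rec = buf.get(5..5 + rec_len)?; // None if the record is truncated
    // Handshake header: msg_type(1) length(3); 0x01 = client_hello
    if rec.len() < 4 || rec[0] != 0x01 {
        return None;
    }
    let hs_len = ((rec[1] as usize) << 16) | ((rec[2] as usize) << 8) | rec[3] as usize;
    let hs = rec.get(4..4 + hs_len)?;
    let mut pos = 34; // skip client_version(2) + random(32)
    pos += 1 + *hs.get(pos)? as usize; // session_id
    let cs_len = u16::from_be_bytes([*hs.get(pos)?, *hs.get(pos + 1)?]) as usize;
    pos += 2 + cs_len; // cipher_suites
    pos += 1 + *hs.get(pos)? as usize; // compression_methods
    let ext_total = u16::from_be_bytes([*hs.get(pos)?, *hs.get(pos + 1)?]) as usize;
    let exts = hs.get(pos + 2..pos + 2 + ext_total)?;
    let mut p = 0;
    while p + 4 <= exts.len() {
        let ext_type = u16::from_be_bytes([exts[p], exts[p + 1]]);
        let ext_len = u16::from_be_bytes([exts[p + 2], exts[p + 3]]) as usize;
        p += 4;
        let body = exts.get(p..p + ext_len)?;
        if ext_type == 0x0000 {
            // server_name: list_len(2), then entries of name_type(1) len(2) name
            let list_len = u16::from_be_bytes([*body.get(0)?, *body.get(1)?]) as usize;
            let list = body.get(2..2 + list_len)?;
            let mut q = 0;
            while q + 3 <= list.len() {
                let name_type = list[q];
                let name_len = u16::from_be_bytes([list[q + 1], list[q + 2]]) as usize;
                q += 3;
                let name = list.get(q..q + name_len)?;
                q += name_len;
                if name_type == 0 {
                    // host_name must be non-empty printable ASCII; refuse anything else
                    if name.is_empty() || !name.iter().all(|b| b.is_ascii_graphic()) {
                        return None;
                    }
                    return String::from_utf8(name.to_vec()).ok();
                }
            }
            return None;
        }
        p += ext_len;
    }
    None
}

/// Match a host against a comma-separated pattern list (assumed syntax):
/// "*" matches anything, "*.suffix" matches exactly one extra label, else exact.
pub fn sni_matches(pattern: &str, host: &str) -> bool {
    let host = host.to_ascii_lowercase();
    pattern.split(',').map(str::trim).any(|pat| {
        let pat = pat.to_ascii_lowercase();
        if pat == "*" {
            true
        } else if let Some(suffix) = pat.strip_prefix("*.") {
            host.strip_suffix(suffix).map_or(false, |rest| {
                rest.ends_with('.') && rest.len() > 1 && !rest[..rest.len() - 1].contains('.')
            })
        } else {
            pat == host
        }
    })
}

/// Build a minimal, constructed ClientHello record carrying `host` as SNI.
/// Only for exercising the parser; random is all zeros and one cipher suite is listed.
pub fn build_client_hello(host: &str) -> Vec<u8> {
    let name = host.as_bytes();
    let mut sni = ((name.len() + 3) as u16).to_be_bytes().to_vec(); // server_name_list length
    sni.push(0); // name_type = host_name
    sni.extend_from_slice(&(name.len() as u16).to_be_bytes());
    sni.extend_from_slice(name);
    // supported_versions (0x002b) first, so the parser has to skip an unrelated extension
    let mut exts = vec![0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04];
    exts.extend_from_slice(&[0x00, 0x00]); // extension type server_name
    exts.extend_from_slice(&(sni.len() as u16).to_be_bytes());
    exts.extend_from_slice(&sni);
    let mut body = vec![0x03, 0x03]; // client_version TLS 1.2
    body.extend_from_slice(&[0u8; 32]); // random (constructed zeros)
    body.push(0); // session_id length
    body.extend_from_slice(&[0x00, 0x02, 0x13, 0x01]); // cipher_suites: TLS_AES_128_GCM_SHA256
    body.extend_from_slice(&[0x01, 0x00]); // compression_methods: null
    body.extend_from_slice(&(exts.len() as u16).to_be_bytes());
    body.extend_from_slice(&exts);
    let mut hs = vec![0x01]; // handshake type client_hello
    hs.extend_from_slice(&(body.len() as u32).to_be_bytes()[1..]); // 24-bit length
    hs.extend_from_slice(&body);
    let mut rec = vec![0x16, 0x03, 0x01]; // record: handshake, legacy version
    rec.extend_from_slice(&(hs.len() as u16).to_be_bytes());
    rec.extend_from_slice(&hs);
    rec
}
```

Two points for a relay that does this: the sniff has to be a peek so the untouched ClientHello can still be forwarded to the chosen backend, and every `None` from `extract_sni` is deliberately ambiguous between "not TLS" and "not enough bytes yet", so the caller should apply a read timeout and a size cap before falling back, or an attacker can hold connections open with a never-completed record.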