In reply to How I'm Using SNI Proxying and IPv6 to Share Port 443 Between Webapps
A lot of the approaches you have taken with snid are the same as I took when I implemented http://v4-frontend.netiter.com/
I operate mine as a public service such that sites using it don't need to bring their own IPv4 address. But then they are of course depending on my host. So which of the two approaches is suitable likely depends on the individual site's needs.
I too recognized the need to protect against the frontend being used as an open proxy. I took a different approach to address that. I verify that the domain has an A record pointing to my frontend. Your approach is probably better for a service only intended to be used for IPv6 sites within a specific network. Mine being intended as a public service needed a different approach.
I use the iptables TPROXY target to let my frontend listen on most port numbers simultaneously. I support both http and https on each port number by attempting to parse the host name with either protocol to see which one works.
I also support SMTP, but that is so different that I wrote a separate daemon entirely for SMTP. Sadly a lot of mail senders do not yet support SNI, so I am forced to intercept communication from those senders to find the correct target host.
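The two checks described in the comment above (trying both TLS and HTTP to find the host name, then refusing names with no A record on the frontend) can be sketched as follows. This is an added example, not part of the comment and not code from snid or the commenter's frontend. `FRONTEND_IPS` and all function names are assumptions, and a ClientHello split across several reads is not handled.

```python
import socket
import struct

FRONTEND_IPS = {"192.0.2.10"}  # assumed frontend address (documentation range)

def sni_from_client_hello(data):
    """Return the SNI name from a TLS ClientHello record, or None if not TLS."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:  # handshake record, ClientHello
            return None
        p = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
        p += 1 + data[p]                        # session id
        p += 2 + struct.unpack_from("!H", data, p)[0]  # cipher suites
        p += 1 + data[p]                        # compression methods
        end = p + 2 + struct.unpack_from("!H", data, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", data, p)
            if etype == 0:                      # server_name: list len, type, name len, name
                nlen = struct.unpack_from("!H", data, p + 7)[0]
                name = data[p + 9:p + 9 + nlen]
                return name.decode("ascii").lower() if len(name) == nlen else None
            p += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def host_from_http(data):
    """Return the Host header value of an HTTP/1.x request, or None."""
    lines = data.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    if not lines[0].endswith((b" HTTP/1.0", b" HTTP/1.1")):
        return None
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"host":
            return value.strip().split(b":")[0].decode("ascii", "ignore").lower()
    return None

def system_resolve_a(host):
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def may_proxy(first_bytes, resolve_a=system_resolve_a, frontend_ips=FRONTEND_IPS):
    """Try TLS then HTTP; allow only names with an A record on this frontend."""
    host = sni_from_client_hello(first_bytes) or host_from_http(first_bytes)
    if not host:
        return None, False
    return host, bool(set(resolve_a(host)) & set(frontend_ips))
```

`may_proxy` returns the parsed host name and whether the connection may be forwarded; the resolver is a parameter so the check can be exercised offline with a fixed name-to-address table.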