Commit accc463f authored by Dustin Lundquist

Updating docs

parent b37e49f0
+-----------+
+---------------+
|Config: |
| config_file |
| username |
+---------------+
| \----------\
v |
+-----------+ v
|Listener: |+ +-------+ +------------+
| socket || |Table: |+ |Backend: |+
| protocol ||--has one-->| name ||--has many->| hostname* ||+
+-----------+| +-------+| | address |||
+-----------+ +-------+ | port |||
^ +------------+||
| +------------+|
| +------------+
| ^
| +-------------+ |
| |Connection: |+ |
| | state ||+ |
| +-------------+ +------------+|
| |Connection: |+ +------------+
| | state ||+ ^
\-referneces--| listener ||| |
| client ||| |
| socket ||| |
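Review bot: the edge label from Connection to Listener reads "referneces" and should be "references". While fixing it, consider labelling the two remaining unlabelled edges (Config to Listener/Table at the top, and Connection to Backend on the right) the same way "has one" and "has many" already are, since the Connection box lists "listener", "client" and "socket" but the diagram does not say what a Connection holds from the Backend it was routed to, even though the prose below describes a second server socket per connection.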
......@@ -30,10 +33,12 @@ and protocol and socket. When an incomming connection is accepted on the
socket, a new connection object is created. The first packet is inspect
and the hostname is extracted from the TLS Client Hello or HTTP Request
(depending on protocol selected). The listen's table is consulted for backend
maching the hostname requested, this match may be simple maching strings or
regular expressions. A second connection is established to the address and
port specified by the backend, and the initial packet is forwarded to over
maching the requested hostnamer, this match may be simple maching strings or
regular expressions. A second server connection is established to the address
and port specified by the backend, and the initial packet is forwarded to over
this second socket. Form this point on, when a packet is received from either
the client or server, its contents is buffered and sent through the other
socket.
socket. When either the client or server closes the socket, the buffer to
the other socket is sent and the connection is closed. After both sockets
have been closed the connection is removed.
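Review bot: the rewritten line "maching the requested hostnamer" trades one typo for another ("hostnamer") and keeps "maching" twice; the surrounding text also still has "incomming", "The first packet is inspect" (inspected), "Form this point" (From this point) and "its contents is buffered" (are buffered). On substance, two points in this hunk deserve a sentence each: a TLS Client Hello can arrive split across several TCP segments, so say whether the listener keeps buffering until the record is complete or decides on a partial first packet; and "the buffer to the other socket is sent and the connection is closed" followed by "After both sockets have been closed the connection is removed" reads as contradictory, so state whether a close from one side is propagated as a half-close on the other after the pending buffer is flushed, rather than tearing both sockets down at once.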
HTTPS SNI Proxy
===============
Proxies TLS and HTTP requests to backend servers based on the hostname in the
SNI (Server Name Indication) TLS extension, or in the HTTP request for plain HTTP.
Features
--------
+ Name-based proxying of HTTPS without decrypting traffic. No keys or certificates required.
+ Also supports HTTP
+ Supports IPv4, IPv6 and Unix domain sockets for both backend servers and listeners
+ Multiple listeners per daemon
Usage
-----
    Usage: sni_proxy [-c <config>] [-f]
        -c  configuration file, defaults to /etc/sni_proxy.conf
        -f  run in foreground, do not drop privileges
Configuration Syntax
--------------------
    user daemon

    listener 127.0.0.1 443 {
        protocol tls
        table "TableName"
    }

    table "TableName" {
        # Match exact request hostnames
        example.com 192.0.2.10 4343
        example.net 2001:DB8::1:10 443
        # Or use PCRE to match
        .*\\.com 2001:DB8::1:11 443
        # Combining PCRE and the * wildcard resolves the hostname the client
        # requested and proxies to it; keep such patterns as tight as possible,
        # since every name they match becomes a backend the client can reach
        .*\\.edu * 443
    }
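As an added example (not sniproxy's own code, which is C), the following Python models the two pieces of behaviour the README describes: pulling the hostname out of a TLS Client Hello's SNI extension or an HTTP request's Host header without decrypting anything, and matching it against a table like the one above, where a backend of `*` means "connect to the name the client asked for". The Client Hello builder, the table contents, the rule that a pattern made only of letters, digits, dots and hyphens is an exact name while anything else is a regex, and the use of anchored `fullmatch` are all this example's assumptions; the page does not say how sniproxy anchors its PCRE matches, and the patterns are written as Python regexes rather than in the config file's escaping.

```python
import re
import struct

NEED_MORE = object()  # sentinel: name not decidable yet, buffer more bytes first
PLAIN_NAME = re.compile(r"^[A-Za-z0-9.-]+$")

# Constructed table mirroring the README config above (documentation addresses).
TABLE = [
    ("example.com", "192.0.2.10", 4343),
    ("example.net", "2001:DB8::1:10", 443),
    (r".*\.com", "2001:DB8::1:11", 443),
    (r".*\.edu", "*", 443),  # '*': connect to whatever host the client named
]

def tls_sni(data):
    """SNI host_name from a TLS ClientHello; NEED_MORE if the record is
    incomplete; None if there is no SNI; ValueError if not a ClientHello."""
    if len(data) < 5:
        return NEED_MORE
    if data[0] != 0x16:  # content type: handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return NEED_MORE  # ClientHello split across TCP segments: wait for the rest
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:  # handshake type: client_hello
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32  # skip handshake header, client_version, random
    pos += 1 + hs[pos]  # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]  # compression_methods
    if pos + 2 > len(hs):
        return None  # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        body = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0x0000:  # server_name: u16 list_len, then (u8 type, u16 len, name)*
            p = 2
            while p + 3 <= len(body):
                ntype, nlen = body[p], struct.unpack("!H", body[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:  # host_name
                    return body[p:p + nlen].decode("ascii")
                p += nlen
    return None

def http_host(data):
    """Host header from an HTTP/1.x request head; NEED_MORE until the head is
    complete; None if there is no Host header. Drops a port suffix (no IPv6 literals)."""
    head_end = data.find(b"\r\n\r\n")
    if head_end < 0:
        return NEED_MORE
    for line in data[:head_end].split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii").split(":")[0]
    return None

def build_table(entries):
    """Plain hostnames become exact entries, anything else a regex (example's rule)."""
    table = []
    for pattern, address, port in entries:
        if PLAIN_NAME.match(pattern):
            table.append((pattern.lower(), None, address, port))
        else:
            table.append((None, re.compile(pattern, re.IGNORECASE), address, port))
    return table

def lookup(table, hostname):
    """First matching entry wins. Regexes use fullmatch, so '.*\\.com' is not
    satisfied by 'shop.com.attacker.net'; '*' resolves to the requested name."""
    hostname = hostname.lower()
    for exact, regex, address, port in table:
        if exact == hostname or (regex is not None and regex.fullmatch(hostname)):
            return (hostname if address == "*" else address, port)
    return None

def route(first_bytes, protocol, table):
    """What a listener decides from the first bytes of a new connection."""
    name = tls_sni(first_bytes) if protocol == "tls" else http_host(first_bytes)
    if name is NEED_MORE or name is None:
        return name  # wait for more data, or nothing to route on
    return lookup(table, name)

def make_client_hello(server_name):
    """Constructed TLS 1.2 ClientHello carrying only an SNI extension (test input)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", 0x0000, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"     # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

`NEED_MORE` models the case the README glosses over: the first bytes read from the socket may not yet contain a complete Client Hello or request head, and deciding on a partial record is wrong in both directions. The `*` entry shows why the README's note about tight patterns matters: once a wildcard backend is in play, the client's own SNI value chooses the destination, so the regex is the only thing bounding where the proxy will connect.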
* Reimplement configuration reloading
* Non-blocking DNS resolution
* Improved table backend lookup, currently this is a linear lookup
* Move from select() to libevent to support more than FD_SETSIZE / 2 connections
* HTTP interface for backend servers to determine remote IP and port of connection
* Out of band TCP data proxying -- I haven't seen a case where the lack of this has caused any issues yet.