Readme.md

File metadata and controls

61 lines (44 loc) · 3.1 KB

Reverse proxy for SNI routing.

Why?

In an ideal world anyone would be able to host their own software. Unfortunately, with IPv4 address exhaustion and the limited adoption of IPv6 infrastructure, this is not the reality we live in.

One way to address the issue is to host the software in a public cloud. This, however, means paying for the infrastructure and, if TLS is involved, handing the encryption keys to the cloud provider.

If you would rather keep your keys to yourself and minimize the infrastructure bill, another option is to deploy a TCP load balancer in the public cloud and use SNI to choose the downstream service. The server name is sent in the clear in the TLS ClientHello, so the balancer can route on it without terminating TLS or ever holding a private key.

How?

Sequence diagram (Mermaid source):

```mermaid
sequenceDiagram
participant C as Client
participant P as SNI Proxy
participant D as DNS Server
participant S as downstream.service.com

note over D, S: Downstream service is <br/> reachable via IPv6 (native or mesh)
C->>P: TLS(GET downstream.service.com)
P->>P: Read SNI
P->>D: AAAA record for downstream.service.com
D->>P: [2001:dead::beef]
P->>S: This is for you
S->>P: Encrypted response
P->>C: Forward bytes to Client
```
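The "Read SNI" step above is what lets the proxy route without holding any TLS key: the host name sits in the plaintext ClientHello. As an added example that is not ormos code, this Rust function extracts it (returning None for truncated, malformed or non-TLS input, which a proxy should then drop), alongside a constructed ClientHello to run it against:

```rust
/// Reads `n` bytes from the front of `b`; None when the input is truncated.
fn take<'a>(b: &mut &'a [u8], n: usize) -> Option<&'a [u8]> {
    if n > b.len() { return None; }
    let (head, tail) = b.split_at(n);
    *b = tail;
    Some(head)
}

/// Reads a `w`-byte big-endian length, then that many bytes (a TLS vector).
fn vector<'a>(b: &mut &'a [u8], w: usize) -> Option<&'a [u8]> {
    let n = take(b, w)?.iter().fold(0usize, |a, &x| (a << 8) | x as usize);
    take(b, n)
}

/// host_name from the ClientHello's server_name extension; None if malformed, truncated or absent.
pub fn parse_sni(mut rec: &[u8]) -> Option<String> {
    if take(&mut rec, 3)?[0] != 0x16 { return None; }          // content type: handshake
    let mut body = vector(&mut rec, 2)?;                         // record payload
    if take(&mut body, 1)?[0] != 0x01 { return None; }         // handshake type: ClientHello
    let mut ch = vector(&mut body, 3)?;
    take(&mut ch, 34)?;                                          // legacy_version + random
    for w in [1, 2, 1] { vector(&mut ch, w)?; }                  // session_id, cipher_suites, compression_methods
    let mut exts = vector(&mut ch, 2)?;
    while !exts.is_empty() {
        let ty = take(&mut exts, 2)?;
        let mut data = vector(&mut exts, 2)?;                    // extension_data
        if ty != [0u8, 0] { continue; }                          // extension type 0 = server_name
        let mut list = vector(&mut data, 2)?;                    // server_name_list
        while !list.is_empty() {
            let kind = take(&mut list, 1)?[0];
            let name = vector(&mut list, 2)?;
            if kind == 0 { return String::from_utf8(name.to_vec()).ok(); }  // name_type host_name
        }
    }
    None
}

/// Constructed (not captured) ClientHello record carrying `host` as its SNI.
pub fn sample_client_hello(host: &str) -> Vec<u8> {
    let n = u8::try_from(host.len() + 9).expect("host too long for the sample") - 9;
    let mut ch = vec![3u8, 3];                                   // legacy_version TLS 1.2
    ch.extend([0u8; 32]);                                        // random (zeros, constructed)
    ch.extend([0, 0, 2, 0x13, 0x01, 1, 0]);                      // empty session_id, one cipher suite, null compression
    ch.extend([0, n + 9, 0, 0, 0, n + 5, 0, n + 3, 0, 0, n]);   // extensions: server_name with one host_name entry
    ch.extend_from_slice(host.as_bytes());
    let l = ch.len();
    let mut rec = vec![0x16, 3, 1, ((l + 4) >> 8) as u8, (l + 4) as u8, 1, 0, (l >> 8) as u8, l as u8];
    rec.extend(ch);                                              // TLSPlaintext header, Handshake header, body
    rec
}
```

`parse_sni(&sample_client_hello("downstream.service.com"))` returns `Some("downstream.service.com")`, while a truncated record or a plain-HTTP request returns `None`.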

Installation

Nix

The package ships with a Nix flake and supports cross-platform Docker images:

  • Get nix
  • nix run . to compile and run
  • nix build . to build an artifact for the current system
  • nix build .#image to build a Docker image for the current system. Import the image into Docker with docker load < result
  • nix build .#aarch64-image to build a Docker image for the aarch64 architecture
  • nix build .#x86_64-image to build a Docker image for the x86_64 architecture

Build from source

  • Get rust
  • Build with cargo build --release -p ormos.
  • Take a look at sample_config.yml and punch in the values relevant to your use case

More docs

  • Run cargo doc --open