
Add TLS ALPN support #98

Open. Wants to merge 4 commits into master.
Conversation

dlundquist (Owner)

Add support for switching backends by TLS ALPN (Application Layer Protocol Negotiation) extension. This is based on #66, but avoids adding additional dependencies to the TLS module and only supports a single method of backend selection: SNI or ALPN. More complex configurations could be achieved by proxying back to sniproxy on over a local UNIX socket to another listener configured for the other protocol.

The configuration syntax is also changed compared to #66:

listener 443 {
  protocol tls alpn
  table alpn_protocols
}

table alpn_protocols {
  http/1.1    192.0.2.31
  http/2.0    192.0.2.32
  spdy/3      192.0.2.33
}

Linker dependencies for master branch:
[image: sniproxy-master]

And for ALPN branch:
[image: sniproxy-alpn]

@nmav I would appreciate your review of this pull request since it is based on your earlier work.
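To make the backend-selection step concrete, here is an added example (not sniproxy's own code and not part of this pull request) in C that does what the `protocol tls alpn` listener above would have to do: walk a TLS ClientHello record to its extensions, find the ALPN extension (type 16, RFC 7301), and return the backend for the first offered protocol that appears in a table mirroring the `alpn_protocols` table from the description. The table, the `build_client_hello` helper and the ClientHello it produces are constructed for this example; every length field is bounds-checked before use, and the function returns NULL for a truncated record, a missing ALPN extension, or an ALPN list with nothing the table routes, so the caller can fall back to a default backend.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed table mirroring the PR's "table alpn_protocols" example. */
struct alpn_backend { const char *proto; const char *backend; };
static const struct alpn_backend alpn_table[] = {
    { "http/1.1", "192.0.2.31" },
    { "http/2.0", "192.0.2.32" },
    { "spdy/3",   "192.0.2.33" },
};

/* Find a protocol name (not NUL-terminated) in the table; NULL if absent. */
static const char *lookup_alpn(const uint8_t *name, size_t len) {
    for (size_t i = 0; i < sizeof alpn_table / sizeof alpn_table[0]; i++)
        if (strlen(alpn_table[i].proto) == len && memcmp(alpn_table[i].proto, name, len) == 0)
            return alpn_table[i].backend;
    return NULL;
}

/* Parse a TLS ClientHello record and return the backend for the first ALPN
 * protocol the client offers that the table routes. Returns NULL when the
 * record is malformed or truncated, carries no ALPN extension, or offers no
 * routable protocol. Every length field is checked before it is used. */
const char *select_backend_by_alpn(const uint8_t *buf, size_t len) {
    if (len < 5 || buf[0] != 0x16) return NULL;            /* record type: handshake */
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (rec_len + 5 > len) return NULL;                     /* truncated record */
    len = rec_len + 5;
    size_t pos = 5;
    if (pos + 4 > len || buf[pos] != 0x01) return NULL;     /* handshake type: ClientHello */
    size_t hs_len = ((size_t)buf[pos + 1] << 16) | ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
    pos += 4;
    if (pos + hs_len > len) return NULL;
    len = pos + hs_len;
    if (pos + 34 > len) return NULL;                        /* client_version(2) + random(32) */
    pos += 34;
    if (pos + 1 > len) return NULL;                         /* session_id */
    pos += 1 + buf[pos];
    if (pos + 2 > len) return NULL;                         /* cipher_suites */
    pos += 2 + (((size_t)buf[pos] << 8) | buf[pos + 1]);
    if (pos + 1 > len) return NULL;                         /* compression_methods */
    pos += 1 + buf[pos];
    if (pos + 2 > len) return NULL;                         /* extensions length */
    size_t ext_len = ((size_t)buf[pos] << 8) | buf[pos + 1];
    pos += 2;
    if (pos + ext_len > len) return NULL;
    len = pos + ext_len;
    while (pos + 4 <= len) {                                /* extension: type(2) length(2) data */
        size_t type = ((size_t)buf[pos] << 8) | buf[pos + 1];
        size_t elen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        pos += 4;
        if (pos + elen > len) return NULL;
        if (type == 0x0010) {                               /* ALPN (RFC 7301) */
            if (elen < 2) return NULL;
            size_t list_len = ((size_t)buf[pos] << 8) | buf[pos + 1];
            if (list_len + 2 != elen) return NULL;
            size_t p = pos + 2, end = pos + elen;
            while (p < end) {                               /* entries: length(1) name */
                size_t nlen = buf[p];
                if (nlen == 0 || p + 1 + nlen > end) return NULL;
                const char *backend = lookup_alpn(buf + p + 1, nlen);
                if (backend) return backend;
                p += 1 + nlen;
            }
            return NULL;                                    /* ALPN present, nothing routable */
        }
        pos += elen;
    }
    return NULL;                                            /* no ALPN extension */
}

/* Constructed helper: build a minimal ClientHello offering the given ALPN
 * names (NULL-terminated array; NULL array = no ALPN extension). Returns the
 * record length written to out, or 0 if it does not fit. */
size_t build_client_hello(uint8_t *out, size_t cap, const char *const *protos) {
    uint8_t body[256]; size_t n = 0, list_len = 0;
    body[n++] = 0x03; body[n++] = 0x03;                     /* client_version: TLS 1.2 */
    memset(body + n, 0x42, 32); n += 32;                    /* random (constructed filler) */
    body[n++] = 0;                                          /* empty session_id */
    body[n++] = 0; body[n++] = 2; body[n++] = 0xc0; body[n++] = 0x2f;  /* one cipher suite */
    body[n++] = 1; body[n++] = 0;                           /* null compression only */
    size_t ext_len_at = n; n += 2;                          /* extensions length, patched below */
    for (size_t i = 0; protos && protos[i]; i++) list_len += 1 + strlen(protos[i]);
    if (list_len > 200) return 0;
    if (protos) {
        body[n++] = 0x00; body[n++] = 0x10;                 /* extension type 16 = ALPN */
        body[n++] = (uint8_t)((list_len + 2) >> 8); body[n++] = (uint8_t)((list_len + 2) & 0xff);
        body[n++] = (uint8_t)(list_len >> 8);       body[n++] = (uint8_t)(list_len & 0xff);
        for (size_t i = 0; protos[i]; i++) {
            size_t l = strlen(protos[i]);
            body[n++] = (uint8_t)l; memcpy(body + n, protos[i], l); n += l;
        }
    }
    size_t ext_len = n - ext_len_at - 2;
    body[ext_len_at] = (uint8_t)(ext_len >> 8); body[ext_len_at + 1] = (uint8_t)(ext_len & 0xff);
    if (cap < n + 9) return 0;
    out[0] = 0x16; out[1] = 0x03; out[2] = 0x01;            /* record header */
    out[3] = (uint8_t)((n + 4) >> 8); out[4] = (uint8_t)((n + 4) & 0xff);
    out[5] = 0x01; out[6] = (uint8_t)(n >> 16); out[7] = (uint8_t)(n >> 8); out[8] = (uint8_t)(n & 0xff);
    memcpy(out + 9, body, n);
    return n + 9;
}

int main(void) {
    uint8_t rec[256];
    const char *const offered[] = { "h2", "http/1.1", NULL };
    size_t n = build_client_hello(rec, sizeof rec, offered);
    const char *backend = select_backend_by_alpn(rec, n);
    printf("backend: %s\n", backend ? backend : "(none, use default)");
    return 0;
}
```

Note that the example offers "h2" before "http/1.1": "h2" is the ALPN identifier registered for HTTP/2, whereas the table in the description uses "http/2.0", so the lookup skips it and routes on "http/1.1". A deployment should list the identifiers clients actually send.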

@nmav

nmav commented May 26, 2014

Hello Dustin, the fact that it only supports a single method of backend selection makes it quite impractical. In effect for my use-case (distinguish traffic for ocserv vpn), it makes it an unsuitable solution as I need alpn or sni. As ALPN is not deployed yet, most use cases will be using sni or alpn initially as well. Proxying through another sniproxy is too much overhead to be considered as a solution.

Use protocol data functionality to hold configured ALPN protocols. Since
the complexity increased and there wasn't a clear use case, support only
a single TLS extension at a time per listener: TLS or ALPN. Complex
configurations involving both ALPN and SNI can be accomplished by
configuring SNIProxy to proxy to another of its own listeners over a
UNIX socket to examine the other TLS extension. Use an additional
protocol argument to toggle between SNI and ALPN TLS extensions.
@nmav

nmav commented Nov 4, 2014

Hello Dustin, is there any update on that? Do you plan to allow selecting between ALPN or SNI on a server?

@nogweii

nogweii commented Sep 26, 2017

Any chance you can update this PR and merge it? And possibly add an example configuration of proxying ALPN back to sniproxy?
