feature: new global setting options to enable SNI-forward to external domains #1697
base: dev
… domains to cover cases where YunoHost is hosted behind a VPN or to host several servers behind the same IP
…0.1 instead of 0.0.0.0
As Aleks pinged me on the chat, I found some time to make a review.
Feel free to decide to ignore some of my comments...
proxy_set_header X-Forwarded-Uri $request_uri; | ||
proxy_set_header X-Forwarded-Ssl on; | ||
proxy_set_header X-Forwarded-For $remote_addr; | ||
proxy_set_header X-Real-IP $remote_addr; |
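Review bot: these four headers only reach the backend on the plain-HTTP path; the SNI-forwarded HTTPS path this PR introduces (ssl_preread, traffic not decrypted) cannot set any HTTP header, so on that path the final server sees the forwarder's address as the client, which is exactly the fail2ban concern raised below. The PR description should state that asymmetry, and the "behind an SNI reverse proxy" setting discussed later belongs on the receiving server. Also, `proxy_set_header X-Forwarded-For $remote_addr;` overwrites any chain an upstream proxy already sent; `$proxy_add_x_forwarded_for` appends to it instead, while `X-Real-IP $remote_addr` is fine as is.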
Is the HTTP and HTTPS behaviour the same for the logs on the final server (the one with the service)?
It could be important to know, because fail2ban could ban the reverse proxy server...
…main to prevent possible conflicts in specific cases
…ni forwarder needs to use 443 and this would otherwise conflict
(The remaining blocker is to properly configure the IP header thingy)
IP header thingy, wat dat iz??
cf #1697 (comment) and the X-Real-IP header. Basically, if you enable SNI-forward, all traffic on the "server B" appears as coming from "server A"'s IP ... which means fail2ban, if triggered, will ban server A entirely.

Nginx has some option somewhere to assume that the real IP is not the IP from the raw packets, but a specific HTTP header, typically

But since this is something to be configured on "server B" and not "server A", we probably need a new global setting such as "This server is behind an SNI reverse proxy" which adds the proper nginx tweak
The problem
For various scenarios, it would be nice to be able to have SNI-based forwarding of HTTPS traffic (ie without decrypting the traffic) to another machine. For example:
Solution
Introduce a new setting to "enable SNI based forwarding" + configure a mapping of domain:IPv4
The whole thing tweaks nginx's configuration and uses nginx's ssl_preread stuff: https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html
PR Status
Somewhat tested but should be properly re-tested
Also we should :
How to test
...
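As an added example that is not part of this PR or of YunoHost's code, here is a sketch in Python (YunoHost's language) of how the domain:IPv4 setting described above could be validated and rendered into the nginx `stream` block that does the SNI forwarding. The function names, the `$sni_backend` map variable and the "local HTTPS vhost moved to 127.0.0.1:443 so the forwarder can own the public 443" layout are my assumptions, chosen to match the commit messages; the security point is that each setting value is checked before it is interpolated into nginx.conf.

```python
import ipaddress
import re

# Hostname label per RFC 1123: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _validate_domain(domain: str) -> str:
    """Return the lower-cased hostname, or raise ValueError for anything that is not one."""
    domain = domain.strip().lower().rstrip(".")
    if not domain or len(domain) > 253 or not all(_LABEL.match(l) for l in domain.split(".")):
        raise ValueError(f"bad domain: {domain!r}")
    return domain


def _validate_ipv4(ip: str) -> str:
    """Return canonical dotted-quad text; rejects IPv6, CIDR ranges and anything else."""
    try:
        return str(ipaddress.IPv4Address(ip.strip()))
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"bad IPv4 address: {ip!r}") from exc


def is_valid_entry(domain: str, ip: str) -> bool:
    """True if a single setting entry would be accepted by the renderer."""
    try:
        _validate_domain(domain)
        _validate_ipv4(ip)
        return True
    except ValueError:
        return False


def render_sni_forward_conf(mapping: dict) -> str:
    """Render a stream block that forwards TLS by SNI without decrypting it.

    Needs ngx_stream_ssl_preread_module. Values are validated first, so a crafted
    setting such as 'evil.example; proxy_pass 10.0.0.1' cannot smuggle directives in.
    """
    lines = ["stream {", "    map $ssl_preread_server_name $sni_backend {"]
    for domain, ip in mapping.items():
        lines.append(f"        {_validate_domain(domain)} {_validate_ipv4(ip)}:443;")
    # Unknown or missing SNI: hand the connection to the local HTTPS vhost, which
    # (assumption, per the commit messages) now listens on 127.0.0.1:443 instead
    # of 0.0.0.0:443 so it does not conflict with the forwarder on the public 443.
    lines += ["        default 127.0.0.1:443;", "    }", "    server {",
              "        listen 443;", "        ssl_preread on;",
              "        proxy_pass $sni_backend;", "    }", "}"]
    return "\n".join(lines) + "\n"
```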