feature: new global setting options to enable SNI-forward to external domains #1697
Conversation
… domains to cover cases where YunoHost is hosted behind a VPN or to host several servers behind the same IP
…0.1 instead of 0.0.0.0
| proxy_set_header X-Forwarded-Uri $request_uri; | ||
| proxy_set_header X-Forwarded-Ssl on; | ||
| proxy_set_header X-Forwarded-For $remote_addr; | ||
| proxy_set_header X-Real-IP $remote_addr; |
There was a problem hiding this comment.
Is HTTP and HTTPS behaviour the same for logs in the final server (the one with the service) ?
There was a problem hiding this comment.
Could be important to know it, cause fail2ban could ban the reverse proxy server...
…main to prevent possible conflicts in specific cases
…main to prevent possible conflicts in specific cases
…ni forwarder needs to use 443 and this would otherwise conflict
|
(The remaining blocker is to properly configure the IP header thingy) |
|
IP header thingy, wat dat iz?? |
|
cf #1697 (comment) and the X-Real-IP header Basically if you enable SNI-forward, all traffic on the "server B" appears as coming from "server A"'s IP ... which means fail2ban, if triggered, will ban server A entirely. Nginx has some option somewhere to assume that the real IP is not the IP from the raw packets, but a specific HTTP header, typically But since this is something to be configured on "server B" and not "server A", we probably need a new global setting such as "This server is behind an SNI reverse proxy" which adds the proper nginx tweak |
The problem
For various scenarios, it would be nice to be able to have SNI-based forwarding of HTTPS traffic (ie without decrypting the traffic) to another machine. For example:
Solution
Introduce a new setting to "enable SNI based forwarding" + configure a mapping of domain:IPv4
The whole thing tweaks nginx's configuration and use nginx's ssl_preread stuff : https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html
PR Status
Somewhat tested but should be propreply re-tested
Also we should :
How to test
...