
There are various articles and questions explaining how to use a given reverse proxy's (e.g. nginx) implementation of this [1] [2] [3] [4], but none explain how this actually works under the hood.

By "TLS Passthrough based on SNI", I am referring to a proxy that does not perform TLS termination at the proxy, but forwards the unencrypted TLS packets directly to the upstream server, based on the SNI in the TLS clientHello packet.

Could someone explain how this works in detail?

  • For example, I assume a TCP handshake between the client and proxy is performed first, and from the TLS clientHello onwards, the correct upstream server is selected, and the proxy thus acts as an L4 reverse proxy; but does the proxy establish a separate TCP handshake between itself and the server before forwarding the clientHello? What goes on after that?
  • Also, when multiple domains share the same IP, how does the proxy distinguish between flows to each of these domains, given that the SNI only appears in the clientHello?
Starfish

1 Answer

SNI is short for server name indication. It puts the hostname that you requested in the unencrypted TLS clientHello handshake.

Having a proxy server that does TLS passthrough isn't much different than having 20 domains in Apache each with their own SSL certificate. The proxy has a list of hostnames and their corresponding backend servers. It reads the hostname from the SNI information and then forwards everything on to the appropriate server.

For the proxy server there's not much special about tracking each of the flows - that's what proxy servers do. It keeps track of every incoming connection and its corresponding connection to the backend servers. Once it's made that connection it doesn't need to know anything about what hostname was used, it just keeps forwarding information back and forth on the same path.

Grant
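As an added illustration of the mechanism the answer describes (example code written for this page, not part of either post and not any real proxy's implementation), here is a minimal SNI passthrough proxy in Python: it reads the first TLS record from the client, parses the server_name extension out of the ClientHello, opens its own TCP connection to the backend chosen from a routing table, replays the untouched ClientHello, and from then on relays bytes in both directions without any TLS state. The `BACKENDS` table, its addresses and the ClientHello produced by `build_client_hello` are all constructed for this example.

```python
import socket
import struct
import threading
# Hypothetical routing table (constructed for this example): SNI host_name -> backend address.
BACKENDS = {"app.example.com": ("10.0.0.11", 443), "api.example.com": ("10.0.0.12", 443)}

def parse_sni(record: bytes):
    # Return host_name from the ClientHello's server_name extension (RFC 6066), else None.
    try:
        if record[0] != 0x16 or record[5] != 0x01:        # not a handshake record / ClientHello
            return None
        p = 44 + record[43]                               # past version, random and session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # skip cipher_suites
        p += 1 + record[p]                                # skip compression_methods
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]; p += 2
        while p + 4 <= end:                               # walk the extensions
            ext_type, ext_len = struct.unpack("!HH", record[p:p + 4]); p += 4
            if ext_type == 0:                             # server_name extension
                q = p + 2                                 # skip server_name_list length
                while q + 3 <= p + ext_len:
                    name_len = struct.unpack("!H", record[q + 1:q + 3])[0]
                    if record[q] == 0:                    # name_type host_name
                        return record[q + 3:q + 3 + name_len].decode("ascii")
                    q += 3 + name_len
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None                                           # no usable server_name present

def pipe(src: socket.socket, dst: socket.socket) -> None:
    while data := src.recv(65536):      # bytes are relayed unchanged; the proxy holds no TLS state
        dst.sendall(data)
    dst.close()
def handle_client(client: socket.socket) -> None:
    hello = client.recv(16384)          # first record; a real proxy buffers up to the record length
    backend_addr = BACKENDS.get(parse_sni(hello))      # absent or unknown SNI -> drop, no default
    if backend_addr is None:
        client.close(); return
    backend = socket.create_connection(backend_addr)   # second, separate TCP handshake upstream
    backend.sendall(hello)                             # replay the unmodified ClientHello
    threading.Thread(target=pipe, args=(client, backend), daemon=True).start()
    pipe(backend, client)                              # one client<->backend pair per connection
def build_client_hello(hostname: str) -> bytes:
    # Construct a minimal TLS ClientHello with a single SNI extension (sample input, not a capture).
    name = hostname.encode("ascii")
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Because the proxy keys each relay on the socket pair rather than on the hostname, many domains on one listening IP are distinguished only at the moment the ClientHello is read; after that every connection is just its own pair of sockets.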