sni_proxy
A TCP forward proxy server based on TLS SNI / HTTP Host.
The following common keys are supported:
-
The user group should be of the facts authentication type. It is used only if either auth_by_client_ip or auth_by_server_name is set.
Added in version 1.13.0.
listen
optional, type: tcp listen
Set the listen config for this server.
The instance count setting will be ignored if listen_in_worker is correctly enabled.
default: not set
Added in version 1.7.20: change listen config to be optional
auth_by_client_ip
optional, type: bool, conflict: auth_by_server_ip
Enable facts-based user authentication and use the client IP as the authentication fact.
default: false
Added in version 1.13.0.
auth_by_server_name
optional, type: bool, conflict: auth_by_client_ip
Enable facts-based user authentication and use the server name as the authentication fact.
default: false
Added in version 1.13.0.
tls_max_client_hello_size
optional, type: u32
Set the maximum size of the TLS ClientHello message.
default: 1 << 16
Added in version 1.9.9.
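
How an SNI-based proxy can read the server name from the initial client data while enforcing a ClientHello size limit, as an added example that is not the project's own code. It covers only a ClientHello that fits in a single TLS record and assumes the limit is compared against the handshake message length; all function names are hypothetical.

```python
MAX_CLIENT_HELLO = 1 << 16  # the page's default for tls_max_client_hello_size

class ClientHelloError(ValueError): pass

def _take(buf, pos, n):
    if pos + n > len(buf):  # slices never fail on short input, so check here
        raise ClientHelloError("truncated field")
    return buf[pos:pos + n], pos + n

def _vec(buf, pos, len_bytes):
    raw, pos = _take(buf, pos, len_bytes)  # length prefix, then that many bytes
    return _take(buf, pos, int.from_bytes(raw, "big"))

def extract_sni(record, max_size=MAX_CLIENT_HELLO):
    """Return the lower-cased SNI host name, or None when no SNI is sent."""
    hdr, pos = _take(record, 0, 9)  # 5-byte record header + 4-byte handshake header
    if hdr[0] != 0x16 or hdr[5] != 0x01:
        raise ClientHelloError("not a TLS ClientHello")
    hello_len = int.from_bytes(hdr[6:9], "big")
    if hello_len > max_size:  # assumption: limit applies to the handshake length
        raise ClientHelloError("ClientHello exceeds size limit")
    body, _ = _take(record, pos, hello_len)
    _, p = _take(body, 0, 34)   # legacy_version (2) + random (32)
    _, p = _vec(body, p, 1)     # session_id
    _, p = _vec(body, p, 2)     # cipher_suites
    _, p = _vec(body, p, 1)     # compression_methods
    if p == len(body):
        return None             # no extensions block at all
    exts, _ = _vec(body, p, 2)
    p = 0
    while p < len(exts):
        etype, p = _take(exts, p, 2)
        data, p = _vec(exts, p, 2)
        if etype == b"\x00\x00":            # server_name extension
            names, _ = _vec(data, 0, 2)
            ntype, q = _take(names, 0, 1)
            name, _ = _vec(names, q, 2)
            if ntype == b"\x00":            # name_type host_name
                return name.decode("ascii").lower()
    return None

def build_sample_hello(host):  # constructed test input, not captured traffic
    name = host.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name
    sni = len(entry).to_bytes(2, "big") + entry
    exts = b"\x00\x00" + len(sni).to_bytes(2, "big") + sni
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00"
    body += len(exts).to_bytes(2, "big") + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs
```

A rejected or truncated hello raises ClientHelloError, so the caller can close the connection instead of forwarding data it could not classify.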
request_wait_timeout
optional, type: humanize duration
Set the timeout for waiting for the initial client data.
default: 60s
request_recv_timeout
optional, type: humanize duration
Set the timeout for receiving the complete initial request after the initial data arrives. The initial request may be a TLS ClientHello message or an HTTP request.
default: 4s
protocol_inspection
optional, type: protocol inspection
Set basic config for protocol inspection.
default: set with default value
server_tcp_portmap
optional, type: server tcp portmap
Set the portmap for protocol inspection based on the server-side TCP port.
default: set with default value
client_tcp_portmap
optional, type: client tcp portmap
Set the portmap for protocol inspection based on the client-side TCP port.
default: set with default value
allowed_hosts
optional, type: host matched object <host>
Set the list of hosts we should handle based on host match rules.
If not set, all requests will be handled.
Example:

  hosts:
    - exact_match:
        - www.example.net
        - example.net
      redirect_host: www.example.net:443 # all redirect to www.example.net:*
    - child_match: example.org # pass all *.example.org:*

default: not set
Host
This sets the config for an SNI host.
redirect_host
optional, type: host
Change the host field of the upstream address.
default: not set
redirect_port
optional, type: u16
Change the port field of the upstream address.
default: not set