使用nginx和SNI进行SSL端口统一
[英]SSL port unification with nginx and SNI
问题描述
I have a number of separate SSL servers on my internal network which I want to expose to the public Internet on a single IP address and port. 
我的内部网络上有许多单独的SSL服务器,我希望在单个IP地址和端口上公开Internet。 All my clients are guaranteed to support the server_name TLS extension (akaServer Name Indication or SNI). 我保证所有客户端都支持server_name TLS扩展(akaServer Name Indication或SNI)。
What I imagine is, that nginx will look at the TLS client hello message of an incoming connection and figure out which internal IP to forward the connection to. 我想象的是,nginx会查看传入连接的TLS客户端问候消息,并确定将连接转发到哪个内部IP。 Then nginx acts as a TCP tunnel, ie nginx itself is not participating in any TLS sessions (even though it peeks into incoming TLS client hello messages!), and needs no SSL cert or private key of its own. 然后nginx充当TCP隧道,即nginx本身不参与任何TLS会话(即使它查看传入的TLS客户端问候消息!),并且不需要自己的SSL证书或私钥。
In other words, the TLS session is initiated on the client, passes-thru nginx (which multiplexes the destinations using the server_name information in TLS client hello) and terminates in the destination server. 换句话说,TLS会话在客户端上启动,pass-thru nginx(使用TLS客户端hello中的server_name信息多路复用目标)并终止于目标服务器。
Can this be done with nginx and how? 这可以用nginx来完成吗? If not, are you aware of some other proxy software that can do this? 如果没有,您是否知道其他一些可以执行此操作的代理软件?
Best Regards, 最好的祝福,
rkpr rkpr
1 个解决方案
解决方案1
3 2014-07-29 16:01:56
It seems haproxy can do exactly that like this: 似乎haproxy可以像这样做:
use-server srv1 if { req_ssl_sni -i hostname1 }
server srv1 192.168.0.1:443 weight 0
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.