sni_proxy

This server is a lightweight TCP forward proxy that routes requests by looking at TLS SNI or the HTTP Host header.

The following common keys are supported:

listen

optional, type: tcp listen

Listening configuration for this server.

The instance count setting will be ignored if listen_in_worker is correctly enabled.

default: not set

Added in version 1.7.20: change listen config to be optional

listen_transparent

optional, type: bool

Set to true to enable transparent mode on the listening socket.

This flag is only available on Linux. When enabled, the listener socket is placed into transparent mode before accept.

default: false

Added in version 1.13.0.

auth_by_client_ip

optional, type: bool, conflict: auth_by_server_name

Enables fact-based user authentication using the client IP address as the authentication fact.

If enabled, user_group must also be set.

default: false

Added in version 1.13.0.

auth_by_server_name

optional, type: bool, conflict: auth_by_client_ip

Enables fact-based user authentication using the server name as the authentication fact.

If enabled, user_group must also be set.

default: false

Added in version 1.13.0.

tls_max_client_hello_size

optional, type: u32

Maximum size of the TLS ClientHello message.

default: 1 << 16

Added in version 1.9.9.

request_wait_timeout

optional, type: humanize duration

Timeout while waiting for the initial client data.

default: 60s

request_recv_timeout

optional, type: humanize duration

Timeout for receiving the complete initial request after the first bytes arrive. The initial request may be either a TLS ClientHello message or an HTTP request.

default: 4s

protocol_inspection

optional, type: protocol inspection

Basic protocol-inspection configuration.

default: set with default value

server_tcp_portmap

optional, type: server tcp portmap

Port mapping used for protocol inspection based on the server-side TCP port.

default: set with default value

client_tcp_portmap

optional, type: client tcp portmap

Port mapping used for protocol inspection based on the client-side TCP port.

default: set with default value

allowed_hosts

optional, type: host matched object <host>

Host-matching rules that define which hosts this server should handle.

If not set, all requests will be handled.

alias: allowed_sites

Example:

hosts:
  - exact_match:
      - www.example.net
      - example.net
    redirect_host: www.example.net:443 # all redirect to www.example.net:*
  - suffix_match: example.org # pass all *.example.org:*
  - exact_match: legacy.example.com
    redirect_port: 8443 # keep the original host, override only the port

default: not set

Host

Configuration for a matched SNI host.

redirect_host

optional, type: host

Overrides the host part of the upstream address.

If redirect_port is not set, the original destination port is kept.

default: not set

redirect_port

optional, type: u16

Overrides the port part of the upstream address.

If redirect_host is not set, the original destination host is kept.

default: not set