sni_proxy
This server is a lightweight TCP forward proxy that routes requests by looking
at TLS SNI or the HTTP Host header.
The following common keys are supported:
-
The user group must use fact-based authentication. It is used only when either
auth_by_client_iporauth_by_server_nameis enabled.Added in version 1.13.0.
listen
optional, type: tcp listen
Listening configuration for this server.
The instance count setting will be ignored if listen_in_worker is correctly enabled.
default: not set
Added in version 1.7.20: change listen config to be optional
listen_transparent
optional, type: bool
Set to true to enable transparent mode on the listening socket.
This flag is only available on Linux. When enabled, the listener socket is placed into transparent mode before accept.
default: false
Added in version 1.13.0.
auth_by_client_ip
optional, type: bool, conflict: auth_by_server_name
Enables fact-based user authentication using the client IP address as the authentication fact.
If enabled, user_group must also be set.
default: false
Added in version 1.13.0.
auth_by_server_name
optional, type: bool, conflict: auth_by_client_ip
Enables fact-based user authentication using the server name as the authentication fact.
If enabled, user_group must also be set.
default: false
Added in version 1.13.0.
tls_max_client_hello_size
optional, type: u32
Maximum size of the TLS ClientHello message.
default: 1 << 16
Added in version 1.9.9.
request_wait_timeout
optional, type: humanize duration
Timeout while waiting for the initial client data.
default: 60s
request_recv_timeout
optional, type: humanize duration
Timeout for receiving the complete initial request after the first bytes arrive. The initial request may be either a TLS ClientHello message or an HTTP request.
default: 4s
protocol_inspection
optional, type: protocol inspection
Basic protocol-inspection configuration.
default: set with default value
server_tcp_portmap
optional, type: server tcp portmap
Port mapping used for protocol inspection based on the server-side TCP port.
default: set with default value
client_tcp_portmap
optional, type: client tcp portmap
Port mapping used for protocol inspection based on the client-side TCP port.
default: set with default value
allowed_hosts
optional, type: host matched object <host>
Host-matching rules that define which hosts this server should handle.
If not set, all requests will be handled.
alias: allowed_sites
Example:
hosts:
- exact_match:
- www.example.net
- example.net
redirect_host: www.example.net:443 # all redirect to www.example.net:*
- suffix_match: example.org # pass all *.example.org:*
- exact_match: legacy.example.com
redirect_port: 8443 # keep the original host, override only the port
default: not set
Host
Configuration for a matched SNI host.
redirect_host
optional, type: host
Overrides the host part of the upstream address.
If redirect_port is not set, the original destination port is kept.
default: not set
redirect_port
optional, type: u16
Overrides the port part of the upstream address.
If redirect_host is not set, the original destination host is kept.
default: not set