feat: add TARGET_SNI to allow overriding the TLS handshake hostname when forwarding requests by jprenken · Pull Request #529 · TecharoHQ/anubis

feat: add TARGET_SNI to allow overriding the TLS handshake hostname when forwarding requests #529

Merged
merged 2 commits into from
May 23, 2025

Conversation

jprenken
Contributor

When running Anubis in front of a site that's served from a different host, it's nice to be able to specify HTTPS for the TARGET and stay end-to-end encrypted.

If that backend server is shared hosting, then the site's own hostname may be the only one that's correct to specify in the TLS handshake (SNI) - but it will be different than the hostname Anubis needs to resolve and connect to.

For example, let's say the site is site1.example.com and its backend server is backend.example.com. DNS for site1 points at Anubis, not the backend server. https://backend.example.com is the appropriate TARGET, but it hosts tons of other sites. If Anubis' handshake and Host header ask for backend.example.com it'll serve its default site (wrong), and if Anubis' handshake and Host header mismatch it'll probably serve a 421 Misdirected Request.

You could work around this by naming the site site1-backend.example.com on the backend server and adding that to DNS, but there are configurations where this isn't easy or elegant to do.

So, adding TARGET_SNI allows Anubis to handle this. This is very similar to #507, but I can imagine scenarios where you might want one without the other.

I chose to write nested if statements so that we customize TLSClientConfig only when needed.

Checklist:

  • Added a description of the changes to the [Unreleased] section of docs/docs/CHANGELOG.md
  • Added test cases to the relevant parts of the codebase
  • Ran integration tests npm run test:integration (unsupported on Windows, please use WSL)

Signed-off-by: Xe Iaso <me@xeiaso.net>
Xe enabled auto-merge (squash) May 23, 2025 16:23
Xe merged commit 6f08bcb into TecharoHQ:main May 23, 2025
5 checks passed
jprenken deleted the target-sni branch May 23, 2025 18:18
JasonLovesDoggo pushed a commit to JasonLovesDoggo/anubis that referenced this pull request Jun 17, 2025
…hen forwarding requests (TecharoHQ#529)

* feat: add TARGET_SNI to allow overriding the TLS handshake hostname when forwarding requests

* chore: spelling

Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Xe Iaso <me@xeiaso.net>
Co-authored-by: Xe Iaso <me@xeiaso.net>