💾 Archived View for gemi.dev › gemini-mailing-list › 000913.gmi captured on 2023-11-04 at 13:11:51. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
Greetings,

Has anyone gotten a reverse proxy server working with gemini? Specifically, I'm looking for something that can listen on port 1965 and route encrypted traffic to other ports based on the TLS SNI. I don't want to do TLS termination at the proxy-layer because I need to support client certificates on the destination servers.

From my research, it looks like Nginx and HAProxy both claim to support TLS routing like this, but I can't for the life of me figure out how to configure either of them :/

Best,
Michael
I am using HAProxy. Here's my config for some inspiration: https://gist.github.com/panda-roux-dev/9142cf01ad3b29aa86120c7cd90d5b95

It was a headache to set up because I'd never used it before and 99% of the search results online are concerning its HTTP usage, but eventually figured out something that works in TCP-mode.

Note that I'm using TLS passthrough rather than having HAProxy take care of encryption. This is in order to let each back-end server use certificates with its corresponding domain name listed in them.

Good luck.

panda-roux

On 5/25/2021 1:05 PM, Michael Lazar wrote:
> Greetings,
>
> Has anyone gotten a reverse proxy server working with gemini?
> Specifically, I'm looking for something that can listen on port 1965
> and route encrypted traffic to other ports based on the TLS SNI. I
> don't want to do TLS termination at the proxy-layer because I need to
> support client certificates on the destination servers.
>
> From my research, it looks like Nginx and HAProxy both claim to
> support TLS routing like this, but I can't for the life of me figure
> out how to configure either of them :/
>
> Best,
> Michael
I just re-read your message and saw you're wanting SNI-based routing. Bear in mind that the configuration file I sent deals only with domain-name based filtering based on sub-string comparisons. I haven't tried anything else yet.

Please let us know if you do get that working though!

panda-roux

On 5/25/2021 1:30 PM, panda-roux wrote:
> I am using HAProxy. Here's my config for some inspiration:
> https://gist.github.com/panda-roux-dev/9142cf01ad3b29aa86120c7cd90d5b95
>
> It was a headache to set up because I'd never used it before and 99%
> of the search results online are concerning its HTTP usage, but
> eventually figured out something that works in TCP-mode.
>
> Note that I'm using TLS passthrough rather than having HAProxy take
> care of encryption. This is in order to let each back-end server use
> certificates with its corresponding domain name listed in them.
>
> Good luck.
>
> panda-roux
>
> On 5/25/2021 1:05 PM, Michael Lazar wrote:
>> Greetings,
>>
>> Has anyone gotten a reverse proxy server working with gemini?
>> Specifically, I'm looking for something that can listen on port 1965
>> and route encrypted traffic to other ports based on the TLS SNI. I
>> don't want to do TLS termination at the proxy-layer because I need to
>> support client certificates on the destination servers.
>>
>> From my research, it looks like Nginx and HAProxy both claim to
>> support TLS routing like this, but I can't for the life of me figure
>> out how to configure either of them :/
>>
>> Best,
>> Michael
With nginx it's quite simple, just ensure that your nginx is compiled with stream_ssl_preread_module:

    stream {
        map $ssl_preread_server_name $upstream {
            "app1.example.com" 127.0.0.1:5000;
            "app2.example.com" 127.0.0.1:5001;
        }

        server {
            listen 1965;
            proxy_pass $upstream;
            ssl_preread on;
        }
    }

On Tue, May 25, 2021 at 10:34 PM panda-roux <contact at panda-roux.dev> wrote:
>
> I just re-read your message and saw you're wanting SNI-based routing.
> Bear in mind that the configuration file I sent deals only with
> domain-name based filtering based on sub-string comparisons. I haven't
> tried anything else yet.
>
> Please let us know if you do get that working though!
>
> panda-roux
>
> On 5/25/2021 1:30 PM, panda-roux wrote:
> > I am using HAProxy. Here's my config for some inspiration:
> > https://gist.github.com/panda-roux-dev/9142cf01ad3b29aa86120c7cd90d5b95
> >
> > It was a headache to set up because I'd never used it before and 99%
> > of the search results online are concerning its HTTP usage, but
> > eventually figured out something that works in TCP-mode.
> >
> > Note that I'm using TLS passthrough rather than having HAProxy take
> > care of encryption. This is in order to let each back-end server use
> > certificates with its corresponding domain name listed in them.
> >
> > Good luck.
> >
> > panda-roux
> >
> > On 5/25/2021 1:05 PM, Michael Lazar wrote:
> >> Greetings,
> >>
> >> Has anyone gotten a reverse proxy server working with gemini?
> >> Specifically, I'm looking for something that can listen on port 1965
> >> and route encrypted traffic to other ports based on the TLS SNI. I
> >> don't want to do TLS termination at the proxy-layer because I need to
> >> support client certificates on the destination servers.
> >>
> >> From my research, it looks like Nginx and HAProxy both claim to
> >> support TLS routing like this, but I can't for the life of me figure
> >> out how to configure either of them :/
> >>
> >> Best,
> >> Michael
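What nginx's ssl_preread (and HAProxy's TCP-mode passthrough from panda-roux's reply) actually does is peek at the unencrypted ClientHello for the server_name extension, pick a backend from it, and then hand the whole byte stream over untouched, so the backend still completes the handshake and can request the Gemini client certificate itself. As an added example, not code from this thread or from either project, here is that routing step in Python: the hostnames and ports are assumed, and the ClientHello builder exists only to produce constructed test input.

```python
import struct

UPSTREAMS = {  # assumed backends, mirroring the nginx `map` in the reply above
    "app1.example.com": ("127.0.0.1", 5000),
    "app2.example.com": ("127.0.0.1", 5001),
}

def extract_sni(data: bytes):
    """Return the server_name from a raw TLS ClientHello record, or None."""
    try:
        if data[0] != 0x16:                           # record type 22 = handshake
            return None
        body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if body[0] != 0x01:                           # handshake type 1 = ClientHello
            return None
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        p = 2 + 32                                    # skip legacy_version + random
        p += 1 + hello[p]                             # session_id
        p += 2 + struct.unpack("!H", hello[p:p + 2])[0]   # cipher_suites
        p += 1 + hello[p]                             # compression_methods
        if p >= len(hello):
            return None                               # no extensions block at all
        ext_end = p + 2 + struct.unpack("!H", hello[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hello[p:p + 4])
            p += 4
            if ext_type == 0:                         # server_name extension
                # ServerNameList: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", hello[p + 3:p + 5])[0]
                name = hello[p + 5:p + 5 + name_len]
                if hello[p + 2] != 0 or len(name) != name_len:
                    return None                       # not a well-formed host_name
                return name.decode("ascii")
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                   # truncated or not TLS at all

def route(client_hello: bytes):
    """Backend a passthrough proxy would forward this connection to (None = reject)."""
    return UPSTREAMS.get(extract_sni(client_hello))

def build_client_hello(server_name: str) -> bytes:
    """Constructed test input: a minimal ClientHello carrying only an SNI extension."""
    host = server_name.encode("ascii")
    ext = struct.pack("!HHHBH", 0, 5 + len(host), 3 + len(host), 0, len(host)) + host
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2) + b"\x13\x01"
             + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

Nothing is decrypted here: the SNI is cleartext in the ClientHello (TLS 1.2, and TLS 1.3 without Encrypted Client Hello), which is the only thing a passthrough proxy gets to see, so a client that sends no SNI, or an unknown one, cannot be routed and should be dropped or sent to a deliberate default backend.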
Have you tried Traefik? It supports SNI-based routing.

Michael Lazar wrote on 25.5.2021 at 23.05:
> Greetings,
>
> Has anyone gotten a reverse proxy server working with gemini?
> Specifically, I'm looking for something that can listen on port 1965
> and route encrypted traffic to other ports based on the TLS SNI. I
> don't want to do TLS termination at the proxy-layer because I need to
> support client certificates on the destination servers.
>
> From my research, it looks like Nginx and HAProxy both claim to
> support TLS routing like this, but I can't for the life of me figure
> out how to configure either of them :/
>
> Best,
> Michael
>

--
Best regards,
Nikolay
My gemini server at https://github.com/Xe/rhea does reverse proxying. Works with Unix sockets too. It does everything I need.

On Tue May 25, 2021 at 8:05 PM UTC, Michael Lazar wrote:
> Greetings,
>
> Has anyone gotten a reverse proxy server working with gemini?
> Specifically, I'm looking for something that can listen on port 1965
> and route encrypted traffic to other ports based on the TLS SNI. I
> don't want to do TLS termination at the proxy-layer because I need to
> support client certificates on the destination servers.
>
> From my research, it looks like Nginx and HAProxy both claim to
> support TLS routing like this, but I can't for the life of me figure
> out how to configure either of them :/
>
> Best,
> Michael

Christine Dodrill
https://christine.website
.i la budza pu cusku lu <<.i ko snura .i ko kanro .i ko panpi .i ko gleki
Michael Lazar <lazar.michael22 at gmail.com> writes:

> Greetings,
>
> Has anyone gotten a reverse proxy server working with gemini?
> Specifically, I'm looking for something that can listen on port 1965
> and route encrypted traffic to other ports based on the TLS SNI. I
> don't want to do TLS termination at the proxy-layer because I need to
> support client certificates on the destination servers.
>
> From my research, it looks like Nginx and HAProxy both claim to
> support TLS routing like this, but I can't for the life of me figure
> out how to configure either of them :/
>
> Best,
> Michael

Not exactly what you're asking for, but have you considered using FastCGI? It would allow your gemini server to do TLS and forward requests to various backends. Info about the client certificates can be sent as parameters.

I think it could be a viable option for Gemini, and I started to experiment with it in gmid[0], but further work is needed in this regard.

HTH,
Omar Polo

[0]: https://github.com/omar-polo/gmid/commit/8ff40039e885f6ba64c887f390daf7e7f3bc2ff8
Thanks for all the helpful suggestions everyone!

I ended up going the nginx stream route because it looked the simplest and I'm already familiar with installing and using the software. Everything on gemini://*.mozz.us is now being routed through nginx and appears to be working great.

- Michael