💾 Archived View for bbs.geminispace.org › u › jmjl › 6040 captured on 2024-08-25 at 07:17:13. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2024-08-18)

🚧 View Differences

-=-=-=-=-=-=-

Proxy Protocol Idea

As you might have noticed, gemini has TLS, but it also has proxy support. Which means you can't really reverse proxy services like Bubble or Astrobotany, because they require a TLS Client Certificate. So I thought about making some kind of additional protocol that would be usefull for gemini proxy servers.

This would be usefull on tildes where they would for example want to run their own bubble or astrobotany and also have their normal website, but all being hosted by the same program.

I know in theory it's possible to split connections based on the SNI, but then you have to do weird things with iptables and all that to make the other program think the connection's coming from the user's IP.

So I propose we create some kind of new feature which would allow you to just, proxy the connections. By initiating a gemini connection using protocol proxy, having the FQDN be the user's IP and port of the original request, then, a `?` and a URI parameter like `certhash=$HASH`, and I guess the certificate could also be injected into the request.

Then, the connection that the proxy made would be encrypted using a client certificate which is trusted by the proxied server, and created by the proxy.

The next line would start like if the connection was created from the data alredy sent above, and the proxy would be deauthenticated, so the user can't try to sneak anything from now on.

I am probably missing things like SNI headers that should also be sent and other things so I'd like to get some recomendations about this idea.

(Of course, you'd be able to make a titan connection, or use some other protocol that uses the same c2s connection spec that gemini uses)

🍭 jmjl

2023-10-08 · 11 months ago · 👍 mediocregopher, alexlehm_mobile

5 Comments ↓

👻 mediocregopher [...] · 2023-10-10 at 07:59:

— I started a discussion on this some time ago

^ There's some links in there describing how it can be done without changes to the protocol or messing around with iptables. It just requires reading the SNI and then transparently passing through the whole connection based on that.

🚀 alexlehm_mobile · 2023-10-10 at 09:28:

a proxy protocol which supports path rules would be cool maybe

🍭 jmjl [OP] · 2023-10-10 at 14:19:

@mediocregopher Domani still doesn't support transparent proxying I think, it isn't using the CAP_NET_RAW capability to do transparent proxing, an example can be found with sslh, linked below. (How to configure, not the code that does the transparent proxying)

— SSLH Transparent proxy config guide.

👻 mediocregopher [...] · 2023-10-10 at 16:25:

@jmjl perhaps I'm misusing the term transparent proxying. I don't really care about the original IP of the connection, especially with gemini I don't see what utility it would have. But yeah if you do care about that I suppose iptables will need to get involved.

🍭 jmjl [OP] · 2023-10-10 at 17:35:

At the end some users in IRC pointed me out to sslh, you need to do some prior configurations, but it seems to work fine, (for what I've tested, I've currently got a borked gemini server (tilde.green) but yeah)