[tech] Gemini reverse proxy

1. Michael Lazar (lazar.michael22 (a) gmail.com)

Greetings,

Has anyone gotten a reverse proxy server working with gemini?
Specifically, I'm looking for something that can listen on port 1965
and route encrypted traffic to other ports based on the TLS SNI. I
don't want to do TLS termination at the proxy-layer because I need to
support client certificates on the destination servers.

From my research, it looks like Nginx and HAProxy both claim to
support TLS routing like this, but I can't for the life of me figure
out how to configure either of them :/

Best,
Michael


2. panda-roux (contact (a) panda-roux.dev)

I am using HAProxy.  Here's my config for some inspiration: 
https://gist.github.com/panda-roux-dev/9142cf01ad3b29aa86120c7cd90d5b95

It was a headache to set up because I'd never used it before and 99% of 
the search results online are concerning its HTTP usage, but eventually 
figured out something that works in TCP-mode.

Note that I'm using TLS passthrough rather than having HAProxy take care 
of encryption.  This is in order to let each back-end server use 
certificates with its corresponding domain name listed in them.

Good luck.

panda-roux

On 5/25/2021 1:05 PM, Michael Lazar wrote:
> Greetings,
> 
> Has anyone gotten a reverse proxy server working with gemini?
> Specifically, I'm looking for something that can listen on port 1965
> and route encrypted traffic to other ports based on the TLS SNI. I
> don't want to do TLS termination at the proxy-layer because I need to
> support client certificates on the destination servers.
> 
> From my research, it looks like Nginx and HAProxy both claim to
> support TLS routing like this, but I can't for the life of me figure
> out how to configure either of them :/
> 
> Best,
> Michael


3. panda-roux (contact (a) panda-roux.dev)

I just re-read your message and saw you're wanting SNI-based routing.  
Bear in mind that the configuration file I sent deals only with 
domain-name based filtering based on sub-string comparisons.  I haven't 
tried anything else yet.

Please let us know if you do get that working though!

panda-roux

On 5/25/2021 1:30 PM, panda-roux wrote:
> I am using HAProxy.  Here's my config for some inspiration: 
> https://gist.github.com/panda-roux-dev/9142cf01ad3b29aa86120c7cd90d5b95
> 
> It was a headache to set up because I'd never used it before and 99% of 
> the search results online are concerning its HTTP usage, but eventually 
> figured out something that works in TCP-mode.
> 
> Note that I'm using TLS passthrough rather than having HAProxy take care 
> of encryption.  This is in order to let each back-end server use 
> certificates with its corresponding domain name listed in them.
> 
> Good luck.
> 
> panda-roux
> 
> On 5/25/2021 1:05 PM, Michael Lazar wrote:
>> Greetings,
>> 
>> Has anyone gotten a reverse proxy server working with gemini?
>> Specifically, I'm looking for something that can listen on port 1965
>> and route encrypted traffic to other ports based on the TLS SNI. I
>> don't want to do TLS termination at the proxy-layer because I need to
>> support client certificates on the destination servers.
>> 
>> From my research, it looks like Nginx and HAProxy both claim to
>> support TLS routing like this, but I can't for the life of me figure
>> out how to configure either of them :/
>> 
>> Best,
>> Michael


4. Peter Vernigorov (pitr.vern (a) gmail.com)

With nginx it's quite simple, just ensure that your nginx is compiled
with stream_ssl_preread_module:

stream {
    map $ssl_preread_server_name $upstream {
        "app1.example.com" 127.0.0.1:5000;
        "app2.example.com" 127.0.0.1:5001;
    }
    server {
        listen      1965;
        proxy_pass  $upstream;
        ssl_preread on;
    }
}

On Tue, May 25, 2021 at 10:34 PM panda-roux <contact@panda-roux.dev> wrote:
>
> I just re-read your message and saw you're wanting SNI-based routing.
> Bear in mind that the configuration file I sent deals only with
> domain-name based filtering based on sub-string comparisons.  I haven't
> tried anything else yet.
>
> Please let us know if you do get that working though!
>
> panda-roux
>
> On 5/25/2021 1:30 PM, panda-roux wrote:
> > I am using HAProxy.  Here's my config for some inspiration:
> > https://gist.github.com/panda-roux-dev/9142cf01ad3b29aa86120c7cd90d5b95
> >
> > It was a headache to set up because I'd never used it before and 99%
> > of the search results online are concerning its HTTP usage, but
> > eventually figured out something that works in TCP-mode.
> >
> > Note that I'm using TLS passthrough rather than having HAProxy take
> > care of encryption.  This is in order to let each back-end server use
> > certificates with its corresponding domain name listed in them.
> >
> > Good luck.
> >
> > panda-roux
> >
> > On 5/25/2021 1:05 PM, Michael Lazar wrote:
> >> Greetings,
> >>
> >> Has anyone gotten a reverse proxy server working with gemini?
> >> Specifically, I'm looking for something that can listen on port 1965
> >> and route encrypted traffic to other ports based on the TLS SNI. I
> >> don't want to do TLS termination at the proxy-layer because I need to
> >> support client certificates on the destination servers.
> >>
> >> From my research, it looks like Nginx and HAProxy both claim to
> >> support TLS routing like this, but I can't for the life of me figure
> >> out how to configure either of them :/
> >>
> >> Best,
> >> Michael

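To make the ssl_preread mechanism concrete, here is an added example (not code from any poster or from nginx) that does what the proxy does on each new connection: peek at the first TLS record, pull the host name out of the ClientHello's SNI extension without decrypting anything, and look it up in an upstream table mirroring the map block above. The backend addresses, the sample ClientHello builder and its all-zero random are constructed for this example; a connection with no SNI, an unknown name or a malformed record yields None, which is the case a passthrough proxy must refuse rather than guess.

```python
import struct

# Upstream table mirroring the nginx "map $ssl_preread_server_name" block (addresses constructed).
UPSTREAMS = {
    "app1.example.com": ("127.0.0.1", 5000),
    "app2.example.com": ("127.0.0.1", 5001),
}

def build_client_hello(server_name=None):
    """Construct a minimal TLS ClientHello record (sample input); SNI omitted if None."""
    ext = b""
    if server_name is not None:
        host = server_name.encode()
        sni_list = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
        ext = struct.pack("!H", len(ext)) + ext                       # extensions length prefix
    body = (b"\x03\x03" + b"\x00" * 32      # client_version + 32-byte random (zeros, sample only)
            + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"  # empty session id, 1 suite, null compression
            + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Host name from the ClientHello SNI extension, or None if absent/malformed (same peek as ssl_preread)."""
    try:
        if record[0] != 0x16:               # not a TLS handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01 or len(hs) < 4 + int.from_bytes(hs[1:4], "big"):
            return None                     # not a (complete) ClientHello
        pos = 4 + 2 + 32                    # skip handshake header, version, random
        pos += 1 + hs[pos]                  # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hs[pos]                  # compression methods
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == 0 and ext_len >= 5:   # server_name extension
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (IndexError, struct.error):      # truncated record or missing extensions block
        pass
    return None

def route(record):
    """Upstream the proxy would forward to; None means no SNI match (connection refused)."""
    return UPSTREAMS.get(extract_sni(record))
```

Because the record is forwarded as-is, the backend still completes the handshake itself and can request a client certificate, which is exactly why termination at the proxy is not needed here.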

5. Nikolay Korotkiy (sikmir (a) gmail.com)

Have you tried Traefik? It supports SNI-based routing.

Michael Lazar wrote on 25.5.2021 at 23.05:
> Greetings,
> 
> Has anyone gotten a reverse proxy server working with gemini?
> Specifically, I'm looking for something that can listen on port 1965
> and route encrypted traffic to other ports based on the TLS SNI. I
> don't want to do TLS termination at the proxy-layer because I need to
> support client certificates on the destination servers.
> 
> From my research, it looks like Nginx and HAProxy both claim to
> support TLS routing like this, but I can't for the life of me figure
> out how to configure either of them :/
> 
> Best,
> Michael
> 

-- Best regards,
Nikolay


6. Christine Dodrill (me (a) christine.website)

My gemini server at https://github.com/Xe/rhea does reverse proxying.
Works with Unix sockets too. It does everything I need.

On Tue May 25, 2021 at 8:05 PM UTC, Michael Lazar wrote:
> Greetings,
>
> Has anyone gotten a reverse proxy server working with gemini?
> Specifically, I'm looking for something that can listen on port 1965
> and route encrypted traffic to other ports based on the TLS SNI. I
> don't want to do TLS termination at the proxy-layer because I need to
> support client certificates on the destination servers.
>
> From my research, it looks like Nginx and HAProxy both claim to
> support TLS routing like this, but I can't for the life of me figure
> out how to configure either of them :/
>
> Best,
> Michael

Christine Dodrill
https://christine.website

.i la budza pu cusku lu
 <<.i ko snura .i ko kanro
   .i ko panpi .i ko gleki


7. Omar Polo (op (a) omarpolo.com)

Michael Lazar <lazar.michael22@gmail.com> writes:

> Greetings,
>
> Has anyone gotten a reverse proxy server working with gemini?
> Specifically, I'm looking for something that can listen on port 1965
> and route encrypted traffic to other ports based on the TLS SNI. I
> don't want to do TLS termination at the proxy-layer because I need to
> support client certificates on the destination servers.
>
> From my research, it looks like Nginx and HAProxy both claim to
> support TLS routing like this, but I can't for the life of me figure
> out how to configure either of them :/
>
> Best,
> Michael

Not exactly what you're asking for, but have you considered using
FastCGI?  It would allow your gemini server to do TLS and forward
requests to various backends.  Info about the client certificates can be
sent as parameters.

I think it could be a viable option for Gemini, and I started to
experiment with it in gmid[0], but further work is needed in this
regard.

HTH,

Omar Polo

[0]: https://github.com/omar-polo/gmid/commit/8ff40039e885f6ba64c887f390daf7e7f3bc2ff8


8. Michael Lazar (lazar.michael22 (a) gmail.com)

Thanks for all the helpful suggestions everyone! I ended up going the
nginx stream route because it looked the simplest and I'm already
familiar with installing and using the software. Everything on
gemini://*.mozz.us is now being routed through nginx and appears to be
working great.

- Michael
