
TLS SNI support #14

Closed
dweinstein opened this issue Jan 4, 2015 · 14 comments

Comments

@dweinstein

I don't think that currently SNI is supported.

@dweinstein
Author

See how mitmproxy supports this complication here

@ottomao
Member

ottomao commented Jan 5, 2015

I've read the wiki about SNI, but cannot fully understand it.
In AnyProxy, certificates are signed with the hostname, not the IP address. So there shouldn't be any problem with virtual hosts.

@dweinstein
Author

Please see the list of complications mitmproxy talks about here: https://github.com/mitmproxy/mitmproxy/blob/master/doc-src/howmitmproxy.html#L125

They are hopefully documented a little better than the wiki page and can help clarify the different scenarios rather than me restating it :-)

@guangwong

My English is very poor.

Using SNI -> NodeHTTPSServer Support & Client Support
NodeHTTPSServer Support -> True
Client Support -> IE on XP & Other
Other -> True
IE on XP -> False !-> Using SNI
So IE on XP -> Unnecessary -> Using SNI

Using SNI -> Only listen one TCP port.

With SNI supported, the current mode no longer needs to listen on so many ports, but IE6 does not support SNI.

Actually there is a better solution XD. Some implementations are better.

https://github.com/guangwong/server-for-http-proxy/blob/master/lib/http-server-supported-https.js

This is the implementation on 0.11.x; 0.10.x needs some more work.

@ottomao
Member

ottomao commented Feb 5, 2015

@dweinstein
Perhaps I've found out why SNI is not necessary for our proxy server.
For regular https servers, users send requests DIRECTLY to them. So a server should identify the hostname during the TLS handshake (OSI layer 5) and deliver the corresponding certificate. This is why SNI should be invoked on virtual hosts.

When it comes to a proxy server, something changes. If a user wants to connect to an https server via the proxy, the browser will first send an http (not https) request with the CONNECT method. During this process, the proxy server can learn the target host name and then establish a socket tunnel to the target server. Now you can see: since we have got the hostname on OSI layer 7, SNI is no longer needed.

Please note that we are talking about a regular proxy server, not a reverse proxy for load balancing on the server side.

@ottomao
Member

ottomao commented Feb 5, 2015

@dweinstein
The previous comment explains why SNI is not needed on the user-side interface of the proxy.
After thinking about it again, maybe it is still necessary for the back side. When the target server is deployed on a virtual host, we have to implement SNI on the proxy side correspondingly.
The solution may have something to do with the nodejs API. I'll try to find out and publish a new version if needed.

Thanks !

@ottomao
Member

ottomao commented Feb 5, 2015

@guangwong As described above, SNI should be a feature the proxy needs to support when it sends to the server. As for the user side, opening a few more ports is no problem at all, haha.

@guangwong

@ottomao Yes, for a single machine you use yourself that is fine. I'm building a centralized proxy tool here at Taobao; being centralized, it has to take more of these things into account (the saddest part is certificate security...).

@ottomao
Member

ottomao commented Jun 18, 2015

@guangwong Not sure whether I already replied to you: AnyProxy now supports SNI, so there is no need to open so many ports any more.

@guangwong

@ottomao OK~ I only just found out.

@Degreane

Hi everyone.
Is there any tutorial on how to run anyproxy with SNI support (and TLS), if possible?
It would also be very easy if it could run transparently.

And must I include the certificate in the client browser, or does it work transparently?

Many regards

@ottomao
Member

ottomao commented Jun 25, 2015

@Degreane
Did you use an online translation service to get these Chinese words? It's hard to understand. :(

@Degreane

Yes, sorry ;)
Anyhow, I was asking if there are any tutorials on how to run anyproxy with SNI support (and TLS), if possible?
It will also be very useful if it can run transparently without manually adding the certificate to client browsers, or if there is a way to push it to the client browser.

Much regards

@codingfishman
Collaborator

AnyProxy now supports SNI; closing the issue.
