Better PROXY support and SNI #113

merged 3 commits into from Aug 10, 2012



zenazn commented Jul 20, 2012

Two patches we're using at Stripe.

carl-stripe added some commits Jun 20, 2012

@carl-stripe carl-stripe Code cleanup
The code had mixed tabs/spaces and trailing whitespace. I standardized
on 4-space indentation for stud.c and deleted all trailing whitespace. I
also cleaned up whitespace in shctx.c (but did not standardize spacing
@carl-stripe carl-stripe Proxy-PROXY support
A mode that enables transparently passing the PROXY header generated by
HAProxy et al. through to the backend connection. This can be useful
if you are using a TCP load balancer (such as HAProxy in tcp mode) to
distribute encrypted streams to stud before they are unwrapped.
@carl-stripe carl-stripe Add SNI support
If multiple certificates are specified, try to perform Server Name
Indication to serve the most appropriate one. We fall back to the last
certificate presented if none of the previous ones match, making it a
useful place to put a star cert.

A few caveats:
- Certificate names are compared as case-insensitive strings, without
  any special logic for dealing with wildcards. The current workaround
  is to always place wildcard certificates last, where they act as the
  default catch-all.
- Certificates are examined in order. The first certificate that matches
  any given request will be used.
- The name -> certificate mapping is stored in a singly linked list.
  This performs very well for use with a handful of certificates, none
  of which have very many Subject Alternative Names; however, sites which
  must serve a large number of certificates or names might find a linear
  list scan on every new connection too slow.
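
The lookup rules listed in the "Add SNI support" commit message, shown as an added C example that is not stud's own code: an ordered singly linked list of names, exact case-insensitive comparison, first match wins, and the last certificate as the fallback. The struct names, `select_cert`, and the hostnames are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Hypothetical stand-in for a loaded certificate / SSL context. */
struct cert { const char *label; };

/* One node per name (CN or Subject Alternative Name) on a certificate. */
struct name_entry {
    const char *servername;
    struct cert *cert;
    struct name_entry *next;
};

/* Linear scan in configuration order; the first exact, case-insensitive
 * match wins. There is no wildcard expansion: "*.example.com" matches only
 * that literal string. A missing SNI name, or no match at all, returns the
 * fallback (the last certificate configured). */
static struct cert *select_cert(const struct name_entry *head,
                                const char *sni, struct cert *fallback)
{
    if (sni == NULL)
        return fallback;
    for (const struct name_entry *e = head; e != NULL; e = e->next)
        if (strcasecmp(e->servername, sni) == 0)
            return e->cert;
    return fallback;
}

/* Constructed sample configuration: two named certs, star cert placed last. */
static struct cert api = {"api"}, www = {"www"}, star = {"star"};
static struct name_entry n3 = {"*.example.com", &star, NULL};
static struct name_entry n2 = {"www.example.com", &www, &n3};
static struct name_entry n1 = {"api.example.com", &api, &n2};
/* Same list with a duplicate name in front: the earlier entry shadows n2. */
static struct name_entry n0 = {"www.example.com", &api, &n1};

int main(void)
{
    const char *probes[] = {"API.Example.COM", "www.example.com",
                            "mail.example.com", "other.test", NULL};
    for (size_t i = 0; i < 5; i++)
        printf("%-18s -> %s\n", probes[i] ? probes[i] : "(no SNI)",
               select_cert(&n1, probes[i], &star)->label);
    printf("shadowed www       -> %s\n",
           select_cert(&n0, "www.example.com", &star)->label);
    return 0;
}
```

`mail.example.com` reaches the star certificate only through the fallback, and so does `other.test`: the last certificate is served whether or not it covers the requested name, so a client that verifies hostnames will reject that handshake.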

@jamwt jamwt pushed a commit that referenced this pull request Aug 10, 2012

Jamie Turner Merge pull request #113 from zenazn/master
Better PROXY support and SNI

@jamwt jamwt merged commit 0b88039 into bumptech:master Aug 10, 2012


jamwt commented Aug 10, 2012

Thanks, great stuff.

fcicq commented on b09da7e Oct 29, 2012

Please see #122, bug introduced by this commit.
