TCP proxy that inspects the TLS handshake for server name extension then proxies the request
C Shell
Branch: master
This branch is 11 commits ahead, 486 commits behind dlundquist:master.

Fix double-close again.

Handle all closing within handle_connections() using error return code
from _rx/_tx to avoid double-close problem. Move last activity
timestamp update to _rx/_tx functions.
latest commit 38de6344ba
@manuelkasper authored
src Fix double-close again.
tests Handle SERVER_CLOSED separately from CONNECTED and ACCEPTED states, s…
.gitignore Handle missing config file case, more clean up
Makefile make test target Updating docs
TODO adding pidfile to TODO


Proxies TLS and HTTP requests to backend servers based on SNI (server name indication) TLS extension.


  • Name-based proxying of HTTPS without decrypting traffic. No keys or certificates required.
  • Also supports HTTP
  • Supports IPv4, IPv6 and Unix domain sockets for both backend servers and listeners
  • Multiple listeners per daemon
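
Name-based routing needs no keys because the client sends the server name in clear text in its first handshake message. The following is an added example, not code from this repository: a bounds-checked parser that pulls the SNI host name out of a ClientHello. The names `parse_sni`, `skip`, `U16` and `SAMPLE_HELLO` are hypothetical, and it assumes the whole ClientHello arrives in one TLS record.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define U16(p) (((size_t)(p)[0] << 8) | (p)[1])   /* big-endian 16-bit */
/* Constructed sample: minimal ClientHello whose SNI is "example.com". */
static const uint8_t SAMPLE_HELLO[] = {
    0x16,0x03,0x01,0x00,0x43, 0x01,0x00,0x00,0x3f, 0x03,0x03, /* record, handshake, version */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* random */
    0x00, 0x00,0x02,0x00,0x2f, 0x01,0x00, 0x00,0x14, /* session id, suites, compression, ext len */
    0x00,0x00,0x00,0x10, 0x00,0x0e,0x00,0x00,0x0b,   /* server_name extension header */
    'e','x','a','m','p','l','e','.','c','o','m'
};

static int skip(size_t *pos, size_t end, size_t n) {
    if (n > end - *pos) return -1;   /* would run past the record */
    *pos += n;
    return 0;
}

/* Copies the SNI host name into out and returns its length, or -1 if the input is
 * malformed, truncated or has no SNI. Every peer-supplied length is checked first. */
int parse_sni(const uint8_t *b, size_t len, char *out, size_t outlen) {
    size_t pos = 9, end, ext_end;              /* 5 record + 4 handshake header bytes */
    if (len < 9 || b[0] != 0x16 || b[5] != 0x01) return -1;
    end = 5 + U16(b + 3);
    if (end > len || end < pos) return -1;     /* record truncated or too short */
    if (skip(&pos, end, 2 + 32)) return -1;    /* version, random */
    if (end - pos < 1 || skip(&pos, end, 1 + (size_t)b[pos])) return -1; /* session id */
    if (end - pos < 2 || skip(&pos, end, 2 + U16(b + pos))) return -1;   /* cipher suites */
    if (end - pos < 1 || skip(&pos, end, 1 + (size_t)b[pos])) return -1; /* compression */
    if (end - pos < 2 || (ext_end = pos + 2 + U16(b + pos)) > end) return -1;
    for (pos += 2; ext_end - pos >= 4; ) {
        size_t type = U16(b + pos), elen = U16(b + pos + 2);
        pos += 4;
        if (elen > ext_end - pos) return -1;
        if (type == 0) {                       /* list len(2) name type(1) name len(2) name */
            if (elen < 5 || b[pos + 2] != 0) return -1;
            size_t nlen = U16(b + pos + 3);
            if (nlen > elen - 5 || nlen >= outlen) return -1;
            if (memchr(b + pos + 5, 0, nlen)) return -1;  /* reject embedded NUL */
            memcpy(out, b + pos + 5, nlen);
            out[nlen] = '\0';
            return (int)nlen;
        }
        pos += elen;
    }
    return -1;                                 /* no server_name extension */
}
```
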


Usage: sni_proxy [-c <config>] [-f]
    -c  configuration file, defaults to /etc/sni_proxy.conf
    -f  run in foreground, do not drop privileges

Configuration Syntax

user daemon

listener 443 {
    protocol tls
    table "TableName"
}

table "TableName" {
    # Match exact request hostnames      4343 2001:DB8::1:10  443
    # Or use PCRE to match
    .*\\.com    2001:DB8::1:11  443
    # Combining PCRE and wildcard will resolve the hostname client requested and proxy to it
    .*\\.edu    *               443
}