Support SNI preread module and routing of TCP traffic with TransportServer #6324
Labels: epic (issues that need to be broken into smaller issues), needs more info (issues that require more information), ready for refinement (an issue that was triaged and is ready to be refined)
Discussed in #5544
Originally posted by brianehlert May 14, 2024
SNI based routing of Layer 4 traffic is a way to support customers using DNS names for TCP traffic and support routing based on the SNI header.
With NGINX this is implemented using the stream ssl_preread module.
https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html
This module is already present in the NGINX Plus binary.
Today, this is possible with heavy use of snippets. The ask is to make this present and first class with the TransportServer resource.
This was also historically described here:
https://stackoverflow.com/questions/34741571/nginx-tcp-forwarding-based-on-hostname
There are some additional considerations that need to be included here:
This is conceptually no different from the suggestion to make the VS/VSR relationship easier to implement, like Ingress master/minion, but with some level of security controls like Gateway API ReferenceGrant.
The overall concept is multiple upstream targets for TCP behind a single listener and to route based on SNI.
This would support both TLS Passthrough as well as advanced programmability that might require TLS decryption and re-encryption.
To bring this all together:
This would be available in the TransportServer, or possibly with a TransportServerRoute 'attaching' to a TransportServer.
This is the same relationship pattern we think about with Ingress master/minion or with VirtualServer/VirtualServerRoute.
TLS traffic in -> TransportServer matches TLD of hostheader -> TransportServerRoute matches server.TLD of host header and defines upstream.
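For reference, the routing the issue describes already works in plain NGINX stream configuration with ssl_preread, which is what the snippets on a TransportServer would have to carry today. The block below is an added example written for this page; it is not code from the issue, from brianehlert, or from the NGINX Ingress Controller project. The hostnames, upstream addresses and certificate paths are placeholders, and the `reject_backend` trick (pointing unmatched names at a closed local port so the connection is dropped) is an assumption about how to express "no match" in the stream module rather than anything the project documents.

```nginx
# Added example, not from the issue or the project. Placeholders throughout.
stream {
    # --- TLS passthrough: route on the SNI name read from the ClientHello ---
    # $ssl_preread_server_name is set by ssl_preread without terminating TLS.
    # It is empty when the client sends no SNI, so the default entry catches
    # both "no SNI" and "unknown name". SNI is plaintext and client-chosen, so
    # treat it as untrusted input for routing only, never for authorization.
    map $ssl_preread_server_name $sni_upstream {
        app1.example.com   app1_backend;
        app2.example.com   app2_backend;
        ~\.example\.com$   wildcard_backend;   # catch-all for other subdomains
        default            reject_backend;     # no SNI or unrecognised name
    }

    upstream app1_backend     { server 10.0.0.11:8443; }
    upstream app2_backend     { server 10.0.0.12:8443; }
    upstream wildcard_backend { server 10.0.0.13:8443; }
    # Assumption: a closed local port makes proxy_pass fail fast, so the
    # client connection is closed instead of being forwarded somewhere.
    upstream reject_backend   { server 127.0.0.1:1; }

    server {
        listen 443;
        ssl_preread on;             # read SNI from ClientHello, TLS stays end-to-end
        proxy_pass $sni_upstream;   # passthrough: backend terminates TLS
    }

    # --- Decrypt and re-encrypt: the "advanced programmability" case ---
    # Here NGINX terminates TLS, so the name comes from $ssl_server_name
    # (ssl_preread is only for non-terminating servers). The upstream hop is
    # re-encrypted and the backend certificate is verified against the SNI.
    map $ssl_server_name $tls_upstream {
        app1.example.com   app1_backend;
        app2.example.com   app2_backend;
        default            reject_backend;
    }

    server {
        listen 8443 ssl;
        ssl_certificate     /etc/nginx/tls/edge.crt;   # placeholder
        ssl_certificate_key /etc/nginx/tls/edge.key;   # placeholder

        proxy_pass $tls_upstream;
        proxy_ssl on;
        proxy_ssl_server_name on;                  # send SNI to the backend
        proxy_ssl_name $ssl_server_name;           # use the client's SNI for it
        proxy_ssl_verify on;                       # verify the backend certificate
        proxy_ssl_trusted_certificate /etc/nginx/tls/backend-ca.crt;   # placeholder
    }
}
```

Two checks worth making before promoting this to a first-class TransportServer feature: the `default` branch must exist, because a connection without SNI (or with an unmatched name) otherwise has nothing to route to, and in the re-encrypt variant `proxy_ssl_verify on` is what keeps a spoofed SNI from steering traffic to a backend that merely presents some certificate. Those are the points a ReferenceGrant-style control on a TransportServerRoute would need to cover.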