Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support SNI preread module and routing of TCP traffic with TransportServer #6324

Open
shaun-nx opened this issue Sep 2, 2024 Discussed in #5544 · 1 comment
Open

Support SNI preread module and routing of TCP traffic with TransportServer #6324

shaun-nx opened this issue Sep 2, 2024 Discussed in #5544 · 1 comment
Labels
epic Issues that need to be broken into smaller issues needs more info Issues that require more information ready for refinement An issue that was triaged and it is ready to be refined

Comments

@shaun-nx
Copy link
Contributor

shaun-nx commented Sep 2, 2024

Discussed in #5544

Originally posted by brianehlert May 14, 2024
SNI based routing of Layer 4 traffic is a way to support customers using DNS names for TCP traffic and support routing based on the SNI header.
With NGINX this is implemented using the stream ssl pre-read module.
https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html

This module is already present in the NGINX Plus binary.

Today, this is possible with heavy use of snippets. The ask is to make this present and first class with the TransportServer resource.

This also historically described here:
https://stackoverflow.com/questions/34741571/nginx-tcp-forwarding-based-on-hostname

There are some additional considerations that need to be included here:

  • The possibility for greater flexibility with TransportServer
  • Extending this with the concept of a TranspotServerRoute (similar to the VS/VSR relationship)
  • Creating theoretical simplicity to role separation and easy to provide controls over the hostname versus the backend definition
    This is conceptually no different than the suggestion to make the VS/VSR relationship easier to implement like Ingress master/minion but with some level of security controls like Gateway API ReferenceGrant.

The overall concept is multiple upstream targets for TCP behind a single listener and to route based on SNI.
This would support both TLS Passthrough as well as advanced programmability that might require TLS decryption and re-encryption.

To bring this all together:

  • TransportServer would include the option for a top level domain type SNI match ( foo.com )
  • Following a concept similar to an http path or nginx location - the extension of a service specific route that matches to the backend service (service.foo.com)
    this would be available in the TransportServer or possible with a TransportServerRoute 'attaching' to a TransportServer
    This is the same relationship pattern with think about with Ingress master/minion or with VirtualServer/VirtualServerRoute
  • This would support TLS passthrough and decrypted TLS (it would use preread)

TLS traffic in -> TransportServer matches TLD of hostheader -> TransportServerRoute matches server.TLD of host header and defines upstream.
@shaun-nx shaun-nx added the epic Issues that need to be broken into smaller issues label Sep 2, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 2, 2024

Hi @shaun-nx thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this 🙂

Cheers!

@shaun-nx shaun-nx added ready for refinement An issue that was triaged and it is ready to be refined needs more info Issues that require more information labels Sep 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
epic Issues that need to be broken into smaller issues needs more info Issues that require more information ready for refinement An issue that was triaged and it is ready to be refined
Projects
NGINX Ingress Controller
Status: Prioritized backlog
Milestone
No milestone
Development

No branches or pull requests
1 participant
@shaun-nx