Functionality is similar to dlundquist/sniproxy.
OpenResty with the stream module and the ngx_stream_lua_module module is recommended. Tested on 1.9.15.1.
Sample configuration:

    stream {
        lua_resolver 8.8.8.8;
        init_worker_by_lua_block {
            sni_rules = {
                ["www.google.com"] = {"www.google.com", 443},
                ["www.facebook.com"] = {"9.8.7.6", 443},
                ["twitter.com"] = {"1.2.3.4"},
                [".+.twitter.com"] = {nil, 443}
            }
        }
        server {
            error_log /var/log/nginx/sniproxy-error.log error;
            listen 443;
            content_by_lua_block {
                local sni = require("resty.sniproxy")
                local sp = sni:new()
                sp:run()
            }
        }
    }

A Lua table sni_rules should be defined in the init_worker_by_lua_block directive.
The key can be either a whole host name or a regular expression. Use "." for a default host name. If no entry is matched, the connection will be closed.
The value is a table containing a host name and a port. If the host is set to nil, the server_name in the SNI will be used. If the port is not defined or is set to nil, 443 will be used.
Rules are applied in the order in which they appear in the table. In the example above, twitter.com will match the third rule rather than the fourth.
If the protocol version is lower than TLSv1 (e.g. SSLv3, SSLv2), the connection will be closed, since the SNI extension is not supported in these versions.
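
The rule semantics and the version check described above, modeled in Python as an added example; this is not the module's own code, and the function names parse_sni, route and client_hello are hypothetical. It reads the SNI from a constructed ClientHello and resolves it against the sample rules. Assumptions, since the page does not state them: keys are applied as unanchored regular expressions (which is what lets "." act as a catch-all), the version tested is the ClientHello client_version, and a hello without SNI is closed.

```python
import re
import struct

# Constructed rules mirroring the page's sample; a list makes the order explicit.
RULES = [("www.google.com", ("www.google.com", 443)),
         ("www.facebook.com", ("9.8.7.6", 443)),
         ("twitter.com", ("1.2.3.4", None)),
         (".+.twitter.com", (None, 443))]

def parse_sni(rec: bytes):
    """Return (client_version, server_name or None) from a ClientHello record."""
    if len(rec) < 43 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    version = struct.unpack_from("!H", rec, 9)[0]     # assumption: client_version
    pos = 43                     # 5 record + 4 handshake + 2 version + 32 random
    pos += 1 + rec[pos]                               # skip session_id
    pos += 2 + struct.unpack_from("!H", rec, pos)[0]  # skip cipher_suites
    pos += 1 + rec[pos]                               # skip compression_methods
    if pos + 2 > len(rec):
        return version, None                          # no extensions present
    pos, end = pos + 2, min(len(rec), pos + 2 + struct.unpack_from("!H", rec, pos)[0])
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", rec, pos)
        if ext_type == 0:        # server_name: list_len(2) type(1) len(2) name
            n = struct.unpack_from("!H", rec, pos + 7)[0]
            return version, rec[pos + 9:pos + 9 + n].decode("ascii")
        pos += 4 + ext_len
    return version, None

def route(rec: bytes, rules=RULES):
    """Return (host, port) to proxy to, or None when the connection is closed."""
    try:
        version, sni = parse_sni(rec)
    except (ValueError, IndexError, struct.error):
        return None                   # malformed, truncated or SSLv2-style hello
    if version < 0x0301 or not sni:   # below TLSv1, or no SNI (assumption): close
        return None
    for key, (host, port) in rules:   # first matching rule wins
        if key == sni or re.search(key, sni):  # assumption: unanchored regex
            return (host or sni, port or 443)  # nil host -> SNI, nil port -> 443
    return None

def client_hello(name: str, version: int = 0x0303) -> bytes:
    """Build a minimal constructed ClientHello with one SNI entry (sample input)."""
    n = name.encode("ascii")
    exts = struct.pack("!HHHHBH", len(n) + 9, 0, len(n) + 5, len(n) + 3, 0, len(n)) + n
    body = struct.pack("!H32x", version) + b"\x00\x00\x02\x00\x2f\x01\x00" + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Under the unanchored-match assumption, the bare key twitter.com also catches api.twitter.com ahead of the fourth rule; anchoring keys with ^ and $ and escaping the dots keeps each rule to the names it was written for.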