askvity

What is SNI proxy?

Published in Network Proxy 3 mins read

SNI proxy is a type of proxy server that routes incoming HTTP and TLS connections based on the hostname extracted from either the HTTP Host header (for plain HTTP connections) or the TLS ClientHello extension (for secure TLS connections). This allows for transparent proxying of network traffic by redirecting connections to the sniproxy.

Essentially, SNI proxy acts as a smart traffic director, examining the server name requested by the client before establishing a full connection. This is crucial for scenarios like:

  • Hosting multiple websites on a single IP address: SNI (Server Name Indication) allows a server to present different certificates based on the hostname requested. An SNI proxy can forward the connection to the appropriate backend server based on the SNI information.

  • Transparently proxying HTTPS traffic: Without SNI, traditional proxies have difficulty routing HTTPS traffic because the hostname is encrypted within the TLS handshake. SNI proxy overcomes this limitation.

How SNI Proxy Works:

  1. Client Request: A client (e.g., a web browser) sends a request to access a website. If it's an HTTPS request, the ClientHello message includes the SNI extension, specifying the hostname. If it's an HTTP request, the Host header contains the hostname.
  2. SNI Proxy Interception: The SNI proxy intercepts this request.
  3. Hostname Extraction: The proxy extracts the hostname from the HTTP Host header or the TLS ClientHello extension.
  4. Routing Decision: Based on the extracted hostname, the proxy determines the appropriate backend server to which the request should be forwarded. This is typically configured using a mapping of hostnames to backend server addresses (IP and port).
  5. Connection Forwarding: The proxy forwards the connection to the selected backend server.
  6. Backend Server Response: The backend server processes the request and sends the response back to the client, potentially through the SNI proxy.

Benefits of Using SNI Proxy:

  • Efficient Resource Utilization: Allows multiple websites to be hosted on a single IP address.
  • Improved Security: Can enhance security by providing an additional layer of protection and control over network traffic.
  • Transparent Proxying: Enables seamless proxying of both HTTP and HTTPS traffic.
  • Flexibility: Provides a flexible solution for managing complex network configurations.

Example Use Case:

Imagine you have two websites, example.com and example.net, both hosted on the same IP address. An SNI proxy can be configured to:

  • Forward requests for example.com to a server at 192.168.1.10:8080.
  • Forward requests for example.net to a server at 192.168.1.20:8080.

When a user tries to access https://example.com, the SNI proxy will examine the ClientHello, see example.com, and forward the connection to the appropriate backend server (192.168.1.10:8080). The same applies for https://example.net, directing the request to 192.168.1.20:8080.

Related Articles