
I have a host system with one public IP address that runs multiple VMs. Each VM is hosting multiple websites and should remain in control of the TLS keys for their HTTPS connections. For this setup to work, the host system should run a reverse proxy on port 443 that forwards incoming requests to the appropriate VM based on SNI. This way, the host system does not need to decrypt the TLS traffic. The host system receives requests through HTTP/1 or HTTP/2 and forwards them to the VMs, using the PROXY protocol to tell the VMs details about the incoming connection.

This type of setup is often referred to as “TLS passthrough” and is supported by a variety of web servers for the host system, for example:

I would now like to add HTTP/3 support to the host system. I don't have enough expertise on the topic to judge whether the VMs would need to support HTTP/3 as well (and whether the PROXY protocol works with HTTP/3 in that case), or whether the host system could convert the incoming HTTP/3 requests to HTTP/1 without encrypting them before forwarding them to the VMs.

I have not been able to find a way to set this up:

  • nginx does not support HTTP/3 yet in its stable release
  • traefik does not support SNI routing for HTTP/3 (issue, discussion)
  • I don't have experience with haproxy, but there are no responses to this question

Is there any reverse proxy / load balancer software that supports TLS passthrough with SNI routing for HTTP/3?

(Note that an alternative approach is to forward a separate HTTP/3 UDP port to each VM. The port has to be < 1024.)

cdauth

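An added illustration, not part of the question or of any of the proxies named in it, of the mechanism the TCP-based "TLS passthrough" setup relies on: the SNI sits in cleartext in the first bytes the client sends (the ClientHello), so the host can read it, pick a VM, prepend a PROXY protocol v1 line and hand the untouched bytes on without holding any key. The backend table, the VM addresses and the client address below are constructed sample values; `build_client_hello` only exists to produce test input. The parser bounds-checks every field, since a passthrough proxy parses bytes from unauthenticated clients.

```python
import struct

# Constructed routing table: SNI host -> VM address (hypothetical values, not from the post).
BACKENDS = {
    "example.com": ("10.0.0.11", 443),
    "example.net": ("10.0.0.12", 443),
}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal ClientHello record carrying a server_name extension (test input only)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(ext_sni)) + ext_sni
    body = (
        b"\x03\x03"               # client_version: TLS 1.2 (TLS 1.3 also sends this on the wire)
        + b"\x00" * 32            # random (zeros here; constructed)
        + b"\x00"                 # session_id length 0
        + b"\x00\x02\x13\x01"     # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"             # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # content type 22 = handshake


def extract_sni(data: bytes):
    """Return the host_name from the ClientHello's server_name extension, or None if absent/malformed."""
    if len(data) < 5 or data[0] != 0x16:
        return None                                   # not a TLS handshake record
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                                   # truncated: a real proxy would read more first
    pos = 2 + 32                                      # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # compression_methods
    if len(body) < pos + 2:
        return None                                   # no extensions block, hence no SNI
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + elen]
        pos += elen
        if len(ext) < elen:
            return None                               # extension length runs past the handshake
        if ext_type != 0:
            continue
        if len(ext) < 2:
            return None
        lend = min(2 + struct.unpack("!H", ext[0:2])[0], len(ext))
        lpos = 2
        while lpos + 3 <= lend:                       # entries: name_type(1) length(2) name
            name_type = ext[lpos]
            nlen = struct.unpack("!H", ext[lpos + 1:lpos + 3])[0]
            name = ext[lpos + 3:lpos + 3 + nlen]
            if name_type == 0 and len(name) == nlen:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
            lpos += 3 + nlen
        return None
    return None


def proxy_v1_header(src_ip, src_port, dst_ip, dst_port) -> bytes:
    """PROXY protocol v1 line (TCP4) that tells the VM who the real client is."""
    return f"PROXY TCP4 {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def route(client_hello: bytes, client_addr, backends=BACKENDS):
    """Choose the VM by SNI; return (backend, first bytes to write to it) or None to reject."""
    sni = extract_sni(client_hello)
    if sni is None or sni.lower() not in backends:
        return None                                   # unknown or missing SNI: drop, never guess a VM
    backend = backends[sni.lower()]
    header = proxy_v1_header(client_addr[0], client_addr[1], backend[0], backend[1])
    return backend, header + client_hello             # the ClientHello itself is forwarded unmodified


if __name__ == "__main__":
    print(route(build_client_hello("example.com"), ("198.51.100.7", 50000)))
```

The same trick has no direct UDP equivalent, which is why the HTTP/3 case is harder: in QUIC the ClientHello travels inside the Initial packet, and that packet is protected with keys derived from the client's Destination Connection ID and a fixed salt (RFC 9001, section 5.2). Anyone on the path can compute those keys, but a router must actually do that derivation and decrypt the first packet to read the SNI, then keep steering later datagrams by connection ID. The PROXY protocol header, being a prefix on a byte stream, likewise does not carry over to per-datagram forwarding as-is.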