
We have a scenario where I have two applications that are running in virtual machines. They will both serve traffic on ports 80/443, but on different host names. One of the containers is vendor-provided, and they will decrypt HTTPS traffic within the container.

Can I configure NGINX (or another tool) to route traffic to a certain VM based on the targeted hostname (perhaps via SNI) without decrypting the packets in the proxy?

For example:

myapp1.example.com:443 -> NGINX -> 10.0.0.1:8443 (terminate HTTPS on VM)
vendor1.example.com:443 -> NGINX -> 10.0.0.1:9443 (terminate HTTPS on VM)

Joe

1 Answer


This can be achieved by using the nginx ngx_stream_ssl_preread_module. Here's an example configuration:

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}

stream {
    upstream server1 {
        server 192.0.2.125:443;
    }

    upstream server2 {
        server 192.0.2.126:443;
    }

    map $ssl_preread_server_name $upstream {
        hostnames;
        .server1.example.com server1;
        .server2.example.com server2;
    }

    server {
        listen 443;
        listen [::]:443;

        ssl_preread on;
        proxy_pass $upstream;
    }
}

The upstream directive is used to define the server to send traffic to. Then the map $ssl_preread_server_name allows nginx to read the SNI value of the request from the client to properly direct traffic to the right upstream box.

This will ONLY work if the client sends a valid SNI value. This also allows the use of client certificates for authentication since the TLS connection isn't completed until AFTER nginx sends the traffic to the remote end-point.

Andrew
  • This seems like it would work. I would either need to build nginx from source to enable that support, or run their docker image which seems like it has support already. – Joe Apr 17 '18 at 13:34
  • Depending on your server, I believe they have repos that maintain their stable version. This is how I deploy it on my Debian machines. – Andrew Apr 17 '18 at 13:48