README
sni-passthrough
A minimalistic SNI pass-through proxy. Not a full featured TLS termination or load-balancer!
Usage
require('sni-passthrough').createServer({
sni: {
'sni-1.com': '127.0.0.1:444',
'sni-2.com': '> 127.0.0.1:445',
'sni-3.com': '[::1]:446',
'*': '127.0.0.1:444'
}
})
.listen(443)
API
createServer(opts) => net.Server
opts.sni
Either an object or a function
The object: hostname => destination mapping
destination is a "host:port"
string, port must NOT be omitted.
Wildcard and RegExp are not supported.
Use destination null
to blacklist a domain name.
Prepend >
to destination to mark a compatible backend.
Use hostname '*'
to designate a fallback.
The function: (hostname) => forwardFunc(conn, buf) || undefined
If SNI is not sent, hostname
will be null
If function returns undefined
, incoming connection is dropped.
Use this to implement load-balancing or complicated logic.
forwardFunc
should connect and pipe conn
to backend.
opts
will be passed to net.createServer
, you can specify additional options
Remote peer IP address
Use >
to mark a compatible backend destination.
In this case, remote peer's information is injected before piping.
For example, see sni-passthrough-backend
Do not specify this flag for incompatible backend!
Maybe a X-Forwarded-For
TLS extension? 🙃
Performance
On loopback, with my 2015 MBP @ 2.4Ghz, I was able to achieve:
- ~8Ghz thorough-put
1800 QPS for a single 2000 QPS backend (10% loss,wrk -c100
)
Testing
- Generate key, self-sign certificate
- Put them at
key.pem
,cert.pem
- In terminal, run
mocha
License
MIT