On 2019-03-11 20:09, Joseph Sinclair wrote:
> I would second both Stephen and Dhruva with a slight expansion.
> 1) Setting up a HTTP (or Layer 7 in general) proxy is what you need
> to have one IP/port set directed to multiple backend HTTP
> 2) TLS traffic is "special" to proxy, as the certificate has to be on
> the proxy, which needs to terminate the secure tunnel in order to
> inspect the traffic and figure out where it goes.
Oh yes. You haven't lived until you've had to debug problems with
HTTPS proxying on machines where you don't have any direct access.
> 3) In addition to Nginx or Apache, you could also use HAProxy to
> set up a pure proxy (the proxy terminates TLS, inspects traffic, and
> directs traffic to backend services for both website and NAS based on
> HTTP characteristics)
This would also be interesting to do. All of the proxying work I've
done has involved nginx or apache though.
I'm surprised no one's mentioned sslh. That's a little program that
typically listens on 443, then based on protocol (not hostname) forwards
packets to a user-defined set of hosts and ports. I have my router
forward port 443 to 192.168.1.20, where sslh is listening, and it sends
HTTPS things to localhost:443 while it sends SSH things to localhost:22.
It understands a number of protocols including HTTP, HTTPS, SSH,
OpenVPN, and XMPP, and it can be extended to understand other protocols
based on regular expressions. It's useful to be able to "ssh -P 443 (my
home IP address)" and get my desktop.
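The protocol-based dispatch sslh does, as an added example that is not sslh's own code nor part of the original post: it sniffs the first bytes a client sends and picks a backend, with the backend map (localhost ports, HTTP and XMPP ports assumed) and the silent-client fallback mirroring the setup described above.

```python
# Added example, not sslh's own code: first-bytes protocol sniffing of the
# kind a multiplexer like sslh performs to share one listening port between
# SSH, HTTPS, plain HTTP and XMPP, plus the "silent client" fallback.
import re
from typing import Optional, Tuple

# Hypothetical backend map mirroring the post's setup (HTTPS and SSH on
# localhost); the HTTP and XMPP ports are assumed for the example.
BACKENDS = {
    "ssh": ("127.0.0.1", 22),
    "tls": ("127.0.0.1", 443),
    "http": ("127.0.0.1", 80),
    "xmpp": ("127.0.0.1", 5222),
}

# Regular-expression probe for an HTTP request line, the way sslh lets you
# add protocols by regex.
HTTP_REQUEST = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) ")
MAX_PROBE = 16  # give up and call it "unknown" once this many bytes arrived


def classify(first_bytes: bytes) -> Optional[str]:
    """Name the protocol from the first bytes a client sent.

    Returns None while no probe matches but fewer than MAX_PROBE bytes have
    arrived, and "unknown" when nothing matches. Detection is by protocol
    only: two HTTPS hosts behind the same port cannot be told apart here.
    """
    # SSH clients open with an identification string: "SSH-2.0-client\r\n".
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # A TLS handshake record starts with content type 0x16 and a 0x03 major
    # version byte (0x0301 to 0x0303), which covers every ClientHello.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03 and first_bytes[2] in (1, 2, 3):
        return "tls"
    if HTTP_REQUEST.match(first_bytes):
        return "http"
    # XMPP streams begin with an XML declaration or the stream element.
    if first_bytes.lstrip().startswith((b"<?xml", b"<stream:stream")):
        return "xmpp"
    return None if len(first_bytes) < MAX_PROBE else "unknown"


def route(first_bytes: bytes, timed_out: bool) -> Optional[Tuple[str, int]]:
    """Pick a backend. A client that sends nothing before the probe timeout
    is treated as SSH, because some SSH clients wait for the server banner
    (this mirrors sslh's on-timeout default). Unrecognised data gets no
    backend and the caller should close the connection."""
    proto = classify(first_bytes)
    if proto is None and timed_out:
        proto = "ssh"
    return BACKENDS.get(proto) if proto else None
```

Because the decision is made on the client's first bytes, a client that stays silent can only be routed by the timeout rule, which is why the multiplexer needs an explicit default rather than guessing.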