reverse-proxy

Customize SNI individually

Open ghost opened this issue 2 years ago • 7 comments

What should we add or change to make your life better?

Customize SNI individually

Why is this important to you?

Some places block some websites by detecting SNI, which can be bypassed by not sending SNI information

ghost, Feb 14 '23 16:02

This is for outgoing requests from the proxy?

YARP uses HttpClient to make outbound requests. HttpClient has two ways of controlling the SNI. The first is the host name from the request URI, e.g. example.com. The second is the Host header on the request, which overrides the host name from the URI for SNI.

I don't think there's a way to disable outgoing SNI.

Tratcher, Feb 14 '23 16:02

> This is for outgoing requests from the proxy?

Yes!

> I don't think there's a way to disable outgoing SNI.

Maybe I should make this request in .net?

DarkCWK, Feb 14 '23 16:02

@MihaZupan @samsp-msft This sounds similar to other recent requests, is there an issue that covers this?

Tratcher, Feb 14 '23 17:02

Triage: We should file an issue in Runtime, clarify how it works in HttpClient, then decide what to do here. @MihaZupan can you please help here?

karelz, Feb 14 '23 18:02

Merging comments from Radek and me from the issue in runtime: https://github.com/dotnet/runtime/issues/82165

  1. Not sending SNI at all
    • It should be possible, but it will take some work. You need to use SocketsHttpHandler.ConnectCallback to customize how connections are established. Inside the callback, construct the SslStream instance and authenticate with any SslClientAuthenticationOptions as you see fit and return it.
    • Note that ability to return SslStream from the callback was added in 7.0 only (https://github.com/dotnet/runtime/pull/63851).
  2. Changing the value of SNI
    • The value HttpClient uses is the host specified in the Host header, otherwise the host from the request's Uri.
  3. Send an SNI that's different than the host header
    • Because we use the value from the host header, it's not possible to send an SNI that's different without going through ConnectCallback.

MihaZupan, Feb 15 '23 16:02
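The `ConnectCallback` trick described in the comment above, worked out as an added example (this is not code from the thread, from YARP, or from the runtime team): a custom `IForwarderHttpClientFactory` that establishes the TLS connection itself, so the `server_name` extension is whatever `TargetHost` says, including nothing at all. It assumes .NET 8 (for `X509Certificate2.MatchesHostname`) and a YARP version whose `ForwarderHttpClientFactory` exposes `ConfigureHandler`; the class name, constructor parameters and `backend.example` host are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;
using Yarp.ReverseProxy.Forwarder;

// Added example (not from the thread or the YARP repo). Assumes .NET 8 and
// YARP's ForwarderHttpClientFactory.ConfigureHandler extension point.
public sealed class SniControlledClientFactory : ForwarderHttpClientFactory
{
    // Hypothetical settings: the name to put in the SNI extension
    // (null = send no server_name extension) and the hostname the
    // upstream certificate must really be issued for.
    private readonly string? _sniName;
    private readonly string _expectedCertHost;

    public SniControlledClientFactory(string? sniName, string expectedCertHost)
    {
        _sniName = sniName;
        _expectedCertHost = expectedCertHost;
    }

    protected override void ConfigureHandler(ForwarderHttpClientContext context, SocketsHttpHandler handler)
    {
        base.ConfigureHandler(context, handler);

        handler.ConnectCallback = async (ctx, ct) =>
        {
            // 1. Plain TCP connect to the destination YARP picked for this request.
            var socket = new Socket(SocketType.Stream, ProtocolType.Tcp) { NoDelay = true };
            try
            {
                await socket.ConnectAsync(ctx.DnsEndPoint, ct);
            }
            catch
            {
                socket.Dispose();
                throw;
            }

            // 2. Run the TLS handshake ourselves. Because the callback returns an
            //    already-authenticated SslStream (possible since .NET 7), HttpClient
            //    does not derive an SNI from the Host header or the request URI.
            var ssl = new SslStream(new NetworkStream(socket, ownsSocket: true));
            try
            {
                await ssl.AuthenticateAsClientAsync(new SslClientAuthenticationOptions
                {
                    // Empty TargetHost: no server_name extension is sent (case 1 above).
                    // A name that differs from the Host header gives case 3.
                    TargetHost = _sniName ?? string.Empty,
                    ApplicationProtocols = new List<SslApplicationProtocol> { SslApplicationProtocol.Http11 },
                    RemoteCertificateValidationCallback = ValidateUpstreamCertificate,
                }, ct);
            }
            catch
            {
                ssl.Dispose();
                throw;
            }
            return ssl;
        };
    }

    // The built-in hostname check compares the certificate with TargetHost, which
    // is now empty or deliberately different, so it has to be redone against the
    // host we actually intend to reach. Chain/trust errors stay fatal.
    private bool ValidateUpstreamCertificate(object sender, X509Certificate? cert, X509Chain? chain, SslPolicyErrors errors)
    {
        if ((errors & ~SslPolicyErrors.RemoteCertificateNameMismatch) != SslPolicyErrors.None)
        {
            return false;
        }
        return cert is X509Certificate2 c && c.MatchesHostname(_expectedCertHost);
    }
}

// Registration in Program.cs, replacing YARP's default factory:
// builder.Services.AddSingleton<IForwarderHttpClientFactory>(
//     new SniControlledClientFactory(sniName: null, expectedCertHost: "backend.example"));
```

Two things to check when using this. First, confirm on the wire that the extension really is absent or carries the intended value (a Wireshark filter on `tls.handshake.extensions_server_name` is enough), since an empty `TargetHost` suppressing SNI is platform behaviour rather than a documented contract. Second, do not "fix" the resulting name-mismatch error by returning `true` from the validation callback: the whole point of the explicit `MatchesHostname` check is that switching off SNI must not also switch off server authentication.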

Triage:

  • At minimum we should document it in YARP as known trick to achieve the goal (full control over SNI -- all the cases)
    • We should put it into HttpClient conceptual docs (e.g. Advanced subsection / subpage) - @MihaZupan can you please create docs issue in Runtime. I will ask @rzikm @wfurt to help with that. cc @ManickaP @CarnaViire
    • We should link it from YARP docs.
  • We could consider making it easier in YARP for customers (e.g. via config -- though it might not be easily implementable) -- we got only 2 upvotes on it so far, let's see if we get more interest over time. cc @samsp-msft

karelz, Feb 21 '23 18:02

Tracking issue in dotnet/docs: https://github.com/dotnet/docs/issues/34263

MihaZupan, Feb 24 '23 18:02