caddy-l4
how to proxy quic
tcp proxy
```json
{
  "apps": {
    "layer4": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "routes": [{
            "match": [{
              "tls": {}
            }],
            "handle": [{
              "handler": "proxy",
              "upstreams": [{
                "dial": ["{l4.tls.server_name}:443"]
              }]
            }]
          }]
        },
        "srv1": {
          "listen": [":80"],
          "routes": [{
            "match": [{
              "http": []
            }],
            "handle": [{
              "handler": "proxy",
              "upstreams": [{
                "dial": ["{l4.http.host}:80"]
              }]
            }]
          }]
        }
      }
    }
  },
  "logging": {
    "logs": {
      "default": {
        "encoder": {
          "format": "json",
          "time_format": "wall",
          "time_local": true
        },
        "exclude": [],
        "writer": {
          "filename": "proxy.event.log",
          "output": "file",
          "roll": false
        }
      }
    }
  }
}
```
How to proxy QUIC by SNI? The UDP proxy does not work:

```json
"srv11": {
  "listen": ["udp/:443"],
  "routes": [{
    "match": [{
      "tls": {}
    }],
    "handle": [{
      "handler": "proxy",
      "upstreams": [{
        "dial": ["{l4.tls.server_name}:443"]
      }]
    }]
  }]
},
```
It does not seem doable right now. However, that might be quite "easily" achievable using quic-go's EarlyListener mechanism: we could set up an EarlyListener and feed it UDP packets. When it accepts a new conn, we could extract the SNI from its TLS context (simply access the ConnectionState's TLS context that contains the SNI; everything seems correctly exposed by quic-go). It feels a bit hackish though.
Any thoughts on that?
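As an added illustration (not code from caddy-l4 or from the commenter above), a small Go parser for the version-independent QUIC long header (RFC 8999) that shows why the existing `tls` matcher cannot see the SNI on `udp/:443`: the datagram opens with a long header and connection IDs, and the ClientHello carrying the SNI sits inside the protected Initial payload, whose keys are derived from the DCID; a QUIC-aware listener such as the proposed EarlyListener has to perform that derivation before the SNI is readable. The sample datagram bytes are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// QUICLongHeader holds the version-independent long-header fields (RFC 8999)
// plus the QUIC v1 packet type (RFC 9000, Section 17.2).
type QUICLongHeader struct {
	Version uint32
	Type    byte   // v1 only: 0 Initial, 1 0-RTT, 2 Handshake, 3 Retry
	DCID    []byte // the Initial packet-protection keys derive from this ID
	SCID    []byte
}

// ParseQUICLongHeader inspects the first bytes of a UDP datagram. A TLS record
// (0x16 0x03 ...), the cleartext the layer4 tls matcher reads on TCP, is rejected.
func ParseQUICLongHeader(b []byte) (*QUICLongHeader, error) {
	if len(b) >= 2 && b[0] == 0x16 && b[1] == 0x03 {
		return nil, errors.New("TLS record, not a QUIC packet")
	}
	if len(b) < 7 || b[0]&0x80 == 0 {
		return nil, errors.New("not a QUIC long header")
	}
	h := &QUICLongHeader{Version: binary.BigEndian.Uint32(b[1:5])}
	if h.Version == 1 { // type bits are version-specific; v1 puts them in bits 5-4
		h.Type = (b[0] >> 4) & 0x03
	}
	p := 5 // DCID and SCID each follow an 8-bit length byte
	for _, dst := range []*[]byte{&h.DCID, &h.SCID} {
		if p >= len(b) || p+1+int(b[p]) > len(b) {
			return nil, errors.New("truncated connection ID")
		}
		n := int(b[p])
		*dst = append([]byte(nil), b[p+1:p+1+n]...)
		p += 1 + n
	}
	return h, nil
}

// Constructed sample: start of a QUIC v1 Initial with an 8-byte DCID and an empty
// SCID; the remainder (including the CRYPTO frame with the ClientHello) is protected.
var sampleInitial = []byte{0xc3, 0, 0, 0, 1, 0x08,
	0x83, 0x94, 0xc8, 0xf0, 0x3e, 0x51, 0x57, 0x08, 0x00}

func main() {
	h, err := ParseQUICLongHeader(sampleInitial)
	fmt.Printf("%+v %v\n", h, err)
}
```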
I don't know enough about the details of the QUIC protocol, but it sounds plausible -- I'd be open to an experiment/PR!
This PR can achieve your needs, but it is not merged.
The linked PR has been merged. Please try it out! (It may not have been 100% complete but should work.)