corporate-gadfly / Tunlr-Clone


IPTables redirect unnecessary? #19

Closed dlundquist closed 11 years ago

dlundquist commented 11 years ago

Great to see an application of sniproxy! The use of IPtables to redirect incoming requests from ports 80 and 443 to 8080 and 8443 seems unnecessary: sniproxy can listen on these ports. Additionally with sniproxy running on these ports specifying the port on each backend is unnecessary (they will inherit the port from the listener) and you can use a single table.

user daemon

pidfile /var/run/sniproxy.pid

listener 80 {
    proto http
    table videosites
}

listener 443 {
    proto tls
    table videosites
}

table videosites {
    www.example.com *
}

Also on a recent version of Debian I would recommend building a deb package, rather than using make install.
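As an added illustration (not code from sniproxy or from this thread), a small Python model of how the proposed config resolves a connection: a `*` backend means connect to the hostname the client asked for, and a backend written without a port inherits the listener's port. The parser is a hypothetical minimal one, the sample config is constructed, and table entries are matched as literal hostnames, which is a simplification.

```python
# Constructed sample: the config proposed above plus two extra table entries.
SAMPLE_CONFIG = """
user daemon
pidfile /var/run/sniproxy.pid
listener 80 {
    proto http
    table videosites
}
listener 443 {
    proto tls
    table videosites
}
table videosites {
    www.example.com *
    api.example.com 10.0.0.5:8443
    static.example.com 10.0.0.6
}
"""

def parse_config(text):
    """Parse listener and table blocks (hypothetical minimal parser, not sniproxy's)."""
    listeners, tables, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):                     # "listener 443 {" / "table videosites {"
            kind, name = line[:-1].split()
            current = (listeners if kind == "listener" else tables).setdefault(name, {})
        elif line == "}":
            current = None
        elif current is not None:                  # "proto tls" or "www.example.com *"
            key, value = line.split(None, 1)
            current[key] = value
        # global directives (user, pidfile) fall through and are ignored here
    return listeners, tables

def resolve(listeners, tables, port, sni_host):
    """Map (listener port, requested hostname) to (backend_host, backend_port).
    '*' means connect to the requested hostname, and a backend given without a
    port inherits the listener's port. Hostnames are matched literally here."""
    table = tables[listeners[str(port)]["table"]]
    backend = table.get(sni_host)
    if backend is None:
        return None                                # no matching table entry
    if backend == "*":
        return sni_host, port
    host, sep, bport = backend.rpartition(":")
    return (host, int(bport)) if sep else (backend, port)
```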

corporate-gadfly commented 11 years ago

Thank you for making sniproxy. Any plans to support ACL in sniproxy?

dlundquist commented 11 years ago

@corporate-gadfly I think iptables is better suited and higher performance than performing an ACL check when accepting each connection. I could see a use case for a per backend ACL since the backend server could not effectively filter by source IP (I can't insert an X-Forwarded-For header into an SSL session without the private key), but that would be pretty far down the feature list.

My intended application was to enable using low cost IPv6 only VPSs + a shared SNI proxy box (with IPv4 connectivity) to be used as a replacement for shared hosting products.