microsoft / reverse-proxy

A toolkit for developing high-performance HTTP reverse proxy applications.
https://microsoft.github.io/reverse-proxy
MIT License
8.51k stars, 838 forks

Customize SNI individually #2036

Open ghost opened 1 year ago

ghost commented 1 year ago

What should we add or change to make your life better?

Customize SNI individually

Why is this important to you?

Some places block some websites by detecting SNI, which can be bypassed by not sending SNI information

Tratcher commented 1 year ago

This is for outgoing requests from the proxy?

YARP uses HttpClient to make outbound requests. HttpClient has two ways of controlling the SNI. The first is the host name from the request URI, e.g. example.com. The second is the Host header on the request, which overrides the host name from the URI for SNI.

I don't think there's a way to disable outgoing SNI.

ghost commented 1 year ago

> This is for outgoing requests from the proxy?

Yes!

> I don't think there's a way to disable outgoing SNI.

Maybe I should make this request in .net?

Tratcher commented 1 year ago

@MihaZupan @samsp-msft This sounds similar to other recent requests, is there an issue that covers this?

karelz commented 1 year ago

Triage: We should file issue in Runtime, clarify how it works in HttpClient, then decide what to do here. @MihaZupan can you please help here?

MihaZupan commented 1 year ago

Merging comments from Radek and me from the issue in runtime: https://github.com/dotnet/runtime/issues/82165

  1. Not sending SNI at all
    • It should be possible, but it will take some work. You need to use SocketsHttpHandler.ConnectCallback to customize how connections are established. Inside the callback, construct the SslStream instance and authenticate with any SslClientAuthenticationOptions as you see fit and return it.
    • Note that ability to return SslStream from the callback was added in 7.0 only (https://github.com/dotnet/runtime/pull/63851).
  2. Changing the value of SNI
    • The value HttpClient uses is the host specified in the Host header, otherwise the host from the request's Uri.
  3. Send an SNI that's different than the host header
    • Because we use the value from the host header, it's not possible to send an SNI that's different without going through ConnectCallback.

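As an added illustration of the ConnectCallback approach outlined in the list above (this is example code, not code from this thread, from YARP or from dotnet/runtime), the following C# shows a YARP ForwarderHttpClientFactory that presents a configured SNI per destination, which covers case 3 (an SNI that differs from the forwarded Host header) while leaving server certificate validation fully in force. The class name CustomSniHttpClientFactory, the sniByDestination mapping and the host names in it are assumptions constructed for the example; the code relies on YARP's ConfigureHandler override and on .NET 7 or later accepting an SslStream returned from ConnectCallback.

```csharp
using System.Net.Security;
using System.Net.Sockets;
using Yarp.ReverseProxy.Forwarder;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddReverseProxy()
    .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"));

// Assumed mapping (constructed for this example): destination host -> name to present as SNI.
// Typical case: clients send Host: www.example.com, which YARP forwards, but the backend's
// certificate is issued for its internal name, so that is the name we must present and validate.
var sniByDestination = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
{
    ["backend1.internal.example"] = "backend1.internal.example",
};
builder.Services.AddSingleton<IForwarderHttpClientFactory>(
    new CustomSniHttpClientFactory(sniByDestination));

var app = builder.Build();
app.MapReverseProxy();
app.Run();

// Hypothetical class name. ForwarderHttpClientFactory.ConfigureHandler is YARP's
// extension point for tuning the SocketsHttpHandler it creates for each cluster.
public sealed class CustomSniHttpClientFactory : ForwarderHttpClientFactory
{
    private readonly IReadOnlyDictionary<string, string> _sniByDestination;

    public CustomSniHttpClientFactory(IReadOnlyDictionary<string, string> sniByDestination)
    {
        _sniByDestination = sniByDestination;
    }

    protected override void ConfigureHandler(ForwarderHttpClientContext context, SocketsHttpHandler handler)
    {
        base.ConfigureHandler(context, handler);

        handler.ConnectCallback = async (ctx, ct) =>
        {
            // 1. Plain TCP connect, as the default handler would do.
            var socket = new Socket(SocketType.Stream, ProtocolType.Tcp) { NoDelay = true };
            try
            {
                await socket.ConnectAsync(ctx.DnsEndPoint, ct);
            }
            catch
            {
                socket.Dispose();
                throw;
            }
            var transport = new NetworkStream(socket, ownsSocket: true);

            // 2. Plain http: hand the raw stream back and let the handler proceed as usual.
            if (ctx.InitialRequestMessage.RequestUri?.Scheme != Uri.UriSchemeHttps)
            {
                return transport;
            }

            // 3. Choose the SNI. The default mirrors HttpClient: Host header, else the URI host.
            var destination = ctx.DnsEndPoint.Host;
            var hostHeader = ctx.InitialRequestMessage.Headers.Host;
            var targetHost = hostHeader is null ? destination : HostWithoutPort(hostHeader);
            if (_sniByDestination.TryGetValue(destination, out var configured))
            {
                targetHost = configured;
            }

            // 4. Do the TLS handshake ourselves. Returning an SslStream tells the handler
            //    (.NET 7+) to skip its own handshake. TargetHost both drives the SNI extension
            //    and is the name the server certificate is validated against, so default
            //    validation stays on; no RemoteCertificateValidationCallback is overridden.
            var alpn = ctx.InitialRequestMessage.Version.Major >= 2
                ? new List<SslApplicationProtocol> { SslApplicationProtocol.Http2, SslApplicationProtocol.Http11 }
                : new List<SslApplicationProtocol> { SslApplicationProtocol.Http11 };
            var sslStream = new SslStream(transport, leaveInnerStreamOpen: false);
            try
            {
                await sslStream.AuthenticateAsClientAsync(new SslClientAuthenticationOptions
                {
                    TargetHost = targetHost,
                    ApplicationProtocols = alpn,
                }, ct);
            }
            catch
            {
                await sslStream.DisposeAsync();
                throw;
            }
            return sslStream;
        };
    }

    // A Host header may carry a port ("example.com:8443"); SNI carries only the name.
    // Bracketed IPv6 literals are returned unchanged (an IP literal is not a valid SNI anyway).
    private static string HostWithoutPort(string host)
    {
        if (host.StartsWith('[')) return host;
        var colon = host.IndexOf(':');
        return colon >= 0 ? host[..colon] : host;
    }
}
```

Because SslStream checks the server certificate against TargetHost, the configured value must be a name on the backend's certificate; if a mismatch shows up as RemoteCertificateNameMismatch, fix the mapping or the certificate rather than relaxing validation through RemoteCertificateValidationCallback. Logging the destination and the chosen TargetHost inside the callback is the quickest way to confirm which name each connection presented.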
karelz commented 1 year ago

Triage:

MihaZupan commented 1 year ago

Tracking issue in dotnet/docs: https://github.com/dotnet/docs/issues/34263