Possible on Mikrotik : multiple domains to multiple local servers using SNI

Hello all,

I’m wondering if a setup like this is possible using my mikrotik without having to use an extra proxy (like Haproxy). My friend has a simple setup using pfsense + haproxy (https://github.com/stavros-k/docs/blob/master/docs/networking/1-pfsense/10-haproxy/3-sni.md), but if possible I would like to avoid spinning up an extra VM for now.

Everything I google on SNI is about people blocking users from accessing servers and I wonder if there’s a simple way to do this.

I already have one server forwarding HTTPS (443) to one local box and the other local box using 9443 externally, but without a proxy I’m forced to use Cloudflare SRV records to have a mydomain.com:9443 URL secured with TLS.

Thanks in advance!

Are all the others who use reverse proxies stupid, then?

When the SNI information arrives, the connection is already established and cannot be NATed elsewhere.

Maybe I miswrote that section; I meant my Google search basically shows people trying to block outbound traffic using SNI, not inbound, and nothing on reverse proxies on mikrotik.

If it’s not possible it’s fine, it just would be cool.

Maybe a better solution is using haproxy inside a Container; there are docker containers for what I need.

Breaking a connection works (as long as SNI is used; HTTP/2 is getting rid of SNI in unencrypted form as we know it today) because a connection can be broken at any stage, even when content is already being delivered. But forwarding a connection to the correct backend server on the TCP level (which is what the ROS firewall does) has to be done for every single packet, and TCP exchanges a few packets before SNI happens.

So no, it’s not possible unless one uses a proper L7 solution: a reverse proxy. Whether it’s run on the router (inside a container) or on a dedicated box, that’s up to the admin.
Just a word of caution: the RP will terminate all TLS towards clients … if backend servers use TLS then there will be independent security sessions between the RP and the backend server. And terminating TLS means quite a lot of CPU effort to encrypt/decrypt communication (compared to plain HTTP, which is easy on the server’s CPU). I’m sure RBs will be able to do it for a few tens of Mbps (at the expense of routing performance!), but not much more. It takes one modern x86-64 CPU core to handle 100 Mbps of TLS in HAproxy (so if the target is 500 Mbps, one needs 5 such cores). A decent amount of RAM comes in handy if one configures caching on the RP; it can help with slower backends.
IMO a better solution is to use one of the existing backend servers as the RP … and this even works if other backends are behind other NAT firewalls; the RP can connect to non-standard ports (but that’s not needed in the OP’s case as per the topic title).
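As an added illustration (not code from this thread, from RouterOS or from HAProxy), the Python below shows what an SNI-based proxy actually has to do before it can pick a backend: buffer the complete TLS ClientHello and walk through it to the server_name extension. The hostnames and backend addresses are constructed placeholders, and the ClientHello builder exists only to produce sample input.

```python
import struct

# Constructed routing table for the two local boxes the thread describes (placeholders).
BACKENDS = {
    "www.example.com": ("192.168.88.10", 443),
    "app.example.com": ("192.168.88.11", 9443),
}

def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS ClientHello record with one SNI extension; sample input only.
    A real client sends this as its first data after the TCP handshake completes."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name             # name_type, length, name
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry  # type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                  # client version + random
            + b"\x00"                                   # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
            + b"\x01\x00"                               # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)        # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_sni(data: bytes):
    """Return the SNI hostname from a buffered ClientHello record, or None.
    Every offset needs bytes that may not have arrived yet: the decision
    requires the whole ClientHello, which a per-packet NAT rule never sees."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:          # handshake record, ClientHello
            return None
        pos = 9 + 2 + 32                                # past headers, version, random
        pos += 1 + data[pos]                            # session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher suites
        pos += 1 + data[pos]                            # compression methods
        ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if ext_type == 0:                           # list_len(2) type(1) len(2) name
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                name = data[pos + 5:pos + 5 + name_len]
                return name.decode("ascii") if len(name) == name_len else None
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def choose_backend(client_hello: bytes, table=BACKENDS):
    """Map a ClientHello to a backend; None means no SNI or an unknown name."""
    return table.get(parse_sni(client_hello))
```

A proxy that does this in TCP mode only peeks at the ClientHello and then pipes bytes through, so the TLS session itself stays between client and backend; whether that or full TLS termination is the better fit is the trade-off discussed above.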

Thanks @mkx, you might be right. I’ve gotten HAProxy to work inside a Container, but it’s slowing down my RB5009. Might be a config issue also, but we’ll see. I’m not asking too much for my small homelab, but I might have to spin up a VM and just run it there.