DaSnipe
just joined
Topic Author
Posts: 11
Joined: Mon Jan 17, 2022 5:00 am
Location: Montreal, QC, Canada
Contact:

Possible on Mikrotik : multiple domains to multiple local servers using SNI

Sat Aug 13, 2022 3:26 am

Hello all,

I'm wondering if a setup like this is possible using my MikroTik without having to use an extra proxy (like HAProxy). My friend has a simple setup using pfSense + HAProxy (https://github.com/stavros-k/docs/blob/ ... y/3-sni.md), but if possible I would like to avoid spinning up an extra VM for now.

Everything I Google on SNI is about people blocking users from accessing servers, and I wonder if there's a simple way to do this.

I already have one server forwarding HTTPS (443) to one local box and the other local box using 9443 externally, but without a proxy I'm forced to use Cloudflare SRV records to have a mydomain.com:9443 URL secured with TLS.

Thanks in advance!
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Possible on Mikrotik : multiple domains to multiple local servers using SNI

Sat Aug 13, 2022 3:55 am

Are all the others who use reverse proxies stupid, then?

When the SNI information arrives, the connection is already established and cannot be NATed elsewhere.
 
DaSnipe
just joined
Topic Author
Posts: 11
Joined: Mon Jan 17, 2022 5:00 am
Location: Montreal, QC, Canada
Contact:

Re: Possible on Mikrotik : multiple domains to multiple local servers using SNI

Sat Aug 13, 2022 4:09 am

rextended wrote:
Are all the others who use reverse proxies stupid, then?

When the SNI information arrives, the connection is already established and cannot be NATed elsewhere.

Maybe I miswrote that section; I meant that my Google search basically shows people trying to block outbound traffic using SNI, not inbound, and nothing on reverse proxies on MikroTik.

If it's not possible, it's fine; it just would be cool.
 
DaSnipe
just joined
Topic Author
Posts: 11
Joined: Mon Jan 17, 2022 5:00 am
Location: Montreal, QC, Canada
Contact:

Re: Possible on Mikrotik : multiple domains to multiple local servers using SNI

Sat Aug 13, 2022 4:20 am

Maybe a better solution is using HAProxy inside a Container; there are Docker containers for what I need.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Possible on Mikrotik : multiple domains to multiple local servers using SNI

Sat Aug 13, 2022 9:42 am

DaSnipe wrote:
... people trying to block outbound traffic using SNI, not inbound, and nothing on reverse proxies on mikrotik.

Breaking a connection works (as long as SNI is used; HTTP/2 is getting rid of SNI in unencrypted form as we know it today) because a connection can be broken at any stage, even when content is already being delivered. But forwarding a connection to the correct backend server on the TCP level (which is what the ROS firewall does) has to be done for every single packet, and TCP exchanges a few packets before SNI happens.

So no, it's not possible unless one uses a proper L7 solution: a reverse proxy. Whether it's run on the router (inside a container) or on a dedicated box is up to the admin.
Just a word of caution: the RP will terminate all TLS towards clients ... if the backend servers use TLS, then there will be independent security sessions between the RP and the backend server. And terminating TLS means quite a lot of CPU effort to encrypt/decrypt communication (compared to plain HTTP, which is easy on the server's CPU). I'm sure RBs will be able to do it for a few tens of Mbps (at the expense of routing performance!), but not much more. It takes one modern x86-64 CPU core to handle 100 Mbps of TLS with HAProxy (so if the target is 500 Mbps, one needs 5 such cores). A decent amount of RAM comes in handy if one configures caching on the RP; it can help with slower backends.
IMO a better solution is to use one of the existing backend servers as the RP ... and this even works if other backends are behind other NAT firewalls; the RP can connect to non-standard ports (but that's not needed in the OP's case as per the topic title).
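The point rextended and mkx make above, that the hostname only shows up in the TLS ClientHello, which the client sends after the TCP three-way handshake is complete, is easy to see by parsing the bytes. The script below is an added example, not code from this thread, from MikroTik or from HAProxy: it builds a constructed TLS 1.2 ClientHello, pulls the server_name extension out of it the way a reverse proxy does after accepting the connection, and maps the name to a hypothetical backend table (the hostnames and 192.0.2.x addresses are made up for the example).

```python
"""Extract the SNI hostname from a TLS ClientHello and pick a backend by name.

Constructed example: the ClientHello is built by this script, not captured
from a real client, and the backend table is a hypothetical homelab map.
"""
import struct

# Hypothetical hostname -> (address, port) map, constructed for this example.
BACKENDS = {
    "app.example.com": ("192.0.2.10", 443),
    "nas.example.com": ("192.0.2.20", 9443),
}


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying a server_name extension."""
    host = hostname.encode("ascii")
    # ServerNameList: list length, name_type 0 (host_name), name length, name
    sni_list = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    extensions = struct.pack("!HH", 0, len(sni_list)) + sni_list  # ext type 0 = server_name
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + bytes(32)                              # random (zeros, constructed)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def extract_sni(data: bytes):
    """Return the SNI hostname from a ClientHello, or None when it cannot be read.

    None means: not a TLS handshake record, not a ClientHello, no server_name
    extension, or a truncated record (a proxy would wait for more bytes).
    """
    try:
        if len(data) < 5 or data[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        if len(data) < 5 + rec_len:
            return None                      # truncated: need more of the stream
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:
            return None                      # handshake, but not a ClientHello
        pos = 4 + 2 + 32                     # skip handshake header, version, random
        pos += 1 + hs[pos]                   # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                   # compression_methods
        if pos + 2 > len(hs):
            return None                      # no extensions block at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                   # server_name
                lpos = pos + 2               # skip ServerNameList length
                while lpos + 3 <= pos + elen:
                    ntype = hs[lpos]
                    nlen = struct.unpack("!H", hs[lpos + 1:lpos + 3])[0]
                    lpos += 3
                    if ntype == 0:           # host_name
                        return hs[lpos:lpos + nlen].decode("ascii")
                    lpos += nlen
                return None
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def pick_backend(first_payload: bytes, table=BACKENDS, default=None):
    """Choose a backend from the first TLS bytes of an accepted connection.

    This is the decision a reverse proxy makes after the TCP handshake; a
    per-packet NAT rule cannot make it, because the SYN carries no hostname.
    """
    name = extract_sni(first_payload)
    if name is None:
        return default
    return table.get(name.lower(), default)


if __name__ == "__main__":
    for host in ("app.example.com", "nas.example.com", "unknown.example.com"):
        print(host, "->", pick_backend(build_client_hello(host)))
    # A bare TCP SYN has no payload at all: nothing to route on.
    print("empty payload ->", pick_backend(b""))
```

`extract_sni` returns None for an empty payload (the SYN that a NAT rule would have to decide on), for a truncated record (a proxy buffers until the whole ClientHello is in; HAProxy's `tcp-request inspect-delay` exists for exactly that), and for ClientHellos with no server_name, so a deployment needs a default backend or a deliberate drop for those. HAProxy makes this same decision in `mode tcp` with `use_backend ... if { req.ssl_sni -i app.example.com }` and then passes the TLS session through untouched; the TLS termination and CPU cost mkx describes apply when it runs in `mode http` instead.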
 
DaSnipe
just joined
Topic Author
Posts: 11
Joined: Mon Jan 17, 2022 5:00 am
Location: Montreal, QC, Canada
Contact:

Re: Possible on Mikrotik : multiple domains to multiple local servers using SNI

Sat Aug 13, 2022 7:03 pm

Thanks @mkx, you might be right. I've gotten HAProxy to work inside a Container, but it's slowing down my RB5009. Might be a config issue also, but we'll see. I'm not asking too much for my small homelab, but I might have to spin up a VM and just run it there.
