Comment by MadnessASAP
3 days ago
Unfortunately I think that falls under the "Not a bug" category of bugs. Keeping the endpoint concealed all the way to the TLS endpoint is a feature* of HTTP/3.
* I do actually consider it a feature, but do acknowledge https://xkcd.com/1172/
PS. HAProxy can proxy raw TLS, but can't direct based on hostname. Cloudflare tunnel I think has some special sauce that can proxy on hostname without terminating TLS but requires using them as your DNS provider.
Unless you're using ECH (encrypted client hello) the endpoint is obscured (known keys), not concealed.
PS: HAProxy definitely can do this too, something using req.ssl_sni like this:
Then tcp-https-example-proxy is a backend which forwards to a server listening for HTTPS (and using send-proxy-v2, so the client IP is kept). Cloudflare really isn't doing anything special here; there are also other tools like sniproxy[1] which can intercept based on SNI (a common thing commercial proxies do for filtering reasons).
[1]: https://github.com/ameshkov/sniproxy
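An added illustration of the SNI passthrough setup described in the reply above (this is not the commenter's own config): HAProxy reads the SNI from the ClientHello, picks a backend without terminating TLS, and passes the client address to the origin with send-proxy-v2. The hostnames, backend names other than tcp-https-example-proxy, and the 10.0.0.x origin addresses are constructed placeholders.

```haproxy
# Added example config (not from the thread): route TCP connections by SNI
# without terminating TLS, then forward to an HTTPS origin with PROXY v2.
frontend tls_passthrough
    bind *:443
    mode tcp
    option tcplog
    # Buffer the start of the connection so the ClientHello can be inspected
    tcp-request inspect-delay 5s
    # Only proceed once a TLS ClientHello (hello type 1) has been seen
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Route on the SNI extension; it is plaintext here unless ECH is in use
    use_backend tcp-https-example-proxy if { req.ssl_sni -i example.com }
    use_backend tcp-https-other-proxy   if { req.ssl_sni -i other.example }
    # Anything with an unknown or missing SNI goes to a reject-only backend
    default_backend tcp-reject

backend tcp-https-example-proxy
    mode tcp
    # send-proxy-v2 prepends a PROXY protocol v2 header carrying the original
    # client IP; the origin must be configured to expect that header.
    server origin 10.0.0.10:443 check send-proxy-v2

backend tcp-https-other-proxy
    mode tcp
    server origin 10.0.0.11:443 check send-proxy-v2

backend tcp-reject
    mode tcp
    # Drop connections whose SNI did not match a configured host
    tcp-request content reject
```

Because TLS is never terminated at the proxy, the certificate and private key stay on the origin, and the proxy logs only the SNI and connection metadata, not request contents.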
Neat! Thank you very much for the information.