@wen-long
Forked from pjamar/sniproxy.md
Created January 8, 2018 16:31
Revisions

  1. @pjamar pjamar created this gist Jan 7, 2016.
    140 changes: 140 additions & 0 deletions sniproxy.md
    @@ -0,0 +1,140 @@
    <h1 id="sni-proxy-for-sharing-an-ssl-port-443-with-sandstorm">SNI Proxy for sharing an SSL port 443 with Sandstorm</h1>

    <p>Make <em>Sandstorm</em> and other web server coexist in the same port while keeping HTTPS encryption.</p>

    <h2 id="introduction">Introduction</h2>

    <p>The purpose of this tutorial is to set up <em>SNI Proxy</em> so it’s possible to use <em>Sandstorm</em> verified SSL encryption while coexisting with another web server that also uses SSL.</p>

    <p>The main reason is to allow other users to connect with your Sandstorm instance in the standard HTTPS port (443) and keep using that port also for any other web apps.</p>

    <p>I assume the server is running Debian Linux or one of its derivatives (e.g. Ubuntu). Note that there will be some down time in this process so you might want to do it when there is less activity on your server.</p>

    <h2 id="install-sni-proxy">Install SNI Proxy</h2>

    <p>If you’re lucky the package <em>sniproxy</em> might be present on your linux distro otherwise you’ll hace to install it yourself. In my case (Ubuntu 10.04 I had to do it manually). Follow the instructions on <a href="https://github.com/dlundquist/sniproxy">https://github.com/dlundquist/sniproxy</a> to create the Debian package and install it.</p>

    <p>In my case I had to do the following:</p>

    <pre class="prettyprint"><code class="language-bash hljs "><span class="hljs-comment"># Install required packages</span>
    <span class="hljs-built_in">sudo</span> apt-get install autotools-dev cdbs debhelper dh-autoreconf dpkg-dev gettext libev-dev libpcre3-dev libudns-dev pkg-config fakeroot git

    <span class="hljs-comment"># Clone SNI Proxy repo from Github </span>
    git clone https://github.com/dlundquist/sniproxy.git

    <span class="hljs-comment"># Compile and create the package</span>
    <span class="hljs-built_in">cd</span> sniproxy
    ./autogen.sh &amp;&amp; dpkg-buildpackage

    <span class="hljs-comment"># Install the package</span>
    <span class="hljs-built_in">sudo</span> dpkg -i ../sniproxy_&lt;version&gt;_&lt;arch&gt;.deb</code></pre>



    <h2 id="setting-it-up">Setting it up</h2>

    <p>We’ ll be using SNI Proxy to listen for the standard HTTPS port (443) and make it process the domain name. If it’s a Sandstorm domain (ends in .sandcats.io) it will forward the request to Sandstorm on port 9687. In any other case it’ll forward the request to the web server you already had which switched from listening on port 443 to port 9686.</p>

    <p>The ports for Sandstorm and the web server are arbitrary, you can set the ones that work for you in case you have a collision with another service you’re running. It should work as long as you’re being consistent in replacing my choices over the web server, Sandstorm and SNI Proxy configurations.</p>

    <div class="flow-chart"><svg height="653.70703125" version="1.1" width="508.43359375" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" style="overflow: hidden; position: relative; top: -0.625px;"><desc style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);">Created with Raphaël 2.1.2</desc><defs style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);"><path stroke-linecap="round" d="M5,0 0,2.5 5,5z" id="raphael-marker-block" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);"></path><marker id="raphael-marker-endblock33-obj58" markerHeight="3" markerWidth="3" orient="auto" refX="1.5" refY="1.5" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#raphael-marker-block" transform="rotate(180 1.5 1.5) scale(0.6,0.6)" stroke-width="1.6667" fill="black" stroke="none" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);"></use></marker><marker id="raphael-marker-endblock33-obj59" markerHeight="3" markerWidth="3" orient="auto" refX="1.5" refY="1.5" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#raphael-marker-block" transform="rotate(180 1.5 1.5) scale(0.6,0.6)" stroke-width="1.6667" fill="black" stroke="none" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);"></use></marker><marker id="raphael-marker-endblock33-obj60" markerHeight="3" markerWidth="3" orient="auto" refX="1.5" refY="1.5" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#raphael-marker-block" transform="rotate(180 1.5 1.5) scale(0.6,0.6)" stroke-width="1.6667" fill="black" stroke="none" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);"></use></marker><marker id="raphael-marker-endblock33-obj62" markerHeight="3" markerWidth="3" orient="auto" refX="1.5" refY="1.5" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);"><use xmlns:xlink="http://www.w3.org/1999/xlink" 
xlink:href="#raphael-marker-block" transform="rotate(180 1.5 1.5) scale(0.6,0.6)" stroke-width="1.6667" fill="black" stroke="none" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);"></use></marker><marker id="raphael-marker-endblock33-obj64" markerHeight="3" markerWidth="3" orient="auto" refX="1.5" refY="1.5" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#raphael-marker-block" transform="rotate(180 1.5 1.5) scale(0.6,0.6)" stroke-width="1.6667" fill="black" stroke="none" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);"></use></marker><marker id="raphael-marker-endblock33-obj65" markerHeight="3" markerWidth="3" orient="auto" refX="1.5" refY="1.5" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#raphael-marker-block" transform="rotate(180 1.5 1.5) scale(0.6,0.6)" stroke-width="1.6667" fill="black" stroke="none" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);"></use></marker></defs><rect x="0" y="0" width="94.21875" height="39" rx="20" ry="20" fill="#ffffff" stroke="#000000" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);" stroke-width="2" class="flowchart" id="st" transform="matrix(1,0,0,1,74.793,43.4512)"></rect><text x="10" y="19.5" text-anchor="start" font-family="sans-serif" font-size="14px" stroke="none" fill="#000000" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); text-anchor: start; font-family: sans-serif; font-size: 14px; font-weight: normal;" id="stt" class="flowchartt" font-weight="normal" transform="matrix(1,0,0,1,74.793,43.4512)"><tspan dy="5.5" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);">TLS request</tspan><tspan dy="18" x="10" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);"></tspan></text><rect x="0" y="0" width="144.59375" height="39" rx="0" ry="0" fill="#ffffff" stroke="#000000" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);" stroke-width="2" class="flowchart" 
id="op" transform="matrix(1,0,0,1,49.6055,175.9023)"></rect><text x="10" y="19.5" text-anchor="start" font-family="sans-serif" font-size="14px" stroke="none" fill="#000000" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); text-anchor: start; font-family: sans-serif; font-size: 14px; font-weight: normal;" id="opt" class="flowchartt" font-weight="normal" transform="matrix(1,0,0,1,49.6055,175.9023)"><tspan dy="5.5" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);">SNI Proxy (port 443)</tspan></text><path fill="#ffffff" stroke="#000000" d="M58.951171875,29.4755859375L0,58.951171875L117.90234375,117.90234375L235.8046875,58.951171875L117.90234375,0L0,58.951171875" stroke-width="2" font-family="sans-serif" font-weight="normal" id="cond" class="flowchart" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); font-family: sans-serif; font-weight: normal;" transform="matrix(1,0,0,1,4,268.9023)"></path><text x="63.951171875" y="58.951171875" text-anchor="start" font-family="sans-serif" font-size="14px" stroke="none" fill="#000000" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); text-anchor: start; font-family: sans-serif; font-size: 14px; font-weight: normal;" id="condt" class="flowchartt" font-weight="normal" transform="matrix(1,0,0,1,4,268.9023)"><tspan dy="5.513671875" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);">Sandstorm domain?</tspan><tspan dy="18" x="63.951171875" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);"></tspan></text><rect x="0" y="0" width="161.328125" height="39" rx="0" ry="0" fill="#ffffff" stroke="#000000" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);" stroke-width="2" class="flowchart" id="opsand" transform="matrix(1,0,0,1,41.2383,480.2559)"></rect><text x="10" y="19.5" text-anchor="start" font-family="sans-serif" font-size="14px" stroke="none" fill="#000000" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); text-anchor: start; font-family: sans-serif; font-size: 14px; font-weight: normal;" id="opsandt" 
class="flowchartt" font-weight="normal" transform="matrix(1,0,0,1,41.2383,480.2559)"><tspan dy="5.5" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);">Forward to Sandstorm</tspan></text><rect x="0" y="0" width="216.28125" height="39" rx="0" ry="0" fill="#ffffff" stroke="#000000" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);" stroke-width="2" class="flowchart" id="opsandproc" transform="matrix(1,0,0,1,13.7617,612.707)"></rect><text x="10" y="19.5" text-anchor="start" font-family="sans-serif" font-size="14px" stroke="none" fill="#000000" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); text-anchor: start; font-family: sans-serif; font-size: 14px; font-weight: normal;" id="opsandproct" class="flowchartt" font-weight="normal" transform="matrix(1,0,0,1,13.7617,612.707)"><tspan dy="5.5" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);">Sandstorm daemon (port 9687)</tspan></text><rect x="0" y="0" width="160.125" height="39" rx="0" ry="0" fill="#ffffff" stroke="#000000" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);" stroke-width="2" class="flowchart" id="opweb" transform="matrix(1,0,0,1,331.6445,308.3535)"></rect><text x="10" y="19.5" text-anchor="start" font-family="sans-serif" font-size="14px" stroke="none" fill="#000000" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); text-anchor: start; font-family: sans-serif; font-size: 14px; font-weight: normal;" id="opwebt" class="flowchartt" font-weight="normal" transform="matrix(1,0,0,1,331.6445,308.3535)"><tspan dy="5.5" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);">Forward to web server</tspan><tspan dy="18" x="10" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);"></tspan></text><rect x="0" y="0" width="189.453125" height="39" rx="0" ry="0" fill="#ffffff" stroke="#000000" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);" stroke-width="2" class="flowchart" id="opwebproc" transform="matrix(1,0,0,1,316.9805,440.8047)"></rect><text x="10" y="19.5" text-anchor="start" 
font-family="sans-serif" font-size="14px" stroke="none" fill="#000000" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); text-anchor: start; font-family: sans-serif; font-size: 14px; font-weight: normal;" id="opwebproct" class="flowchartt" font-weight="normal" transform="matrix(1,0,0,1,316.9805,440.8047)"><tspan dy="5.5" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);">HTTPS daemon (port 9686)</tspan><tspan dy="18" x="10" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);"></tspan></text><path fill="none" stroke="#000000" d="M121.90234375,82.451171875C121.90234375,82.451171875,121.90234375,156.90331953018904,121.90234375,172.89889812798356" stroke-width="2" marker-end="url(#raphael-marker-endblock33-obj58)" font-family="sans-serif" font-weight="normal" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); font-family: sans-serif; font-weight: normal;"></path><path fill="none" stroke="#000000" d="M121.90234375,214.90234375C121.90234375,214.90234375,121.90234375,254.55644369125366,121.90234375,265.90278283460066" stroke-width="2" marker-end="url(#raphael-marker-endblock33-obj59)" font-family="sans-serif" font-weight="normal" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); font-family: sans-serif; font-weight: normal;"></path><path fill="none" stroke="#000000" d="M121.90234375,386.8046875C121.90234375,386.8046875,121.90234375,461.25683515518904,121.90234375,477.25241375298356" stroke-width="2" marker-end="url(#raphael-marker-endblock33-obj60)" font-family="sans-serif" font-weight="normal" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); font-family: sans-serif; font-weight: normal;"></path><text x="126.90234375" y="396.8046875" text-anchor="start" font-family="sans-serif" font-size="14px" stroke="none" fill="#000000" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); text-anchor: start; font-family: sans-serif; font-size: 14px; font-weight: normal;" font-weight="normal"><tspan dy="5.5078125" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 
0);">yes</tspan></text><path fill="none" stroke="#000000" d="M239.8046875,327.853515625C239.8046875,327.853515625,312.81307860836387,327.853515625,328.64106964943494,327.853515625" stroke-width="2" marker-end="url(#raphael-marker-endblock33-obj62)" font-family="sans-serif" font-weight="normal" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); font-family: sans-serif; font-weight: normal;"></path><text x="244.8046875" y="317.853515625" text-anchor="start" font-family="sans-serif" font-size="14px" stroke="none" fill="#000000" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); text-anchor: start; font-family: sans-serif; font-size: 14px; font-weight: normal;" font-weight="normal"><tspan dy="5.509765625" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);">no</tspan></text><path fill="none" stroke="#000000" d="M121.90234375,519.255859375C121.90234375,519.255859375,121.90234375,593.708007030189,121.90234375,609.7035856279836" stroke-width="2" marker-end="url(#raphael-marker-endblock33-obj64)" font-family="sans-serif" font-weight="normal" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); font-family: sans-serif; font-weight: normal;"></path><path fill="none" stroke="#000000" d="M411.70703125,347.353515625C411.70703125,347.353515625,411.70703125,421.80566328018904,411.70703125,437.80124187798356" stroke-width="2" marker-end="url(#raphael-marker-endblock33-obj65)" font-family="sans-serif" font-weight="normal" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0); font-family: sans-serif; font-weight: normal;"></path></svg></div>

    <h2 id="setting-up-sni-proxy">Setting up SNI Proxy</h2>

    <p>We’ll set <em>sniproxy</em> to forward Sandstorm domains to the Sandstorm instance and to send any other request to the web server. We’ll disable HTTP proxy on <em>sniproxy</em> as there is no need for the HTTP requests to go through it.</p>

    <h3 id="configuration">Configuration</h3>

    <pre class="prettyprint"><code class="language-bash hljs "><span class="hljs-built_in">sudo</span> vi /etc/sniproxy.conf</code></pre>

    <p>/etc/sniproxy.conf contents:</p>



    <pre class="prettyprint"><code class=" hljs vala"><span class="hljs-preprocessor"># sniproxy.conf</span>
    <span class="hljs-preprocessor"># Setup for sharing port 443 with Sandstorm</span>

    user daemon
    pidfile /<span class="hljs-keyword">var</span>/run/sniproxy.pid

    error_log {
    syslog daemon
    priority notice
    }

    listen <span class="hljs-number">443</span> {
    proto tls
    table https_hosts
    fallback <span class="hljs-number">127.0</span><span class="hljs-number">.0</span><span class="hljs-number">.1</span>:<span class="hljs-number">9686</span>

    access_log {
    filename /<span class="hljs-keyword">var</span>/log/sniproxy/https_access.log
    priority notice
    }
    }

    table https_hosts {
    .*\.sandcats\.io <span class="hljs-number">127.0</span><span class="hljs-number">.0</span><span class="hljs-number">.1</span>:<span class="hljs-number">9687</span>
    }</code></pre>



    <h3 id="startup">Startup</h3>

    <p>We’ll have to ensure SNI Proxy starts when rebooted. For that we’ll need to ensure is enabled in <code>/etc/default/sniproxy</code> (<code>ENABLED=1</code>) and also that will automatically start on boot up using the following command:</p>



    <pre class="prettyprint"><code class="language-bash hljs "><span class="hljs-built_in">sudo</span> update-rc.d sniproxy enable</code></pre>



    <h2 id="setting-up-sandstorm">Setting up Sandstorm</h2>

    <p>Enabling SSL support on Sandstorm is out of the scope of this tutorial. If you don’t have it setup yet head to the official documentation (<a href="https://docs.sandstorm.io/en/latest/administering/ssl/">https://docs.sandstorm.io/en/latest/administering/ssl/</a>).</p>

    <p>The only thing we need to tweak is setting the port to the one the SNI Proxy is forwarding the requests to (9687 in these examples) and keep (or make depending on your current setup) the URLs on port 443 (the standard, so no :443 at the end). We’ll assume you have a <code>alias.sandcats.io</code> as your Sandstorm address in the configuration example.</p>



    <pre class="prettyprint"><code class="language-bash hljs "><span class="hljs-built_in">sudo</span> vi /opt/sandstorm/sandstorm.conf</code></pre>

    <p>Relevant contents of <code>/opt/sandstorm/sandstorm.conf</code>:</p>

    <pre class="prettyprint"><code class=" hljs avrasm"><span class="hljs-preprocessor"># Bind localhost to avoid anyone connecting directly to Sandstorm</span>
    BIND_IP=<span class="hljs-number">127.0</span><span class="hljs-number">.0</span><span class="hljs-number">.1</span>
    <span class="hljs-preprocessor"># No ports here, standard HTTPS (port 443)</span>
    BASE_URL=https://alias<span class="hljs-preprocessor">.sandcats</span><span class="hljs-preprocessor">.io</span>
    WILDCARD_HOST=*<span class="hljs-preprocessor">.alias</span><span class="hljs-preprocessor">.sandcats</span><span class="hljs-preprocessor">.io</span>
    <span class="hljs-preprocessor"># This is the port SNI Proxy will connect to</span>
    HTTPS_PORT=<span class="hljs-number">9687</span></code></pre>



    <h2 id="setting-up-your-current-web-server">Setting up your current web server</h2>

    <p>This will depend on the server you have. Remember the accesable URLs will still use the standard HTTPS port, this change is only made to allow the SNI Proxy to sit in the middle.</p>

    <p>I’m using Nginx and I could change all the configuration files using <code>sed</code> to replace 443 for 9686. What I did is:</p>

    <pre class="prettyprint"><code class="language-bash hljs "><span class="hljs-built_in">sudo</span> sed -ri <span class="hljs-string">'s/443/9686/g'</span> /etc/nginx/sites-available/*</code></pre>

    <p>Keep in mind this might not work for you if you’re using ‘443’ anywhere in the configurarion files that is not to refer the port.</p>



    <h2 id="final-steps-put-it-to-work">Final steps, put it to work</h2>

    <p>Now is the time to see if it worked. Shutdown your web server and Sandstorm and start them again. Start sniproxy as well.</p>

    <pre class="prettyprint"><code class="language-bash hljs "><span class="hljs-built_in">sudo</span> service nginx stop
    <span class="hljs-built_in">sudo</span> service sandstorm stop
    <span class="hljs-built_in">sudo</span> service sniproxy start
    <span class="hljs-built_in">sudo</span> service sandstorm start
    <span class="hljs-built_in">sudo</span> service nginx start</code></pre>

    <p>Now you can test by trying to get to your Sandstorm instance using <code>https://alias.sandcats.io</code> (put your alias) and also test that any other https service you had before works (something like <code>https://service.yourdomain.com</code>).</p>

    <blockquote>
    <p>Written with <a href="https://stackedit.io/">StackEdit</a>.</p>
    </blockquote>
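Review bot: the web-server step leaves the proxy bypassable, which undercuts the point of putting sniproxy in front. The Sandstorm side of the hunk sets `BIND_IP=127.0.0.1` with the comment "Bind localhost to avoid anyone connecting directly to Sandstorm", but the nginx side only rewrites the port number with `sudo sed -ri 's/443/9686/g' /etc/nginx/sites-available/*`, so whatever `listen` directive was accepting connections on every interface on 443 now does the same on 9686, and clients can reach nginx directly without passing through sniproxy or its `https_access.log`. Suggest giving nginx the same treatment as Sandstorm (`listen 127.0.0.1:9686 ssl;`, or a host firewall rule restricting 9686 to loopback) and adding a sentence to the "Setting up your current web server" section explaining why the backend ports must not be reachable from outside. Minor: the table entry `.*\.sandcats\.io 127.0.0.1:9687` is an unanchored pattern; writing it as `^.*\.sandcats\.io$` states the intended match explicitly and costs nothing.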