TCP proxy with SNI support


TCP proxy with SNI support

vergil
Hello,

I have a single server with one Public IP and 10 domains. For each domain
I’d like to have a separate docker container as an email server (Postfix +
Dovecot). I’d like to achieve this with transparent TCP proxy with SNI
support.

I'd like to route traffic from example.com on ports 587 & 143 to one
container and traffic for acme.com on ports 587 & 143 to a different
container, etc.

Should ports 587 & 143 be changed to 465 & 993 instead to achieve this?

Can I achieve this by using host:port? Does anyone know of an example?

Thank you.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,288761,288761#msg-288761

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: TCP proxy with SNI support

Francis Daly
On Sun, Jul 19, 2020 at 07:39:55AM -0400, bitquest25c wrote:

Hi there,

> I have a single server with one Public IP and 10 domains. For each domain
> I’d like to have a separate docker container as an email server (Postfix +
> Dovecot). I’d like to achieve this with transparent TCP proxy with SNI
> support.
>
> I'd like to route traffic from example.com on ports 587 & 143 to one
> container and traffic for acme.com on ports 587 & 143 to a different
> container, etc.

Does the first example configuration at
http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html show
what you want?

And if not -- how will your tcp proxy know that some traffic to
your-ip:your-port is intended for one.example.com instead of for
two.example.com?

> Should ports 587 & 143 be changed to 465 & 993 instead to achieve this?

It sounds like you want your clients to speak protocol-over-ssl, using
SNI. So you will probably want smtps-on-465 and imaps-on-993, yes.

So long as you control the clients, and can require them to use your
configuration (SNI and these ports), it should work.

In this design, nginx is not doing SSL-termination; each individual
upstream service will do that.

Good luck with it,

        f
--
Francis Daly        [hidden email]
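The ssl_preread approach Francis points at, worked out for the two domains from the question, as an added example (not from the thread or the nginx docs): one stream front end routes SMTPS (465) and IMAPS (993) by SNI to a per-domain container and leaves TLS termination to that container. The public IP, container addresses and the assumption that each container listens on the same ports are placeholders.

```nginx
# Added example, not from the thread: SNI-based routing of SMTPS/IMAPS
# to per-domain Postfix+Dovecot containers. nginx never decrypts the
# traffic; each container presents its own certificate. All addresses
# below are constructed placeholders.
stream {
    # $ssl_preread_server_name is the SNI taken from the client's TLS
    # ClientHello. It is empty when the client sends no SNI, and it is
    # never available for STARTTLS on 587/143, where the connection
    # starts in cleartext, which is why those ports cannot be routed.
    map $ssl_preread_server_name $mail_backend {
        hostnames;                   # let ".example.com" also match example.com
        .example.com  172.18.0.11;   # container for example.com (placeholder)
        .acme.com     172.18.0.12;   # container for acme.com (placeholder)
        default       127.0.0.1;     # nothing listens here: unknown or missing
                                     # SNI gets a refused connection, not a
                                     # silent hand-off to some other tenant
    }

    server {
        # Bind to the public IP only, so the 127.0.0.1 default above
        # cannot loop back into this same listener.
        listen 203.0.113.10:465;     # SMTPS
        listen 203.0.113.10:993;     # IMAPS

        ssl_preread on;              # peek at the ClientHello, do not terminate TLS
        preread_timeout 10s;         # drop clients that never send a ClientHello

        # Forward to the chosen container on the same port the client used.
        proxy_pass $mail_backend:$server_port;
    }
}
```

Because the routing key is whatever the client puts in SNI, a client that omits it or connects to 587/143 expecting STARTTLS lands in the default branch and is refused; the reply's condition that you control the clients is what makes this workable.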