What to use to forward SSL connections? #sniproxy says it's EOLed, but is there something else? Or does one need to terminate the SSL connections now?

SniProxy

SniProxy based on dnsmasq and nginx. It works like shecan.ir in Iran. How to run: install docker and docker-compose; run with docker-compose up -d; change docker-compose.yml based on your preferences! I try to update the dnsmasq/proxy.conf file based on the internet status of Iran. It could be a resource-intensive task to serve this DNS service to many people, so bring a powerhouse. I tested on a 2 GB, 2 CPU VPS and it is OK for me, my family, and friends. Also dnsmasq […]

https://whalers.ir/blog/sniproxy/6612/

SniProxy - Alireza Gharib Blog


This afternoon, I got close to what I wanted to achieve in terms of load-balancing between the two #AI #sabots I have running.

I had originally planned to use #OpenBSD's #OpenHTTPD or #RelayD to do the job, but #HAProxy #PROXY protocol was the limiting factor… so I went #nginx instead.

One thing I haven't worked out yet is how to pass the client IP by PROXY protocol to an HTTP back-end. Seems I can do it for a generic TCP stream, but not HTTP.

The alternative is to set X-Forwarded-For, and have the back-ends trust it, like they trust PROXY for the gateway's IPv4 address for #sniproxy.

But… it works, you can hit https://sabot.vk4msl.com/ and you'll either get sabot01 (which uses nepenthes) or sabot02 (which uses iocaine). Since neither cares about the URI, I can bounce the client between them.

This did get me thinking though, if enough of us did it, we could have a #AISabotAsAService for websites to redirect/link to when they think they're being scraped by an AI bot.

We could provide a pool of servers that would provide the link maze. Front-end proxies would just bounce you between all the pool members, feeding your bot nonsense.

As of 2023-12-13 #sniproxy is marked as deprecated.

That's a shame, because there is no equivalent replacement. All other reverse proxies (Nginx, HAProxy, Caddy etc.) are significantly more complex, more resource-hungry or less performant.

https://github.com/dlundquist/sniproxy

GitHub - dlundquist/sniproxy: Proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session.


Just discovered how to get `sniproxy` and `nginx` / `apache2` to play together using HAProxy v1 protocol so that I can see client IPs in my server logs.

It's a bit fiddly to get going, but essentially you add the relevant entries to your `sniproxy` rules with the `proxy_protocol` directive.

At the server end:
- on `nginx`: add `set_real_ip_from <sniproxy_host_ip>` to /etc/nginx/conf.d/realip.conf; add `proxy_protocol` to your IPv4 `listen` directives
- on `apache2`: enable `mod_remoteip.so`, put `RemoteIPProxyProtocol On` and `RemoteIPProxyProtocolExceptions 2001::/4`

What this does:
- IPv6 traffic directly hits the box without `sniproxy`
- IPv4 traffic, which presumably is directed at a NAT gateway, goes via sniproxy; the HAProxy header gets added, is picked up by your HTTP server, and can be used in logs or forwarded to applications (like #Mastodon).

#nginx #apache #sniproxy
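As an added example (not from either post above, and not the sniproxy or nginx projects' own documentation), here is how the pieces the two posts describe fit together on the nginx side: the IPv4 listener that sniproxy forwards to accepts PROXY protocol and uses the realip module to recover the client address, the IPv6 listener is reached directly and must not accept PROXY protocol, and the recovered address is then handed to two HTTP back-ends as `X-Forwarded-For`, which is the alternative the earlier post settles on for HTTP upstreams. The sniproxy side is one table entry of the form `sabot.example.com 192.0.2.10:443 proxy_protocol` (the `proxy_protocol` option the post refers to). All hostnames, addresses (192.0.2.1 for the sniproxy host, 192.0.2.10 for the nginx gateway, 10.0.0.11 and 10.0.0.12 for the back-ends) and certificate paths are placeholders. One detail the post leaves out: `set_real_ip_from` alone does nothing for PROXY protocol; nginx also needs `real_ip_header proxy_protocol;`, otherwise `$remote_addr` stays the sniproxy address.

```nginx
# /etc/nginx/conf.d/realip.conf
# Trust PROXY protocol headers ONLY from the sniproxy host. PROXY protocol
# has no authentication: any peer allowed to speak it to a proxy_protocol
# listener can claim any source address, so this list is the trust boundary.
set_real_ip_from 192.0.2.1;          # placeholder: sniproxy host
real_ip_header   proxy_protocol;     # required; without it $remote_addr stays 192.0.2.1

# /etc/nginx/conf.d/sabot.conf
upstream sabots {
    # Two HTTP back-ends; nginx round-robins between them, so a client is
    # bounced from one to the other across requests.
    server 10.0.0.11:8080;           # placeholder: sabot01
    server 10.0.0.12:8080;           # placeholder: sabot02
}

server {
    # IPv4: only ever reached via sniproxy, which prepends a PROXY v1 line.
    # Bind to the address sniproxy targets and keep it unreachable from the
    # outside; a proxy_protocol listener exposed directly lets anyone spoof
    # the client IP that ends up in your logs.
    listen 192.0.2.10:443 ssl proxy_protocol;   # placeholder address

    # IPv6: clients hit the box directly, so NO proxy_protocol here. A plain
    # TLS ClientHello arriving at a proxy_protocol listener would be rejected,
    # and a forged PROXY line arriving here is just a TLS handshake failure.
    listen [::]:443 ssl;

    server_name sabot.example.com;                          # placeholder
    ssl_certificate     /etc/ssl/sabot.example.com.pem;     # placeholder
    ssl_certificate_key /etc/ssl/sabot.example.com.key;     # placeholder

    # $remote_addr is now the real client on both listeners: rewritten by
    # realip on the IPv4 path, native on the IPv6 path. The default combined
    # log format therefore records the client, not the sniproxy host.
    access_log /var/log/nginx/sabot.access.log combined;

    location / {
        proxy_pass http://sabots;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # Set, do not append ($proxy_add_x_forwarded_for would keep whatever
        # the client sent). This gateway is the edge, so a client-supplied
        # X-Forwarded-For must not reach the back-ends.
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The realip trust list plus the listener split is the whole security argument: the back-ends trust `X-Forwarded-For` only because the gateway overwrites it, and the gateway trusts the PROXY line only because it is accepted solely on a listener that nothing but sniproxy can reach. After `nginx -t` and a reload, check from a host other than the sniproxy box that the IPv4 listener is not directly reachable, and confirm in the access log that an IPv6 request and an IPv4 request via sniproxy both show the originating client address.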

SSRF vulnerabilities caused by SNI proxy misconfigurations | Invicti

Misconfigurations in reverse proxies that use SNI to select backend servers can lead to SSRF vulnerabilities. Invicti security researcher Aleksei Tiurin explores the security implications of SNI proxy misconfigurations.
