Today, I will demonstrate how to set up a reverse proxy in OpenResty Edge for TLS connections with SNI extension. Edge servers will listen to port 4003 to proxy requests to google.com or ebay.com based on the SNI Name of requests.

Embeded image

Create an SNI proxy application

Let’s go to the OpenResty Edge’s Admin web console. It is our sample deployment of the console. Every user has her local deployment.

Screenshot

We are going to create an application of type stream.

Select the stream application list page.

Screenshot

Create a new application.

Screenshot

We see two types of stream applications: SNI Proxy and TCP.

Screenshot

Our topic today is the type SNI Proxy selected by default.

Screenshot

TCP applications will get covered in another tutorial.

Screenshot

Enter “www.google.com” as Domain.

Screenshot

In this video, we want to handle requests with different SNI names. Therefore we need multiple domains.

Click this button to add a second domain name: www.ebay.com.

Screenshot

Screenshot

Create this application.

Screenshot

Create an upstream and a page rule for the application

Go to the upstream page.

Screenshot

Create a new upstream.

Screenshot

We give this upstream a name, say, “google”.

Screenshot

Here we enter the hostname of google.

Screenshot

Enter port number 443.

Screenshot

Click to save this upstream.

Screenshot

Now let’s create the second upstream.

Screenshot

And name this upstream “eBay”.

Screenshot

Here we enter the hostname of eBay.

Screenshot

Enter port number 443.

Screenshot

Click to save this upstream.

Screenshot

We can see these two upstreams, “google” and “eBay” are already there.

Screenshot

Now let’s create page rules to make use of these upstreams.

Screenshot

Create the first page rule.

Screenshot

For this page rule, we need to specify a condition.

Screenshot

Here we can choose the variable name of the condition.

Screenshot

We will choose which upstream to proxy based on the SNI name of requests, so the variable name should be SNI Server Name.

Search for SNI.

Screenshot

And select SNI Server Name.

Screenshot

Keep the selection String= for operator unchanged.

Screenshot

The type of the value should be String.

Screenshot

Enter “www.google.com” as the value.

Screenshot

Let’s add a proxy target here.

Screenshot

Select the first upstream that we just created.

Screenshot

Screenshot

There are several Balancing policies to choose from.

Screenshot

Our upstream has only one server. So the balancing policy does not matter here.

Screenshot

We’d just keep the default round-robin policy.

Screenshot

Access to this upstream is across the public network. Therefore we set all timeout values to 60 seconds.

Screenshot

Create this page rule.

Screenshot

Now let’s create another page rule.

Screenshot

Specify a condition for this rule.

Screenshot

The variable name of the condition is still SNI Server Name.

Screenshot

Screenshot

Screenshot

Enter “www.ebay.com” as value.

Screenshot

Add a proxy target here.

Screenshot

Select the second upstream that we just created.

Screenshot

Screenshot

Changed all timeout values to 60 seconds.

Screenshot

Create this page rule.

Screenshot

The proxy page rules exist already on the page rule list.

Screenshot

The last step is to make a new configuration release. It will push out our pending changes to all our gateway servers.

Screenshot

Let’s click on this button to make a new release.

Screenshot

Ship it.

Screenshot

Now it is fully synchronized. As we can see, this sample deployment has 14 servers in the gateway network.

Screenshot

We do incremental config synchronization across the whole network.

Embeded video

Embeded video

Embeded video

We live-update config on the request level. None of the application-level configuration changes require server reload, restart, or binary upgrade. So it is very scalable even when you have many different users making frequent releases.

Embeded image

As shown in this picture, we use 4003 as a port. Let’s add this port to the partition of this application first.

Embeded image

We need to go to the gateway partition page first.

Screenshot

Open the Gateway Partitions page. We are now on the partitions list page. Many partitions are already there.

Screenshot

We will add a port of SNI Proxy type to the partition “default”.

Screenshot

Click this button.

Screenshot

Click the button to add ports.

Screenshot

We see that a new line has been added to the list.

Screenshot

Enter 4003 as the port number.

Screenshot

Click to select Type SNI Proxy.

Screenshot

Save it.

Screenshot

You can see that the new port has been successfully added to the default partition.

Screenshot

Close this panel.

Screenshot

Test the SNI proxy application

Now let’s go to the gateway clusters page and select an Edge server to do the test.

Screenshot

We have a node in the United States with an IP address ending with .84.

Screenshot

We will test the page rules that we added using this server.

We send a curl request with the SNI name www.google.com.

1
curl -I --resolve www.google.com:4003:3.131.85.84 https://www.google.com:4003

Screenshot

As you can see, the server is google. That means the page rule that we just added works. The request with the SNI Name “www.google.com” is proxied to the correct upstream.

Screenshot

Now let’s send another curl request with the SNI name www.ebay.com.

1
curl -I --resolve www.ebay.com:4003:3.131.85.84 https://www.ebay.com:4003

Screenshot

We see that the server is ebay. Page rule works.

Screenshot

Now let’s do the test using the browser. First, we see the hosts binding on the machine.

1
cat /etc/hosts

Screenshot

We can see hosts bind correctly.

Screenshot

Then Visit google using the browser.

Screenshot

Visit eBay.

Screenshot

What is OpenResty Edge

OpenResty Edge is our all-in-one gateway software for microservices and distributed traffic architectures. It combines traffic management, private CDN construction, API gateway, security, and more to help you easily build, manage, and protect modern applications. OpenResty Edge delivers industry-leading performance and scalability to meet the demanding needs of high concurrency, high load scenarios. It supports scheduling containerized application traffic such as K8s and manages massive domains, making it easy to meet the needs of large websites and complex applications.

If you like this tutorial, please subscribe to this blog site and/or our YouTube channel. Thank you!

About The Author

Yichun Zhang (Github handle: agentzh), is the original creator of the OpenResty® open-source project and the CEO of OpenResty Inc..

Yichun is one of the earliest advocates and leaders of “open-source technology”. He worked at many internationally renowned tech companies, such as Cloudflare, Yahoo!. He is a pioneer of “edge computing”, “dynamic tracing” and “machine coding”, with over 22 years of programming and 16 years of open source experience. Yichun is well-known in the open-source space as the project leader of OpenResty®, adopted by more than 40 million global website domains.

OpenResty Inc., the enterprise software start-up founded by Yichun in 2017, has customers from some of the biggest companies in the world. Its flagship product, OpenResty XRay, is a non-invasive profiling and troubleshooting tool that significantly enhances and utilizes dynamic tracing technology. And its OpenResty Edge product is a powerful distributed traffic management and private CDN software product.

As an avid open-source contributor, Yichun has contributed more than a million lines of code to numerous open-source projects, including Linux kernel, Nginx, LuaJIT, GDB, SystemTap, LLVM, Perl, etc. He has also authored more than 60 open-source software libraries.