basic nginx stream setup working with ECH front-end

sftcd · May 12, 2023 · 4ead0b3 · 4ead0b3
1 parent 60253a0
commit 4ead0b3
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 10 deletions.
diff --git a/esnistuff/nginx-split.conf b/esnistuff/nginx-split.conf
@@ -18,10 +18,10 @@ events {
 
 
 http {
-    access_log           fe/logs/access.log combined;
-    ssl_echkeydir        echkeydir;
+    access_log          fe/logs/access.log combined;
+    ssl_echkeydir       echkeydir;
     server {
-        listen              9443 default_server ssl;
+        listen              9442 default_server ssl;
         ssl_certificate     cadir/example.com.crt;
         ssl_certificate_key cadir/example.com.priv;
         ssl_protocols       TLSv1.3;
@@ -33,3 +33,25 @@ http {
     }
 }
 
+stream {
+    map $ssl_preread_server_name $targetBackend {
+        foo.example.com  127.0.0.1:9444;
+        example.com  127.0.0.1:9442;
+    }
+
+    log_format basic '$remote_addr [$time_local] '
+                 '$protocol $status $bytes_sent $bytes_received '
+                 '$session_time "$upstream_addr" '
+                 '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
+
+    access_log fe/logs/access.log basic;
+    error_log  fe/logs/error.log;
+    server {
+        listen              9443;
+        proxy_connect_timeout 1s;
+        proxy_timeout 3s;
+        proxy_pass $targetBackend;
+        ssl_preread on;
+    }
+}
+
diff --git a/esnistuff/nginx.md b/esnistuff/nginx.md
@@ -19,11 +19,14 @@ and these other resources:
 
 1st thing seems to be to confgure build using ``--with-stream`` - that seems to work fine:
 
-            $ ./auto/configure --with-debug --prefix=nginx --with-http_ssl_module --with-stream --with-openssl=$HOME/code/openssl-for-nginx  --with-openssl-opt="--debug"
+            $ ./auto/configure --with-debug --prefix=nginx --with-http_ssl_module --with-stream --with-stream_ssl_preread_module --with-openssl=$HOME/code/openssl-for-nginx-draft-13  --with-openssl-opt="--debug"
 
 Next is to setup test front-end and back-end using the ``testnginx-split.sh``
-script.  That runs nginx listening on port 9443 as the ECH-enabled front-end
-and lighttpd listening on 9444 as the ECH-aware back-end. 
+script.
+
+This setup runs nginx listening on port 9442 for de-muxing, with nginx on 9443
+as the ECH-enabled front-end and lighttpd listening on 9444 as the ECH-aware
+back-end. 
 
 ECH-enabled meaning an ECH key pair is loaded, and ECH-aware meaning able to
 calculate the right ServerHello.random ECH signal when it sees an "inner" ECH
@@ -32,20 +35,39 @@ As of now, there is no protection at all between the front-end and back-end.
 (Actually, we've even yet to configure the stream proxying setup on the
 front-end at all:-)
 
+The front-end
+
 To start servers:
 
             $ ./testnginx-split.sh
 
 Initial tests without ECH:
 
-- Read index from DocRoot of front-end:
+- Read index direct from DocRoot of front-end:
 
-            $ curl  --connect-to example.com:443:localhost:9443 https://example.com/index.html --cacert cadir/oe.csr
+            $ curl  --connect-to example.com:443:localhost:9442 https://example.com/index.html --cacert cadir/oe.csr
 
-- Read index from DocRoot of back-end:
+- Read index direct from DocRoot of back-end:
 
             $ curl  --connect-to foo.example.com:443:localhost:9444 https://foo.example.com/index.html --cacert cadir/oe.csr
 
+- Read back-end index via front-end:
+
+            $ curl  --connect-to foo.example.com:443:localhost:9443 https://foo.example.com/index.html --cacert cadir/oe.csr
+
+- Read front-end index via front-end:
+
+            $ curl  --connect-to example.com:443:localhost:9443 https://example.com/index.html --cacert cadir/oe.csr
+
+- Run ECH against front-end as target:
+
+            $ ./echcli.sh -H example.com -s localhost -p 9443 -P d13.pem
+            Running ./echcli.sh at 20230512-234329
+            ./echcli.sh Summary: 
+            Looks like ECH worked ok
+            ECH: success: outer SNI: 'example.com', inner SNI: 'example.com'
+            $
+
 - Kill servers:
 
             $ killall nginx lighttpd

diff --git a/esnistuff/testnginx-split.sh b/esnistuff/testnginx-split.sh
@@ -7,7 +7,7 @@
 # base build dir
 : ${OSSL:="$HOME/code/openssl"}
 # nginx build dir
-: ${NGINXH:=$HOME/code/nginx-draft-13}
+: ${NGINXH:=$HOME/code/nginx}
 # backend web server - lighttpd for now - can be any ECH-aware server
 : ${LIGHTY:="$HOME/code/lighttpd1.4"}