On 2025-07-07, H. Hartzer <h...@hartzer.sh> wrote:
> I'm wondering if relayd supports using hostnames from SNI in TLS
> connections to proxy, but not terminate TLS.

no, it doesn't. it would need to partially terminate TLS to identify the
sni (if present) from the clienthello, and then look up and forward the
clienthello to the backend.

> Let's say I have a server that needs to proxy to several different
> websites, and it is using one IP address.
>
> openestbsd.org
> openerbsd.org
> openlybsd.org
>
> The TLS handshake should show which it's for, and then it can pass on
> that connection without having to have those certificates. I think
> Cloudflare does this, nginx supports it, and there are some other
> options.
>
> Here are some examples:
>
> https://gist.github.com/kekru/c09dbab5e78bf76402966b13fa72b9d2
>
> https://github.com/vstakhov/sni-proxy
>
> https://github.com/dlundquist/sniproxy
>
> Can relayd do this, or another daemon in base?

sniproxy is in ports, there's nothing in base.


-- 
Please keep replies on the mailing list.
