SSL Preread#

Enables extracting information from the ClientHello message without terminating SSL/TLS, such as the server name requested via SNI or protocols advertised in ALPN.

When building from the source code, this module isn't built by default; it should be enabled with the ‑‑with‑stream_ssl_preread_module build option.

In packages and images from our repos, the module is included in the build.

Configuration Example#

Selecting an upstream by server name#

map $ssl_preread_server_name $name {
    backend.example.com      backend;
    default                  backend2;
}

upstream backend {
    server 192.168.0.1:12345;
    server 192.168.0.2:12345;
}

upstream backend2 {
    server 192.168.0.3:12345;
    server 192.168.0.4:12345;
}

server {
    listen      12346;
    proxy_pass  $name;
    ssl_preread on;
}

Selecting a server by protocol#

map $ssl_preread_alpn_protocols $proxy {
    ~\bh2\b           127.0.0.1:8001;
    ~\bhttp/1.1\b     127.0.0.1:8002;
    ~\bxmpp-client\b  127.0.0.1:8003;
}

server {
    listen      9000;
    proxy_pass  $proxy;
    ssl_preread on;
}

Selecting a server by SSL version#

map $ssl_preread_protocol $upstream {
    ""        ssh.example.com:22;
    "TLSv1.2" new.example.com:443;
    default   tls.example.com:443;
}

# ssh and https at the same port
server {
    listen      192.168.0.1:443;
    proxy_pass  $upstream;
    ssl_preread on;
}

Directives#

ssl_preread#

Syntax

ssl_preread on | off;

Default

ssl_preread off;

Context

stream, server

Enables extracting information from the ClientHello message at the preread phase.

Built-in Variables#

$ssl_preread_protocol#

Highest SSL version supported by the client.

$ssl_preread_server_name#

Server name requested via SNI.

$ssl_preread_alpn_protocols#

List of protocols advertised by the client through ALPN. The values are comma separated.