SSL Preread
Enables extracting information from the ClientHello message without terminating SSL/TLS, such as the server name requested via SNI or protocols advertised in ALPN.
When building from the source code, this module isn't built by default; it should be enabled with the --with-stream_ssl_preread_module build option.
In packages and images from our repos, the module is included in the build.

The ssl_preread directive enables extracting information from the ClientHello message at the preread phase. The built-in variables hold the extracted values:

$ssl_preread_protocol: highest SSL version supported by the client.
$ssl_preread_server_name: server name requested via SNI.
$ssl_preread_alpn_protocols: list of protocols advertised by the client through ALPN. The values are comma separated.

Configuration Example
Selecting an upstream by server name

map $ssl_preread_server_name $name {
    backend.example.com backend;
    # also used when the client sends no SNI
    default             backend2;
}

upstream backend {
    server 192.168.0.1:12345;
    server 192.168.0.2:12345;
}

upstream backend2 {
    server 192.168.0.3:12345;
    server 192.168.0.4:12345;
}

server {
    listen      12346;
    proxy_pass  $name;
    ssl_preread on;
}

Selecting a server by protocol

map $ssl_preread_alpn_protocols $proxy {
    ~\bh2\b          127.0.0.1:8001;
    ~\bhttp/1.1\b    127.0.0.1:8002;
    ~\bxmpp-client\b 127.0.0.1:8003;
}

server {
    listen      9000;
    proxy_pass  $proxy;
    ssl_preread on;
}

Selecting a server by SSL version

map $ssl_preread_protocol $upstream {
    # empty value: no TLS ClientHello was recognized
    ""        ssh.example.com:22;
    "TLSv1.2" new.example.com:443;
    default   tls.example.com:443;
}

# ssh and https at the same port
server {
    listen      192.168.0.1:443;
    proxy_pass  $upstream;
    ssl_preread on;
}

Directives
ssl_preread
Built-in Variables
$ssl_preread_protocol
$ssl_preread_server_name
$ssl_preread_alpn_protocols
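
The following Python sketch is an added example, not code from the module or from this documentation: it parses a constructed ClientHello record and returns the same three kinds of values the variables above describe, all of them read from unauthenticated cleartext sent by the client. The function names and the sample record are assumptions, and taking the highest recognized entry of supported_versions (falling back to legacy_version) is this example's own rule for the protocol value.

```python
VERSIONS = {0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def _vec(buf, off, n):
    """Read an n-byte length prefix at off; return (body, offset after body)."""
    end = off + n + int.from_bytes(buf[off:off + n], "big")
    if end > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[off + n:end], end

def preread(record):
    """Return (protocol, server_name, alpn) read from one TLS record."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return "", "", ""  # not a TLS ClientHello (for example an SSH banner)
    hello, _ = _vec(record, 6, 3)            # handshake body
    ver = int.from_bytes(hello[:2], "big")   # legacy_version
    off = 34                                 # skip legacy_version and random
    for n in (1, 2, 1):                      # session_id, ciphers, compression
        _, off = _vec(hello, off, n)
    exts = _vec(hello, off, 2)[0] if off < len(hello) else b""
    name, alpn, off = "", [], 0
    while off < len(exts):
        etype = int.from_bytes(exts[off:off + 2], "big")
        body, off = _vec(exts, off + 2, 2)
        if etype == 0:                       # server_name
            entry = _vec(body, 0, 2)[0]
            if entry[:1] == b"\x00":         # name_type host_name
                name = _vec(entry, 1, 2)[0].decode("ascii", "replace")
        elif etype == 16:                    # ALPN protocol list
            protos, p = _vec(body, 0, 2)[0], 0
            while p < len(protos):
                proto, p = _vec(protos, p, 1)
                alpn.append(proto.decode("ascii", "replace"))
        elif etype == 43:                    # supported_versions
            vs = _vec(body, 0, 1)[0]
            offered = [int.from_bytes(vs[i:i + 2], "big") for i in range(0, len(vs) - 1, 2)]
            # assumption of this example: highest recognized version wins
            ver = max([v for v in offered if v in VERSIONS] + [ver])
    return VERSIONS.get(ver, ""), name, ",".join(alpn)

def _p(n, body):  # sample builder: prefix body with its n-byte length
    return len(body).to_bytes(n, "big") + body

def sample_hello(host, protos, versions):  # constructed ClientHello record
    ext = lambda t, b: t.to_bytes(2, "big") + _p(2, b)
    exts = ext(0, _p(2, b"\x00" + _p(2, host.encode())))
    exts += ext(16, _p(2, b"".join(_p(1, p.encode()) for p in protos)))
    exts += ext(43, _p(1, b"".join(v.to_bytes(2, "big") for v in versions)))
    body = b"\x03\x03" + bytes(32) + _p(1, b"") + _p(2, b"\x13\x01") + _p(1, b"\x00")
    return b"\x16\x03\x01" + _p(2, b"\x01" + _p(3, body + _p(2, exts)))
```

For sample_hello("backend.example.com", ["h2", "http/1.1"], [0x0304, 0x0303]) the ALPN value is "h2,http/1.1", which the ~\bh2\b entry of the protocol map matches. An SSH banner yields three empty strings, the case the "" entry of the SSL version map selects.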