SSL Preread

Enables extracting information from the ClientHello message without terminating TLS, such as the server name requested via SNI or protocols advertised in ALPN.

When building from the source code, this module isn't built by default; it should be enabled with the --with-stream_ssl_preread_module build option.

In packages and images from our repos, the module is included in the build.

Configuration Example

Selecting an upstream by server name

map $ssl_preread_server_name $name {
    backend.example.com      backend;
    default                  backend2;
}

upstream backend {
    server 192.168.0.1:12345;
    server 192.168.0.2:12345;
}

upstream backend2 {
    server 192.168.0.3:12345;
    server 192.168.0.4:12345;
}

server {
    listen      12346;
    proxy_pass  $name;
    ssl_preread on;
}

Selecting a server by protocol

map $ssl_preread_alpn_protocols $proxy {
    ~\bh2\b           127.0.0.1:8001;
    ~\bhttp/1.1\b     127.0.0.1:8002;
    ~\bxmpp-client\b  127.0.0.1:8003;
}

server {
    listen      9000;
    proxy_pass  $proxy;
    ssl_preread on;
}

Selecting a server by SSL protocol version

map $ssl_preread_protocol $upstream {
    ""        ssh.example.com:22;
    "TLSv1.2" new.example.com:443;
    default   tls.example.com:443;
}

# ssh and https at the same port
server {
    listen      192.168.0.1:443;
    proxy_pass  $upstream;
    ssl_preread on;
}

Directives

ssl_preread

Syntax:  ssl_preread on | off;
Default: ssl_preread off;
Context: stream, server

Enables extracting information from the ClientHello message at the preread phase.

Built-in Variables

$ssl_preread_protocol

Highest SSL protocol version supported by the client.

$ssl_preread_server_name

Server name requested via SNI.

$ssl_preread_alpn_protocols

List of protocols advertised by the client through ALPN. The values are comma separated.
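All three variables are read from the plaintext ClientHello before any TLS processing happens. The following added example (not part of the module or its documentation) parses a raw ClientHello record the same way: it walks the handshake body to the extensions, pulls server_name (type 0), ALPN (type 16) and supported_versions (type 43), and reports the highest version the client actually offers, which for TLS 1.3 clients lives in supported_versions rather than the legacy version field. `build_client_hello` is a helper that constructs test input; a truncated record raises instead of guessing, which is the situation a too-small preread buffer produces.

```python
import struct

# Version codes mapped to the names $ssl_preread_protocol reports.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def parse_client_hello(record: bytes) -> dict:
    """Read protocol, SNI and ALPN out of one raw TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello: more preread bytes needed")
    version = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                                        # legacy_version + random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    info = {"protocol": VERSIONS.get(version, ""), "server_name": "", "alpn": ""}
    ext_end = pos + 2 + struct.unpack_from("!H", body, pos)[0] if pos < len(body) else pos  # extensions are optional
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0:      # server_name: list length(2), name_type(1), name length(2), name
            info["server_name"] = data[5:5 + struct.unpack_from("!H", data, 3)[0]].decode("ascii")
        elif etype == 16:   # ALPN: list length(2), then length(1)-prefixed protocol names
            names, p = [], 2
            while p < len(data):
                names.append(data[p + 1:p + 1 + data[p]].decode("ascii"))
                p += 1 + data[p]
            info["alpn"] = ",".join(names)
        elif etype == 43:   # supported_versions: TLS 1.3 clients put the real maximum here
            known = [v for v in struct.unpack_from("!%dH" % (data[0] // 2), data, 1) if v in VERSIONS]
            info["protocol"] = VERSIONS.get(max(known, default=0), info["protocol"])  # skips GREASE codes
    return info


def build_client_hello(version, sni, alpn, supported=()):
    """Constructed test input: a minimal ClientHello (one cipher suite, no session id), not a real capture."""
    def ext(etype, data):
        return struct.pack("!HH", etype, len(data)) + data
    exts = ext(0, struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni.encode("ascii"))
    names = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
    exts += ext(16, struct.pack("!H", len(names)) + names)
    if supported:
        exts += ext(43, bytes([2 * len(supported)]) + b"".join(struct.pack("!H", v) for v in supported))
    body = struct.pack("!H", version) + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Non-TLS input such as an SSH banner raises rather than returning an empty protocol string, so the equivalent of the "" branch in the ssh/https example above is the exception path.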