How do I route HTTPS encrypted packets without decrypting them?
This can be achieved by using the nginx ngx_stream_ssl_preread_module. Here's an example configuration:
    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log warn;
    pid /var/run/nginx.pid;

    events {
        worker_connections 1024;
    }

    stream {
        upstream server1 {
            server 192.0.2.125:443;
        }

        upstream server2 {
            server 192.0.2.126:443;
        }

        map $ssl_preread_server_name $upstream {
            hostnames;
            .server1.example.com server1;
            .server2.example.com server2;
        }

        server {
            listen 443;
            listen [::]:443;
            ssl_preread on;
            proxy_pass $upstream;
        }
    }
The upstream directive is used to define the server to send traffic to. Then the map $ssl_preread_server_name allows nginx to read the SNI value of the request from the client to properly direct traffic to the right upstream box.
This will ONLY work if the client sends a valid SNI value. This also allows the use of client certificates for authentication, since the TLS connection isn't completed until AFTER nginx sends the traffic to the remote endpoint.
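As an added illustration (not part of the answer above, and not nginx's own code), the following Python script shows what ssl_preread does under the hood: it reads the server_name extension out of the unencrypted TLS ClientHello and picks an upstream from a table that mirrors the map block, where a leading dot matches the name itself and any subdomain. The ClientHello bytes are constructed in the script rather than captured, the upstream addresses are the ones from the configuration, and the suffix-matching rule is an assumption about how the hostnames map behaves; nothing is decrypted because the SNI is sent in clear text before any key exchange.

```python
import struct

# Routing table in the spirit of the "map $ssl_preread_server_name" block:
# a leading dot matches the bare name and every subdomain (assumed semantics).
UPSTREAMS = {
    ".server1.example.com": "192.0.2.125:443",
    ".server2.example.com": "192.0.2.126:443",
}


def build_client_hello(server_name=None):
    """Construct a minimal TLS ClientHello record (sample data, not a real capture)."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        sni_list = struct.pack("!BH", 0, len(name)) + name       # name_type 0 = host_name
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", 0, len(sni_ext)) + sni_ext    # extension type 0 = server_name
    body = (
        b"\x03\x03"                               # client_version: TLS 1.2
        + b"\x00" * 32                            # random (zeros in the sample)
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
        + b"\x01\x00"                             # one compression method: null
        + struct.pack("!H", len(exts)) + exts     # extensions block
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record type 22 = handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None                        # not a handshake record / not a ClientHello
        pos = 9                                # record header (5) + handshake header (4)
        pos += 2 + 32                          # client_version + random
        pos += 1 + record[pos]                 # session_id
        cs_len = struct.unpack_from("!H", record, pos)[0]
        pos += 2 + cs_len                      # cipher_suites
        pos += 1 + record[pos]                 # compression_methods
        if pos >= len(record):
            return None                        # no extensions block at all
        ext_total = struct.unpack_from("!H", record, pos)[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0:
                # server_name data: list_len(2), name_type(1), name_len(2), name
                name_type, name_len = struct.unpack_from("!BH", record, pos + 2)
                if name_type == 0:
                    return record[pos + 5 : pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                            # truncated or garbage input: no SNI to route on
    return None


def select_upstream(server_name, table=UPSTREAMS):
    """Mirror the map block: '.example.com' matches example.com and *.example.com."""
    if not server_name:
        return None
    host = server_name.lower().rstrip(".")
    for pattern, upstream in table.items():
        if pattern.startswith("."):
            base = pattern[1:]
            if host == base or host.endswith("." + base):
                return upstream
        elif host == pattern:
            return upstream
    return None


def route(record):
    """The decision ssl_preread + proxy_pass make for one ClientHello: an upstream, or None."""
    return select_upstream(extract_sni(record))


if __name__ == "__main__":
    for name in ("www.server1.example.com", "server2.example.com", "other.example.net", None):
        print(name, "->", route(build_client_hello(name)))
```

The None results are the cases the answer warns about: a client that sends no SNI (or a malformed hello) gives nginx nothing to map, so $upstream is empty and the connection cannot be proxied.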