Server Name Indication (SNI) (Explained by Example)

  Views: 23,681

Hussein Nasser


Comments: 51
@efimovta 3 years ago
Thanks!
@efimovta 3 years ago
There is so much cool content on the channel. Unbelievable! My first donation in my life starts with it.
@FarazAliZuberi 4 years ago
Dude you're a legend 😂 hilarious and fun.. keep up the good work.. learnt a lot. Subscribed..
@hnasr 4 years ago
Thanks Faraz 😊 glad you enjoyed the content and welcome to the community 🙏
@rakeshkala7042 3 years ago
Seriously man, your videos are damn good. Full of technicalities with fun, btw liked your Arabic accent 🤣
@kumarchitta 3 years ago
Dude, this is awesome 👍 like the way you make it fun and interesting and to the point. Great work my friend.
@luispuentes6392 4 years ago
This explanation is so nice. Thanks!
@hnasr 4 years ago
Appreciate it! Thanks
@jackedelic9188 3 years ago
I never knew about an IP address being able to serve multiple domain names. I just double checked by typing in an existing IP address (instead of its domain name) and got 404. I felt cheated at the end of my 4-year CS education.
@hnasr 3 years ago
Yup! Connecting through IP is not enough for the server, as it doesn't know which domain / website you want. Some websites might put defaults though.
@ritwickdey97 5 years ago
Hi, how does HAProxy know which cert to send to the client for the "ali", "mark" or "jenny" backend? Does it try to match backend name & cert name?
@hnasr 5 years ago
Excellent question. During the client hello in TLS, the client sends the host name it is trying to connect to. HAProxy takes that host name and matches it against each of the three certificates, because the certificate has the hostname, and sends the appropriate one that matches. This is called SNI (Server Name Indication).
@ritwickdey97 5 years ago
@hnasr OK, I got it.
@chengdongliao9875 4 years ago
Thanks for your effort to make this awesome video!
@hnasr 4 years ago
Chengdong Liao thanks for your comment dear 😊
@abulaith4485 5 years ago
Wow, great technical video on multisite hosting on 1 IP address, even though you confused the hell out of me :-o) LOL
@blypt 4 years ago
Funny Voice of Dad :) :)
@palaniappanrm6277 4 years ago
Hi. A few doubts as always. 1. After you set up everything and made sure all 3 websites are working fine with 1 public IP using SNI, what will happen if I just specify the public IP address in the browser rather than a domain name? Which content will it return? 2. ESNI needs a public key to be present in the DNS entry. The public key you mention here is the public key of the HAProxy server, right? If so, what configuration changes are required in the .cfg file for the same?
@hnasr 4 years ago
Palaniappan RM, I can see your knowledge is growing with every question you ask, which is awesome! For 1) if you only specify the IP address, the host SNI will be blank and the SNI handshake will fail on the server. It is up to the server to serve a default certificate when no host is provided.
@hnasr 4 years ago
Answer for q2) the public key on the DNS has a matching private key on HAProxy. So the client will do DNS, get the public key, encrypt the SNI, do the TLS hello, and the server will decrypt the SNI and look at the host.
@palaniappanrm6277 4 years ago
@hnasr We don't have to do any other configuration in the HAProxy config file for this private key decryption during TLS hello to work?
@AhmedAymanElSayed-e1i 1 year ago
Thanks for the video. Very informative and fun 😉. I had a question regarding ESNI, when the public key is used to encrypt the TLS handshake. Which private key will the server use for decryption? Like in your example, will it be Ali, Jenny, Mark or a default one?
@HarshKapadia 4 years ago
For ESNI, how is the public key of the target domain encrypted when it is sent to the server?
@hnasr 4 years ago
The public key is encrypted as part of the DoH connection between the client and the DNS resolver.
@brod515 4 years ago
33:14 I'm confused here. If you make a query to the DNS for a particular domain, then it is already visible. Anyone can see you making that request. Edit: 😂 spoke too soon, I see you address it after.
@brod515 4 years ago
What is the difference between just using NodeJS vs using HAProxy (I don't know what HAProxy is)?
@AnasLoubadi 1 year ago
Think of HAProxy as a load balancer that receives requests and forwards them to backend servers.
@asd848 4 years ago
So this isn't possible without a proxy? You couldn't use SNI, let's say, on a Node server alone?
@hnasr 4 years ago
Of course, if that web server supports SNI; Caddy and nginx come to mind.
@MelviHunzaiFamily 4 years ago
How can I make an SNI account or sign up on SNI?
@hnasr 4 years ago
safder karim There is no account for SNI. You can just create multiple domains and use the proxy to configure it as I explained in the video.
@abdulsamihamedi5584 2 years ago
Can I create a smart DNS proxy with this method?
@shikamigreg5490 4 years ago
How can I configure this on an Android phone?
@hnasr 4 years ago
This is a pure backend concept, nothing to do in the client except providing the SNI parameter, which most SSL libraries do.
@shikamigreg5490 4 years ago
Thanks for the reply. Can you make a detailed tutorial on how to correctly configure httpinjector ehi files on Android phones to bypass ISP for free net?
@chebalid7524 4 years ago
Hey, nice stuff. I wanna ask: can you instruct HAProxy to accept any random SNI?
@hnasr 4 years ago
Hmm, you can with scripts, assuming you have the certificates for each domain requested.
@chebalid7524 4 years ago
@hnasr OK. Let's say I have my.website.com hosted and running fine with a certificate generated, and in HAProxy I set the host name, let's say, to www.google.com, and make sure the client hello will have www.google.com in the host header. Will the TLS connection be established? Hope you understand what I mean.
@hnasr 4 years ago
The TLS will fail on the client because the certificate verification will fail, since my.website is not google.com. The TLS can be successful if the client decides to ignore certificate verification, for example curl --insecure, or in browsers clicking “I understand the risk”.
@chebalid7524 4 years ago
@hnasr Wooow. Thanks. You just made it clear to me.
@Twowheeleetales 4 years ago
How can I capture Android app SNI?
@voidthat 3 years ago
Hey, this is a video explaining what SNI is, and it is not a video about finding SNI -_-
@seeebscraib8465 3 years ago
From where, Hussein?
@lukeb0030 4 years ago
At 1.5x speed, this presentation is pretty HekTik
@natesh1 4 years ago
Hi, you forgot to reference the videos in this....
@hnasr 4 years ago
Natesh M Bhat thanks for letting me know! Do you know where (timestamp)? It would make it easier for me 😊
@somebody3014 1 year ago
27:00
@seeebscraib8465 3 years ago
Where are you from, Hussein?
@seeebscraib8465 3 years ago
Damn you, I didn't understand a thing, hahahaha