I was trying to understand how virtual hosting works with https. Finally landed on this and SNI is the answer :)

Man, I appreciate your vid, the content is good. All the goofing around makes it harder to pay attention to the content however.

Hi Hussein, thank you for your explanation. I just wondering what did the proxy actually do in the middle to pass the traffic to the backend servers without modifying the original packet? or the proxy is keeping modifying the destination address(redirecting the request to backend servers even if the session is ongoing ), but not the SSL handshake?

Are we going to talk about the pro’s/con’s of the different LB connection patterns? You totally spiked my interest!

How ,for layer4 proxy,would reverse proxy passthrough request to appropriate server if server is to be decided based on path(ex location in nginx) and not the host(so SNI doesnt come into picture)?Ex host.com/path1 goes to 1.1.1.1 and host.com/path2 to 2.2.2.2

Old video , new comment: I am doing research in to TLS termination on sites like AWS S3. Is there a moment after TLS termination and before Server Side Encryption that the data is in plaintext in memory on the server? Is this prone to some kind of attack? If at any point the data is unencrypted is a vulnerability, what are your thoughts. I search aws s3 website, they dont talk about this. But they do say that data is encrypted at rest. If data is uploaded using multipart upload (for large files) it has to be decrypted on their side using their ssl private key? Load balances that decrypt the data, often need to pass it to other endpoints and when configured AWS services you can choose to do so without TLS, and the end user will never know. (maybe faster processing, cheaper etc)

I have heard about two approach in the real world, TLS passthrough vs. TLS re-encrypt. What is the use case to apply either side? I still have to understand how to apply when features are available in haproxy.

I have a love-hate relationship with proxies, setting them up properly and taking every possible scenario into account is a pain in the ass. TLS passthrough can also be implemented in forward proxies, as I do with squid proxy. Peeking at SNI in TLS client hello and deciding whether to terminate tls, and to reestablish the connection to a specific endpoint requiring SSL/TLS client certificate authentication. All other sites are then either allowed using TLS passthrough if they are whitelisted, while the rest are terminated. And sure enough, I can see every HTTP requesst on the terminated site, while in TLS passthrough you can only see HTTP CONNECT requests for allowed sites and TCP_DENIED for the discarded ones.

Small doubt. If we have 2 instances running in backend and the reverse proxy does TLS pass through, then it should do some sticky session stuff right so that the TLS connection established between 1 of the backend will be the server always used for the subsequent requests?

❤️

thanks for your video! could your please take a video about envoy proxy and istio? 😊

Super video! I applauded for ₹40.00 👏

Nice ! but TLS passthrough looks like a Layer 7 reverse-proxy (AWS Application Load Balancer or AWS ALB) and TLS termination looks like a layer 4 reverse-proxy (AWS Network load balancer or AWS NLB). But when it comes to looking at the packet, I think both AWS ALB and AWS NLB can see/read the client request. AWS ALB has path based routing, HTTP header based routing, etc., based on which it sends the request to backend server. that way, AWS ALB(Layer 7 LB) can look at the data. And, NLB has an option for TLS termination, so coz of that NLB(layer 4) can also look at the data. Correct me if I'm wrong.

11:01 Actual TL:S passthrough. :)