cbeuw / Cloak

A censorship circumvention tool to evade detection by authoritarian state adversaries
GNU General Public License v3.0
3.42k stars 303 forks

[Question] Is it possible to put Cloak behind some l4 proxy? #255

Open Unb0rn opened 8 months ago

Unb0rn commented 8 months ago

I wonder if it's possible to share the outbound 443 port with other services by using something like an L4 proxy with SNI (let's say HAProxy)? Does Cloak respect proxy-protocol headers? I think neither the config files nor the issues have any info on it.

archer-v commented 3 months ago

It works correctly with HAProxy if it's configured as a TCP proxy (not an HTTPS proxy).

Example of haproxy configuration:

```
frontend https_in
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    # Traffic forwarding to the backend depending on the SNI
    use_backend server1 if { req_ssl_sni -i example1.com }
    use_backend server2 if { req_ssl_sni -i example2.com }

    # Default backend if the SNI doesn't match any rule above
    default_backend cloak

backend server1
    mode tcp
    server server1 localhost:445 check

backend server2
    mode tcp
    server server2 localhost:446 check

backend cloak
    mode tcp
    server cloak localhost:444 check
```

There is no need for any special configuration of Cloak; just bind it to any other port, for example 444.

nordeep commented 3 months ago

@archer-v Thank you for sharing the configuration! Unfortunately, in this configuration, Cloak doesn't redirect to RedirAddr for me. I couldn't find a solution. It seems the SNI is parsed by HAProxy and it isn't sent to Cloak.