fabio can run a transparent TCP proxy with SNI support which can forward any TLS connection
without re-encrypting the traffic. fabio captures the
ClientHello packet which is the
first packet of the TLS handshake and extracts the server name from the SNI extension and
uses it for finding the upstream server to forward the connection to. It then replays the
ClientHello packet and then transparently forwards all traffic between client and server
as a byte stream.
To enable this feature configure a listener as follows:
to listen to more than 1 port separate with comma’s (like if you want to do tcp and http listening):
fabio -proxy.addr ':9999,:19587;proto=tcp
This will do normal fabio http(s) routing on port 9999 and TCP proxy on port 19587.
and register your services in Consul with a
urlprefix- tag that
matches the host from the SNI extension. If your server responds to
then you should register a
urlprefix-foo.com/ tag for this service. Note that the tag
should only contain
<host>/ since path-based routing is not possible with this approach.