Hussein, believe it or not, your channel is the best in the tech community. I love watching these videos🙏🏻🙏🏻
The most practical way of learning you can ever find (also made me laugh 2/3 times lol). I wish a lot of articles, blogs, even documentation were written the way you explain things. :)
Cheers.
Thank you for this informative video!
I have a question: On web servers and proxy servers there is the option to turn SNI on or off.
Is there any reason SNI should be set to false instead of true when hosting multiple sites? It seems that when you host multiple sites the option should always be true?
I got addicted to your channel!
good explanation, thanks
Thanks so much for this video tutorial.
Nice video, love your style 👍🏼
thank you Mohamed!
I have 2 questions.
1. The one which does SNI resolving can be any web server/proxy like Apache/Nginx/HAProxy? If so, any extra configuration is needed, right?
2. During TLS, we use SNI to create a proper symmetric key between the browser and the server (a.com). Now the browser encrypts the content (headers and body) and sends it. For the normal subsequent GET request, how come the proxy/web server will be able to decrypt the content and see the header to route it to a.com?
For 1,
Yes, you can have it be a proxy resolving to multiple other servers
For 2,
I think it depends on level of proxy. Layer 7 might have those values to decrypt but layer 4 might not
Adding to Udani’s answer and assuming you have a TLS terminating proxy (layer 7), you have to share all SNI certificates of all the upstream/backend servers with the proxy. If so, then the proxy decrypts the traffic and encrypts it back on the backend.
If you don’t want to do that, then you use a layer 4 proxy which just forwards the client hello to the backend, and the proxy becomes transparent.
@hnasr can we have a layer 4 LB in this SNI case? Because the proxy has to see the Host header to route the traffic in the first place. I thought we can't have a layer 4 LB for SNI at all.
@palaniappanrm6277 you don't need SNI in layer 4. The layer 4 will forward packets based on seq number, source port, etc. to the right server.
Great video Hussein. Thanks!
Thank you so much for these great videos! Even after many years in the industry, I learn new stuff all the time with your channel.
Amir Shitrit thank you Amir! 😊 what do you focus on at your work?
You are entertaining. Try vlogging different non-tech topics.
Thanks for this video. Very nice.
Cool explanation bro. Thank you for this video.
Amazing explanation, Thanks a lot for this video!
Hi, I have a question,
As to what you explained, that if I go to an IP address directly I will not be able to get the page, as the SNI will be the same as the IP address and the host won't know what to do with it: what would happen if I use a header editor like ModHeader and add an SNI of the domain name for that site? Would that work?
Virtual Board is the best Hussein
Man you are awesome
Null Hunt you are more awesome! Thanks for all the love and comments ❤️
@hnasr ❤️
hi sir can you help me how to find Bug SNI Host to free net
I think I am in love with you ...
Hy