Thanks for the video. Very informative and fun 😉.
I had a question regarding ESNI, when the public key is used to encrypt the TLS handshake. Which private key will the server use for decryption? Like in your example, will it be Ali, Jenny, Mark or a default one?
Dude you're a legend 😂 hilarious and fun.. keep up the good work.. learnt a lot. Subscribed..
Thanks Faraz 😊 glad you enjoyed the content and welcome to the community 🙏
Hi. A few doubts, as always.
1. After you set up everything and made sure all 3 websites were working fine with 1 public IP using SNI, what will happen if I just specify the public IP address in the browser rather than a domain name? Which content will it return?
2. ESNI needs the public key to be present in the DNS entry. The public key you mention here is the public key of the HAProxy server, right? If so, what configuration changes are required in the .cfg file for that?
Palaniappan RM I can see your knowledge is growing with every question you ask! Which is awesome.
For 1) if you only specify the IP address, the host SNI will be blank and the SNI handshake will fail on the server.. it is up to the server to serve a default certificate when no host is provided..
Answer for q2) the public key on the DNS has a matching private key on HAProxy..
So the client will do DNS, get the public key, encrypt the SNI, do the TLS hello.. and the server will decrypt the SNI and look at the host..
@hnasr we don't have to do any other configuration in the HAProxy config file for this private key decryption during the TLS hello to work?
I never knew about an IP address being able to serve multiple domain names. I just double checked by typing in an existing IP address (instead of its domain name) and got a 404. I felt cheated at the end of my 4 year CS education.
Yup! Connecting through IP is not enough for the server as it doesn't know which domain / website you want.. some websites might put defaults though
This explanation is so nice. Thanks!
Appreciate it! Thanks
Dude, this is awesome 👍 like the way you make it fun and interesting and to the point. Great work my friend.
33:14 I'm confused here. If you make a query to the DNS for a particular domain, then it is already visible. Anyone can see you making that request.
Edit: 😂spoke too soon I see you address it after.
Seriously man, your videos are damn good. Full of technicalities with fun, btw liked your Arabic accent 🤣
Funny Voice of Dad :) :)
Thanks for your effort to make this awesome video!
Chengdong Liao thanks for your comment dear 😊
Wow, great technical video on multisite hosting on 1 IP address, even though you confused the hell out of me :-o) LOL
Thanks!
There is so much cool content on the channel. Unbelievable! My first donation ever starts with it.
Hi, how does HAProxy know which cert it should send to the client for the "ali", "mark" or "jenny" backend? Does it try to match the backend name & cert name?
Excellent question. During the client hello in TLS the client sends the host name it tries to connect to. HAProxy takes that host name and matches it against each of the three certificates, because the certificate has the hostname, and sends the appropriate one that matches. This is called SNI (Server Name Indication).
@hnasr Okk. I got it..
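The matching described above, as an added example that is not from the video or from HAProxy itself: a minimal parser that pulls the server_name out of a TLS ClientHello and picks the certificate for it, falling back to a default when the client sent no SNI (the "connect by IP" case from the earlier question). The ali/jenny/mark names come from the video; the domains, file names and the ClientHello bytes are constructed here.

```python
import struct

# Constructed stand-in for the three backends' certificates; a real proxy loads PEM files.
CERTS = {"ali.example.com": "ali.pem", "jenny.example.com": "jenny.pem",
         "mark.example.com": "mark.pem"}
DEFAULT_CERT = "default.pem"   # served when the SNI is blank or unknown

def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input)."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")               # RFC 6066: host_name is ASCII
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # type 0 = host_name
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        exts = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext  # ext type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
            + b"\x01\x00"                                # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record type 0x16 = handshake

def extract_sni(record):
    """Return the server_name from a ClientHello record, or None if the client sent none."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 5 + 4 + 2 + 32                                   # record hdr, hs hdr, version, random
    p += 1 + record[p]                                   # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]     # cipher suites
    p += 1 + record[p]                                   # compression methods
    if p >= len(record):                                 # extensions block is optional
        return None
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                                   # server_name extension
            nlen = struct.unpack("!H", record[p + 3:p + 5])[0]   # skip list len + name type
            return record[p + 5:p + 5 + nlen].decode("ascii")
        p += elen
    return None

def select_cert(record):
    """Pick the cert whose name matches the SNI; unknown or blank SNI gets the default."""
    sni = extract_sni(record)
    return CERTS.get(sni, DEFAULT_CERT) if sni else DEFAULT_CERT
```

An unknown name (say www.google.com) gets the default cert, whose subject will not match, so the client's certificate verification fails exactly as described further down the thread.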
So this isn't possible without a proxy? You couldn't use SNI, let's say, on a Node server alone?
Of course, if that web server supports SNI; Caddy and nginx come to mind.
For ESNI, how is the public key of the target domain encrypted when it is sent to the server?
The public key is encrypted as part of the DoH connection between the client and the DNS resolver.
Hey ..nice stuff..
I wanna ask..
Can you instruct HAProxy to accept any random SNI?
Hmm, you can with scripts, assuming you have the certificates for each domain requested
@hnasr
Ok..
Let's say I have my.website.com hosted and running fine with a certificate generated... and in HAProxy I set the host name to, let's say, www.google.com... and make sure the client hello will have www.google.com in the host header..
Will the TLS connection be established????
Hope you understand what I mean..
The TLS will fail on the client because the certificate verification will fail, since my.website is not google.com ..
The TLS can be successful if the client decides to ignore certificate verification, for example `curl --insecure` or in browsers clicking "I understand the risk"
@hnasr
Wooow..
Thanks .
You just made it clear to me..
What is the difference between just using NodeJS vs using HAProxy (I don't know what HAProxy is)?
Think of HAProxy as a load balancer that receives requests and forwards them to backend servers
at 1.5x speed, this presentation is pretty HekTik
Can I create a smart DNS proxy with this method?
Where are you from, Hussein?
Where are you from, Hussein?
Hi you forgot to reference the videos in this....
Natesh M Bhat thanks for letting me know! Do you know the timestamp? It would make it easier for me 😊
How can I configure this on an Android phone?
This is a pure backend concept, nothing to do on the client except providing the SNI parameter, which most SSL libraries do
Thanks for the reply, can you make a detailed tutorial on how to correctly configure httpinjector ehi files on Android phones to bypass the ISP for free net?
How can I make an SNI account or sign up on SNI?
safder karim There is no account for SNI. You can just create multiple domains and use the proxy to configure it, as I explained in the video
How can I capture an Android app's SNI?
Hey, this is a video explaining what SNI is and it is not a video about finding SNI -_-
Damn, I didn't understand a thing hahahahaha
27:00