Add SNI filtering #34
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
any updates on this from code owners? |
|
👋 |
jon-signal
requested changes
Aug 9, 2024
There was a problem hiding this comment.
Hello, and thank you for the contribution!
I think this is a laudable goal, but I think the execution needs some adjustment. In particular, it seems like this approach requires end users to modify the init-certificate.sh script, which would in turn then permanently modify the nginx.conf file for nginx-terminate.
I'd suggest two improvements:
- In
init-certificate.sh, can we reuse thedomainsthat the user has already entered when generating the certificate? - Rather than modifying a core config file, could we create a separate, "disposable" config file that
nginx.confwould theninclude? That would mean that subsequent runs ofinit-certificate.shwould overwrite stale domain names as needed.
It's also worth noting that init-certificate.sh supports multiple domain names, and we should make sure we're allowing for multiple domains in the nginx configuration files.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
These changes will allow for filtering off traffic if SNI does not match specified domain. This will allow for improved anonymity of Signal-TLS-Proxy by preventing IP scanners from discovering cert/tls information.