Setting up a TCP-SNI proxy that dynamically forwards SSL traffic to any hostname that the SNI might contain

I'm first going to summarize my goal:

I'll set up a DNS server and configure my smart TV to use it. I'll set the DNS server up so that requests to specific DNS zones will not actually be resolved; rather, the DNS server will return the IP of my proxy server. The proxy server needs to accept any HTTPS request, inspect the SNI, and forward the request to the corresponding host. I cannot statically configure the hosts to which the proxy shall pass the incoming requests, as those hostnames are being "randomly" (= outside of my control) generated in a specific DNS zone.

So far I've looked into nginx's ngx_stream_ssl_preread_module, as well as into HAProxy. I have not yet found a way to make them proxy pass the traffic to $requesthostname; it seems like you always need to specify backends to which you pass the traffic.

While inspecting HTTPS traffic on my local machine using mitmproxy, I realized that it behaves as I desire, in that it forwards all HTTPS requests to the corresponding hostnames. However, as I cannot install mitmproxy's CA certificate on my smart TV, I cannot use it for this purpose.

Does anybody know a proxy software that serves my purpose, or a way to configure one of the proxy servers I mentioned so that it behaves in such a manner?

Help is greatly appreciated, thanks in advance.

Author: Max Luchterhand
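The core of what the question asks for is the step that ngx_stream_ssl_preread_module performs internally: read the first TLS record from the client, pull the host_name out of the ClientHello's SNI extension, and only then decide where to connect. The following is an added example, not code from the original post or from nginx, HAProxy or mitmproxy. It builds a constructed ClientHello as sample input (`build_client_hello`), parses the SNI from raw bytes (`parse_sni`), and wraps both in a small asyncio forwarder (`run_proxy`) that relays to port 443 of whatever name the SNI carries. The `allowed_suffixes` parameter and the `example.net` default are assumptions for illustration; the question's redirected zone would go there.

```python
import asyncio
import struct

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello carrying an SNI extension.
    This is sample input for parse_sni below, not a real capture."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry         # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + b"\x11" * 32                           # random (constructed filler)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_sni(data: bytes):
    """Return the host_name from the SNI extension of a TLS ClientHello,
    or None if the bytes are not a complete ClientHello or carry no SNI."""
    try:
        if data[0] != 0x16:                      # record content type must be handshake
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != 0x01:   # truncated record, or not a ClientHello
            return None
        pos = 4 + 2 + 32                         # handshake header, version, random
        sid_len = hs[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = hs[pos]; pos += 1 + cm_len
        if pos + 2 > len(hs):
            return None                          # no extensions block at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            if etype == 0x0000:
                p = pos + 2                      # skip ServerNameList length
                while p + 3 <= pos + elen:
                    ntype = hs[p]
                    nlen = struct.unpack("!H", hs[p + 1:p + 3])[0]
                    if p + 3 + nlen > len(hs):
                        return None
                    if ntype == 0:
                        return hs[p + 3:p + 3 + nlen].decode("ascii")
                    p += 3 + nlen
                return None
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def host_allowed(host: str, allowed_suffixes) -> bool:
    """Relay only to names inside the zones we deliberately redirect, so the
    listener cannot be used as an open relay to arbitrary hosts."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in allowed_suffixes)

async def _pipe(reader, writer):
    try:
        while True:
            chunk = await reader.read(65536)
            if not chunk:
                break
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()

async def handle_client(client_reader, client_writer, allowed_suffixes):
    # The SNI sits in the very first bytes the client sends, before any TLS
    # key exchange, so it can be read without terminating TLS.
    first = await client_reader.read(16384)
    host = parse_sni(first)
    if host is None or not host_allowed(host, allowed_suffixes):
        client_writer.close()
        return
    up_reader, up_writer = await asyncio.open_connection(host, 443)
    up_writer.write(first)                       # replay the ClientHello unchanged
    await up_writer.drain()
    await asyncio.gather(_pipe(client_reader, up_writer), _pipe(up_reader, client_writer))

async def run_proxy(listen_host="0.0.0.0", listen_port=443, allowed_suffixes=("example.net",)):
    server = await asyncio.start_server(
        lambda r, w: handle_client(r, w, allowed_suffixes), listen_host, listen_port)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(run_proxy())
```

Two practical points the snippet glosses over: a single `read()` may return less than the whole ClientHello, so a production forwarder should buffer until the record length announced in bytes 3 and 4 has arrived; and the box running the proxy must resolve the upstream name through a normal resolver, not through the DNS server that rewrites the zone, or `open_connection` will loop straight back to the proxy itself.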