[GH-ISSUE #255] [Question] Is it possible to put Cloak behind some l4 proxy? #206

Open
opened 2026-02-26 12:34:16 +03:00 by kerem · 2 comments

Originally created by @Unb0rn on GitHub (Mar 9, 2024).
Original GitHub issue: https://github.com/cbeuw/Cloak/issues/255

I wonder if it's possible to share the outbound 443 port with other services by using something like an L4 proxy with SNI (let's say HAProxy)? Does Cloak respect `proxy-protocol` headers? I think neither the config files nor the issues have any info on it.


@archer-v commented on GitHub (Aug 13, 2024):

It works correctly with haproxy if it's configured as tcp-proxy (not https proxy)

Example of haproxy configuration:

```
frontend https_in
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    # Traffic forwarding to the backend depending on the SNI
    use_backend server1 if { req_ssl_sni -i example1.com }
    use_backend server2 if { req_ssl_sni -i example2.com }

    # default backend if SNI doesn't match anyone
    default_backend cloak

backend server1
    mode tcp
    server server1 localhost:445 check

backend server2
    mode tcp
    server server2 localhost:446 check

backend cloak
    mode tcp
    server cloak localhost:444 check
```

There is no need for any special configuration of Cloak; just bind it to any other port, for example 444.


@nordeep commented on GitHub (Aug 30, 2024):

@archer-v Thank you for sharing the configuration! Unfortunately, in this configuration, for me, Cloak doesn't redirect to `RedirAddr`. I couldn't find a solution. It seems the SNI is parsed by HAProxy and it won't send it to Cloak.
