SNI-SHUNT(1) General Commands Manual SNI-SHUNT(1)

NAME
sni-shunt - dispatch a TLS request according to its ServerName

SYNOPSIS
sni-shunt [-e ENV=/path/%/file.pem] cmd [arg ...]

DESCRIPTION
The sni-shunt utility expects an open TCP socket on standard input and reads the beginning of the stream without consuming it. It then scans the TLS Client Hello for the ServerName extension, exports environment variables if one is found, and always executes into the rest of its arguments, cmd [arg ...].
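The parsing step described above, as an added example in Python rather than the utility's own code: it walks the record layer, the ClientHello body and the extension list with bounds checks, returns the host_name from a server_name extension, and refuses names that are not plain hostnames, since the name ends up substituted into a file path. The ClientHello builder is a constructed sample input, not captured traffic.

```python
import struct

class _Cursor:  # bounds-checked reader over the peeked bytes; raises ValueError when truncated
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def uint(self, n):
        return int.from_bytes(self.take(n), "big")

def is_plain_hostname(name):  # name may be substituted into a path (-e ENV=/path/%/file.pem)
    return bool(name) and name.replace("-", "").replace(".", "").isalnum() and ".." not in name

def parse_sni(buf):
    """Return host_name from a TLS ClientHello, or None if absent, malformed, or not a plain hostname."""
    try:
        c = _Cursor(buf)
        if c.take(3)[0] != 0x16: return None       # record type must be handshake (22); skip version
        rec = _Cursor(c.take(c.uint(2)))
        if rec.uint(1) != 0x01: return None        # handshake type must be client_hello (1)
        hello = _Cursor(rec.take(rec.uint(3)))
        hello.take(2 + 32)                         # client_version + random
        hello.take(hello.uint(1))                  # session_id
        hello.take(hello.uint(2))                  # cipher_suites
        hello.take(hello.uint(1))                  # compression_methods
        exts = _Cursor(hello.take(hello.uint(2)))
        while exts.pos < len(exts.data):
            ext_type = exts.uint(2)
            ext = _Cursor(exts.take(exts.uint(2)))
            if ext_type != 0: continue             # 0 = server_name
            names = _Cursor(ext.take(ext.uint(2)))
            while names.pos < len(names.data):
                name_type, name = names.uint(1), names.take(names.uint(2)).decode("ascii")
                if name_type == 0 and is_plain_hostname(name):
                    return name
        return None
    except (ValueError, UnicodeDecodeError):
        return None

def build_client_hello(host):  # constructed sample input: supported_groups ext, then server_name ext
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    exts = struct.pack("!HH", 0x000A, 4) + b"\x00\x02\x00\x1d" + sni
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00" + struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A truncated peek (the handshake not yet fully received) yields None rather than a partial name, so the caller can retry the peek or fall back to the default command.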

ENVIRONMENT
The LOG environment variable controls the logging verbosity, from 4 (debug) to 1 (fatal errors).

In addition to the environment variables defined by -e, sni-shunt sets the SERVER_sni-shunt variable if an SNI extension was found.

EXIT STATUS
The sni-shunt utility exits 0 on success, and >0 if an error occurs.

EXAMPLES
$ s6-tcpserver 127.0.0.1 443 sni-shunt s6-tlsd env ROOT=/srv/www httpfile-httpd

SEE ALSO
calico(1), https://git.causal.agency/pounce/about/calico.1
sendmsg(1), in particular MSG_PEEK
s6-tcpserver(8), s6-tlsd(8), https://skarnet.org/software/s6-networking/
UCSPI, https://cr.yp.to/proto/ucspi.txt

HISTORY
sni-shunt is heavily inspired by calico(1).

AUTHORS
Josuah Demangeon <me@josuah.net>

CAVEATS
The TLS handling does not make use of a complete TLS library, so a change to the TLS Client Hello message format also requires an update to this program.

May 31, 2020 OpenBSD 6.9