README
¶
SNI Proxy
A high-performance SNI (Server Name Indication) proxy with DNS server capabilities, written in Go. This proxy supports multiple protocols including DNS over UDP/TCP/TLS/QUIC, HTTP/HTTPS proxying, and includes advanced ACL (Access Control List) features.
Features
-
Multi-Protocol DNS Support
- DNS over UDP (Port 53)
- DNS over TCP (Port 53)
- DNS over TLS - DoT (Port 853)
- DNS over QUIC - DoQ (Port 8853)
- DNS over HTTPS - DoH (Configurable SNI)
-
HTTP/HTTPS Proxy
- HTTPS: SNI-based proxying (Port 443)
- HTTP: Internal Proxy (Port 8080)
- Security: Port 80 is blocked/redirected to prevent misuse.
-
Access Control Lists (ACL)
- GeoIP-based filtering
- Domain-based filtering
- CIDR/IP-based filtering
- FQDN override rules
-
Monitoring
- Grafana: Visual Dashboard (Port 3000)
- Prometheus: Metrics collection (Internal Port 9090)
- Detailed logging
-
Security
- Non-Root User: Runs as unprivileged user
10001inside container. - Local Certificates: No dependency on host
/etc/letsencrypt.
- Non-Root User: Runs as unprivileged user
Quick Start with Docker Compose
-
Prepare Certificates Create a
certs/directory and place yourfullchain.pemandprivkey.pemthere. Ensure permissions are correct for the non-root user:mkdir -p certs # ... generate or copy certs ... chmod 644 certs/privkey.pem -
Deploy
docker compose up -d --build
Port Mappings
| Host Port | Container Port | Protocol | Description |
|---|---|---|---|
| 53 | 53 | UDP | DNS over UDP |
| 53 | 53 | TCP | DNS over TCP |
| 853 | 853 | TCP | DNS over TLS (DoT) |
| 8853 | 8853 | UDP | DNS over QUIC (DoQ) |
| 443 | 443 | TCP | HTTPS Proxy |
| 3000 | 3000 | TCP | Grafana Dashboard (Default: admin/admin) |
| - | 8080 | TCP | Internal HTTP Proxy |
| - | 9090 | TCP | Internal Prometheus Metrics |
Volume Mounts
./config.yaml→/etc/sniproxy/config.yaml./domains.csv→/app/domains.csv./certs→/app/certs
Building from Source
Prerequisites
- Go 1.26 or later
Build
go build -o sniproxy ./cmd/sniproxy
Run
./sniproxy
Configuration
The application uses config.yaml. By default, it looks for config.yaml in the same directory.
Key Configuration Options
general:
upstream_dns: tcp://1.1.1.1:53
bind_dns_over_udp: "0.0.0.0:53"
bind_dns_over_tcp: "0.0.0.0:53"
bind_dns_over_tls: "0.0.0.0:853"
bind_dns_over_quic: "0.0.0.0:8853"
bind_http: "0.0.0.0:8080"
bind_https: "0.0.0.0:443"
bind_prometheus: "0.0.0.0:9090"
# Use local certs
tls_cert: /app/certs/fullchain.pem
tls_key: /app/certs/privkey.pem
log_level: info
acl:
domain:
enabled: true
path: /app/domains.csv
refresh_interval: 1h0m0s
DNS over HTTPS (DoH)
DoH is available via acl.override with doh_sni configured:
acl:
override:
enabled: true
doh_sni: "dns.imzami.com"
Access DoH at: https://dns.imzami.com/dns-query
Security Considerations
- Grafana: Change the default
admin/adminpassword athttp://localhost:3000. - Certificates: Ensure
certs/privkey.pemhas644permissions so the container user can read it. - ACL: Enable
acl.domainto strictly control allowed domains.
License
See LICENSE file for details.
Contributing
Contributions are welcome! Please feel free to submit pull requests or open issues.
Support
For issues, questions, or contributions, please visit the project repository.
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
bench
command
|
|
|
sniproxy
command
sniproxy's main CLI entrpoint.
|
sniproxy's main CLI entrpoint. |
|
Package sniproxy is a simple SNI proxy server that allows you to serve multiple SSL-enabled websites from a single IP address.
|
Package sniproxy is a simple SNI proxy server that allows you to serve multiple SSL-enabled websites from a single IP address. |
|
acl
Package acl contains the logic for Access Control Lists.
|
Package acl contains the logic for Access Control Lists. |
|
doh
Package doh contains the logic for DNS over HTTPS.
|
Package doh contains the logic for DNS over HTTPS. |