
fix(proxy): use SNI for MITM certs, unify DB path across CLI and server#1

Merged
nnemirovsky merged 1 commit into main from fix/db-path-and-sni-cert
Apr 7, 2026

Conversation

@nnemirovsky
Owner

Summary

  • MITM certificates now use TLS SNI hostname instead of CONNECT target IP. Fixes ERR_TLS_CERT_ALTNAME_INVALID when Node.js clients (OpenClaw) connect through tun2proxy.
  • Unified DB path (data/sluice.db) across Dockerfile CMD and CLI defaults. Added sluice-data volume to compose files for persistence.

Two fixes:

1. MITM certificates now use the hostname from TLS SNI instead of
   the CONNECT target IP. tun2proxy sends IP-only CONNECT requests,
   causing goproxy to generate certs with IP SANs that fail Node.js
   hostname validation (ERR_TLS_CERT_ALTNAME_INVALID). The new
   sniAwareTLSConfig uses GetConfigForClient to read the SNI from
   the ClientHello and regenerate the cert with the correct hostname.

2. Dockerfile CMD used -db /home/sluice/.sluice/sluice.db but CLI
   defaulted to sluice.db (CWD). Proxy and CLI were reading different
   databases. Both now use data/sluice.db with a dedicated sluice-data
   volume for persistence across container restarts.
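The SNI fix described in the PR body, as an added worked example that is not the project's own code and not goproxy's: a hypothetical in-memory MITM CA (newCA), a leaf minter that emits an IP SAN for an IP literal and a DNS SAN otherwise (leafFor), and a tls.Config whose GetConfigForClient reads ClientHello.ServerName and only falls back to the CONNECT target when no SNI was sent. The function is named sniAwareTLSConfig after the PR, but its signature, the helper names, the CA and the sample target 203.0.113.5 are assumptions of this example. verifyAs runs the same chain-plus-hostname check a Node.js or Go client performs, so the pre-fix failure (an IP-SAN certificate presented to a client that dialed a hostname) can be reproduced offline without a network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// sign issues a certificate for cn with a fresh P-256 key; fill sets the fields that differ between CA and leaf, parent == nil means self-signed.
func sign(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey,
	fill func(*x509.Certificate)) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	fill(tmpl)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA makes a throwaway in-memory signing CA (hypothetical; a real proxy loads a CA the client already trusts).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return sign("example MITM CA", nil, nil, func(t *x509.Certificate) {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	})
}

// leafFor mints a leaf whose SAN is what the client validates: an IP SAN for an IP literal (bare CONNECT target), a DNS SAN for a hostname.
func leafFor(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*tls.Certificate, error) {
	leaf, key, err := sign(host, caCert, caKey, func(t *x509.Certificate) {
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		if ip := net.ParseIP(host); ip != nil {
			t.IPAddresses = []net.IP{ip}
		} else {
			t.DNSNames = []string{host}
		}
	})
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{leaf.Raw, caCert.Raw}, PrivateKey: key, Leaf: leaf}, nil
}

// sniAwareTLSConfig selects the certificate per connection from the ClientHello SNI and falls back to the CONNECT target only when no SNI was sent.
func sniAwareTLSConfig(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, connectTarget string) *tls.Config {
	return &tls.Config{
		GetConfigForClient: func(chi *tls.ClientHelloInfo) (*tls.Config, error) {
			host := chi.ServerName
			if host == "" {
				host = connectTarget
			}
			leaf, err := leafFor(caCert, caKey, host)
			if err != nil {
				return nil, err
			}
			return &tls.Config{Certificates: []tls.Certificate{*leaf}}, nil
		},
	}
}

// verifyAs runs the chain-and-hostname check a TLS client performs against the name it dialed (the check behind ERR_TLS_CERT_ALTNAME_INVALID).
func verifyAs(c *tls.Certificate, caCert *x509.Certificate, hostname string) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}

func main() {
	caCert, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	cfg := sniAwareTLSConfig(caCert, caKey, "203.0.113.5") // as if tun2proxy sent CONNECT 203.0.113.5:443
	for _, sni := range []string{"api.example.com", ""} {
		per, _ := cfg.GetConfigForClient(&tls.ClientHelloInfo{ServerName: sni})
		c := per.Certificates[0]
		fmt.Printf("SNI %q -> dns=%v ip=%v valid for api.example.com: %v\n", sni, c.Leaf.DNSNames, c.Leaf.IPAddresses, verifyAs(&c, caCert, "api.example.com") == nil)
	}
}
```

With SNI "api.example.com" the leaf carries a DNS SAN and passes hostname validation; with no SNI the fallback leaf carries only the IP SAN and fails validation against the hostname, which is the pre-fix symptom. Two caveats a production proxy should add: cache leaves per hostname instead of minting one per handshake, and treat the SNI as client-supplied input that is fine for choosing a certificate but should not silently replace the CONNECT target for policy decisions or upstream dialing without checking that the two agree.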
@nnemirovsky nnemirovsky merged commit ad800e3 into main Apr 7, 2026
6 checks passed
@nnemirovsky nnemirovsky deleted the fix/db-path-and-sni-cert branch April 7, 2026 12:36