author | Matt Holt <mholt@users.noreply.github.com> | 2023-05-10 14:29:29 -0600 |
committer | GitHub <noreply@github.com> | 2023-05-10 14:29:29 -0600 |
commit | faf0399e80391ba5229321e2ee7d05262e4cc531 (patch) | |
tree | 49cea70c7566bfa77314f88df3eed6e21d1f0b15 /modules | |
parent | 808b05c3b47dc82d7e13fccee00a67c45a072a23 (diff) |
caddytls: Configurable fallback SNI (#5527)
* Initial implementation of fallback_sni
* Apply upstream patch
Diffstat (limited to 'modules')
-rw-r--r-- | modules/caddytls/connpolicy.go | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index bce69bc..46a8eda 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -159,6 +159,18 @@ type ConnectionPolicy struct {
 	// is no policy configured for the empty SNI value.
 	DefaultSNI string `json:"default_sni,omitempty"`
 
+	// FallbackSNI becomes the ServerName in a ClientHello if
+	// the original ServerName doesn't match any certificates
+	// in the cache. The use cases for this are very niche;
+	// typically if a client is a CDN and passes through the
+	// ServerName of the downstream handshake but can accept
+	// a certificate with the origin's hostname instead, then
+	// you would set this to your origin's hostname. Note that
+	// Caddy must be managing a certificate for this name.
+	//
+	// This feature is EXPERIMENTAL and subject to change or removal.
+	FallbackSNI string `json:"fallback_sni,omitempty"`
+
 	// Also known as "SSLKEYLOGFILE", TLS secrets will be written to
 	// this file in NSS key log format which can then be parsed by
 	// Wireshark and other tools. This is INSECURE as it allows other
@@ -216,6 +228,7 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
 			cfg.CertSelection = p.CertSelection
 		}
 		cfg.DefaultServerName = p.DefaultSNI
+		cfg.FallbackServerName = p.FallbackSNI
 		return cfg.GetCertificate(hello)
 	},
 	MinVersion: tls.VersionTLS12, |
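Review bot: The new field's doc comment states that Caddy must be managing a certificate for FallbackSNI, but the second hunk only copies the value into `cfg.FallbackServerName` at handshake time and nothing in this change validates it, so a misspelled or unmanaged name is never reported at config load and only surfaces as handshake failures for clients whose original ServerName missed the cache. Since the fallback deliberately serves a certificate whose name differs from the one the client asked for, the comment should also say that this only helps clients that accept a certificate for the origin name, and that a hostname here is applied to every connection matched by this policy; a sentence such as `// Misconfiguration is not detected at load time: if no certificate for this name is managed, handshakes that rely on the fallback will fail.` would make that explicit. It would be worth confirming whether the provisioning code for ConnectionPolicy (outside this hunk) could check the value against the managed names, and whether the name needs the same normalization (for example lowercasing) that the rest of the certificate cache lookup applies — I cannot tell from these lines. The enclosing GetCertificate closure in buildStandardTLSConfig starts and ends outside the hunk.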