authorMatt Holt <mholt@users.noreply.github.com>2023-05-10 14:29:29 -0600
committerGitHub <noreply@github.com>2023-05-10 14:29:29 -0600
commitfaf0399e80391ba5229321e2ee7d05262e4cc531 (patch)
tree49cea70c7566bfa77314f88df3eed6e21d1f0b15 /modules
parent808b05c3b47dc82d7e13fccee00a67c45a072a23 (diff)
caddytls: Configurable fallback SNI (#5527)
* Initial implementation of fallback_sni * Apply upstream patch
Diffstat (limited to 'modules')
-rw-r--r--modules/caddytls/connpolicy.go13
1 files changed, 13 insertions, 0 deletions
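diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index bce69bc..46a8eda 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -159,6 +159,18 @@ type ConnectionPolicy struct {
 // is no policy configured for the empty SNI value.
 DefaultSNI string `json:"default_sni,omitempty"`
+// FallbackSNI becomes the ServerName in a ClientHello if
+// the original ServerName doesn't match any certificates
+// in the cache. The use cases for this are very niche;
+// typically if a client is a CDN and passes through the
+// ServerName of the downstream handshake but can accept
+// a certificate with the origin's hostname instead, then
+// you would set this to your origin's hostname. Note that
+// Caddy must be managing a certificate for this name.
+//
+// This feature is EXPERIMENTAL and subject to change or removal.
+FallbackSNI string `json:"fallback_sni,omitempty"`
+
 // Also known as "SSLKEYLOGFILE", TLS secrets will be written to
 // this file in NSS key log format which can then be parsed by
 // Wireshark and other tools. This is INSECURE as it allows other
@@ -216,6 +228,7 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
 cfg.CertSelection = p.CertSelection
 }
 cfg.DefaultServerName = p.DefaultSNI
+cfg.FallbackServerName = p.FallbackSNI
 return cfg.GetCertificate(hello)
 },
 MinVersion: tls.VersionTLS12,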
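Review bot: `cfg.FallbackServerName = p.FallbackSNI` is assigned inside the per-handshake GetCertificate closure, mirroring the existing DefaultServerName line, so the certmagic config is rewritten on every ClientHello instead of once when the policy is built; if that cfg is shared across connections this is a repeated concurrent write of a constant value, benign in effect but worth hoisting out of the callback together with DefaultServerName. The value is also passed through without normalization, so a mixed-case or trailing-dot `fallback_sni` may never match the cache if certmagic compares names exactly; lowercasing and validating it at provisioning time would make the "Caddy must be managing a certificate for this name" requirement fail early rather than silently at handshake time. In the first hunk, the doc comment says the fallback "becomes the ServerName in a ClientHello", but the server cannot alter the client's hello, it only substitutes the name used for certificate lookup, so I would phrase it `// FallbackSNI is used in place of the ClientHello's ServerName when selecting a certificate, if the original ServerName matches no certificate in the cache.` and state that it applies to every unrecognized ServerName, meaning such clients receive a certificate for a different name and will fail hostname verification unless they accept it, as in the CDN case. buildStandardTLSConfig starts and ends outside the hunk.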