-rw-r--r--modules/caddytls/connpolicy.go13
1 files changed, 13 insertions, 0 deletions
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index bce69bc..46a8eda 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -159,6 +159,18 @@ type ConnectionPolicy struct {
// is no policy configured for the empty SNI value.
DefaultSNI string `json:"default_sni,omitempty"`
+ // FallbackSNI becomes the ServerName in a ClientHello if
+ // the original ServerName doesn't match any certificates
+ // in the cache. The use cases for this are very niche;
+ // typically if a client is a CDN and passes through the
+ // ServerName of the downstream handshake but can accept
+ // a certificate with the origin's hostname instead, then
+ // you would set this to your origin's hostname. Note that
+ // Caddy must be managing a certificate for this name.
+ //
+ // This feature is EXPERIMENTAL and subject to change or removal.
+ FallbackSNI string `json:"fallback_sni,omitempty"`
+
// Also known as "SSLKEYLOGFILE", TLS secrets will be written to
// this file in NSS key log format which can then be parsed by
// Wireshark and other tools. This is INSECURE as it allows other
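Review bot: The FallbackSNI comment should spell out the consequence for clients whose ServerName matches nothing: every such handshake, including a probe sent with an arbitrary hostname, is answered with the certificate for FallbackSNI, so that hostname is disclosed to anyone who connects to this listener. Proposed addition after the "Caddy must be managing a certificate for this name." sentence: `// Any client whose ServerName matches no cached certificate is served the FallbackSNI certificate, which reveals that hostname to arbitrary connecting clients.` The comment also states a precondition (a managed certificate for this name) that nothing in this diff enforces; if provisioning does not validate it, a typo here only surfaces as handshake-time failures. The ConnectionPolicy struct continues outside the hunk.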
@@ -216,6 +228,7 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
cfg.CertSelection = p.CertSelection
}
cfg.DefaultServerName = p.DefaultSNI
+ cfg.FallbackServerName = p.FallbackSNI
return cfg.GetCertificate(hello)
},
MinVersion: tls.VersionTLS12,
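Review bot: `cfg.FallbackServerName = p.FallbackSNI` is assigned inside the GetCertificate closure on every handshake, mirroring the existing DefaultServerName line, but nothing visible checks the value before the first connection arrives. If ConnectionPolicy has a provisioning or validation step elsewhere, consider rejecting a FallbackSNI that is not a plausible hostname or that merely repeats DefaultSNI, so a misconfiguration is reported at config load rather than as per-connection certificate lookup failures. I cannot see from this hunk whether the cfg certificate lookup normalizes case; if it does not, a mixed-case FallbackSNI would silently miss the cache, which is worth a test. buildStandardTLSConfig starts outside the hunk.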