Add proxy-ssl-server-name to enable passing SNI

2020-05-30 23:35:20 +08:00 · 2020-05-30 23:35:20 +08:00 · c0629e92c2
commit c0629e92c2
parent baa2b2cd33
5 changed files with 52 additions and 18 deletions
--- a/internal/ingress/annotations/proxyssl/main.go
+++ b/internal/ingress/annotations/proxyssl/main.go
@ -34,6 +34,7 @@ const (
 	defaultProxySSLProtocols   = "TLSv1 TLSv1.1 TLSv1.2"
 	defaultProxySSLVerify      = "off"
 	defaultProxySSLVerifyDepth = 1
+	defaultProxySSLServerName  = "off"
 )

 var (
@ -45,11 +46,12 @@ var (
 // and the configured VerifyDepth
 type Config struct {
 	resolver.AuthSSLCert
-	Ciphers      string `json:"ciphers"`
-	Protocols    string `json:"protocols"`
-	ProxySSLName string `json:"proxySSLName"`
-	Verify       string `json:"verify"`
-	VerifyDepth  int    `json:"verifyDepth"`
+	Ciphers            string `json:"ciphers"`
+	Protocols          string `json:"protocols"`
+	ProxySSLName       string `json:"proxySSLName"`
+	Verify             string `json:"verify"`
+	VerifyDepth        int    `json:"verifyDepth"`
+	ProxySSLServerName string `json:"proxySSLServerName"`
 }

 // Equal tests for equality between two Config types
@ -75,6 +77,9 @@ func (pssl1 *Config) Equal(pssl2 *Config) bool {
 	if pssl1.VerifyDepth != pssl2.VerifyDepth {
 		return false
 	}
+	if pssl1.ProxySSLServerName != pssl2.ProxySSLServerName {
+		return false
+	}
 	return true
 }

@ -159,5 +164,10 @@ func (p proxySSL) Parse(ing *networking.Ingress) (interface{}, error) {
 		config.VerifyDepth = defaultProxySSLVerifyDepth
 	}

+	config.ProxySSLServerName, err = parser.GetStringAnnotation("proxy-ssl-server-name", ing)
+	if err != nil || !proxySSLOnOffRegex.MatchString(config.ProxySSLServerName) {
+		config.ProxySSLServerName = defaultProxySSLServerName
+	}
+
 	return config, nil
 }
--- a/internal/ingress/annotations/proxyssl/main_test.go
+++ b/internal/ingress/annotations/proxyssl/main_test.go
@ -90,7 +90,7 @@ func TestAnnotations(t *testing.T) {
 	data[parser.GetAnnotationWithPrefix("proxy-ssl-ciphers")] = "HIGH:-SHA"
 	data[parser.GetAnnotationWithPrefix("proxy-ssl-name")] = "$host"
 	data[parser.GetAnnotationWithPrefix("proxy-ssl-protocols")] = "TLSv1.3 SSLv2 TLSv1   TLSv1.2"
-	data[parser.GetAnnotationWithPrefix("proxy-ssl-server-name")] = "off"
+	data[parser.GetAnnotationWithPrefix("proxy-ssl-server-name")] = "on"
 	data[parser.GetAnnotationWithPrefix("proxy-ssl-session-reuse")] = "off"
 	data[parser.GetAnnotationWithPrefix("proxy-ssl-verify")] = "on"
 	data[parser.GetAnnotationWithPrefix("proxy-ssl-verify-depth")] = "3"
@ -131,6 +131,9 @@ func TestAnnotations(t *testing.T) {
 	if u.ProxySSLName != "$host" {
 		t.Errorf("expected %v but got %v", "$host", u.ProxySSLName)
 	}
+	if u.ProxySSLServerName != "on" {
+		t.Errorf("expected %v but got %v", "on", u.ProxySSLServerName)
+	}

 }

@ -188,6 +191,9 @@ func TestInvalidAnnotations(t *testing.T) {
 	if u.VerifyDepth != defaultProxySSLVerifyDepth {
 		t.Errorf("expected %v but got %v", defaultProxySSLVerifyDepth, u.VerifyDepth)
 	}
+	if u.ProxySSLServerName != defaultProxySSLServerName {
+		t.Errorf("expected %v but got %v", defaultProxySSLServerName, u.ProxySSLServerName)
+	}
 }

 func TestEquals(t *testing.T) {
@ -261,6 +267,15 @@ func TestEquals(t *testing.T) {
 	}
 	cfg2.VerifyDepth = 1

+	// Different ProxySSLServerName
+	cfg1.ProxySSLServerName = "off"
+	cfg2.ProxySSLServerName = "on"
+	result = cfg1.Equal(cfg2)
+	if result != false {
+		t.Errorf("Expected false")
+	}
+	cfg2.ProxySSLServerName = "off"
+
 	// Equal Configs
 	result = cfg1.Equal(cfg2)
 	if result != true {