Add proxy-ssl-server-name to enable passing SNI

2020-05-30 23:35:20 +08:00 · 2020-05-30 23:35:20 +08:00 · c0629e92c2
commit c0629e92c2
parent baa2b2cd33
5 changed files with 52 additions and 18 deletions
--- a/internal/ingress/annotations/proxyssl/main.go
+++ b/internal/ingress/annotations/proxyssl/main.go
@ -34,6 +34,7 @@ const (
 	defaultProxySSLProtocols   = "TLSv1 TLSv1.1 TLSv1.2"
 	defaultProxySSLVerify      = "off"
 	defaultProxySSLVerifyDepth = 1
+	defaultProxySSLServerName  = "off"
 )

 var (
@ -45,11 +46,12 @@ var (
 // and the configured VerifyDepth
 type Config struct {
 	resolver.AuthSSLCert
-	Ciphers      string `json:"ciphers"`
-	Protocols    string `json:"protocols"`
-	ProxySSLName string `json:"proxySSLName"`
-	Verify       string `json:"verify"`
-	VerifyDepth  int    `json:"verifyDepth"`
+	Ciphers            string `json:"ciphers"`
+	Protocols          string `json:"protocols"`
+	ProxySSLName       string `json:"proxySSLName"`
+	Verify             string `json:"verify"`
+	VerifyDepth        int    `json:"verifyDepth"`
+	ProxySSLServerName string `json:"proxySSLServerName"`
 }

 // Equal tests for equality between two Config types
@ -75,6 +77,9 @@ func (pssl1 *Config) Equal(pssl2 *Config) bool {
 	if pssl1.VerifyDepth != pssl2.VerifyDepth {
 		return false
 	}
+	if pssl1.ProxySSLServerName != pssl2.ProxySSLServerName {
+		return false
+	}
 	return true
 }

@ -159,5 +164,10 @@ func (p proxySSL) Parse(ing *networking.Ingress) (interface{}, error) {
 		config.VerifyDepth = defaultProxySSLVerifyDepth
 	}

+	config.ProxySSLServerName, err = parser.GetStringAnnotation("proxy-ssl-server-name", ing)
+	if err != nil || !proxySSLOnOffRegex.MatchString(config.ProxySSLServerName) {
+		config.ProxySSLServerName = defaultProxySSLServerName
+	}
+
 	return config, nil
 }