envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

How to detect if server_name is populated for TLS transport protocol #37256

Closed deveshkandpal1224 closed 1 day ago

deveshkandpal1224 commented 2 days ago

Title: How to detect if server_name is populated for TLS transport protocol

Description:

When defining filter chain matches for a listener, is there a way to know specifically, for transport_protocol: tls, whether server_name is empty or not?

What I'm trying to do is: if server_name is populated, I want to use REQUESTED_SERVER_NAME for tunnelingConfig, else use DOWNSTREAM_LOCAL_ADDRESS.

Unfortunately there are clients that are not setting SNI, which is making this difficult to detect, and I'm wondering if anyone has ideas on how to ensure the example below gets tunneled using the IP instead of SNI (since SNI will be empty and it is still a TLS connection).

openssl s_client -connect example.com:8443 -noservername

I tried matching server_name against - but that doesn't seem to work, though the access log in the tcp_proxy filter is reporting it as -.

soulxu commented 2 days ago

cc @wbpcode

deveshkandpal1224 commented 1 day ago

The filter chain matcher API with a server_name regex match on ^.+$ to catch whether SNI is populated solves the issue. Closing this issue.
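The following is an added example, not configuration from the issue thread or from the Envoy project, showing the resolution above as a complete listener: tls_inspector populates the transport protocol and SNI, filter_chain_matcher first checks for transport protocol "tls" and then tests the server name against ^.+$, and the two tcp_proxy chains tunnel by REQUESTED_SERVER_NAME or by DOWNSTREAM_LOCAL_ADDRESS. Matching the literal - does not work because - is only how the access log renders an empty value; the matcher input for a ClientHello without SNI is the empty string. The listener name, filter chain names, the upstream_proxy cluster and its address, and the :443 target port are assumptions.

```yaml
# Added example (not the issue author's or the Envoy project's own config).
# Assumed names: tls_tunnel_listener, the two filter chains, upstream_proxy.
static_resources:
  listeners:
  - name: tls_tunnel_listener
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 8443
    listener_filters:
    # tls_inspector sets the transport protocol and the SNI (empty if absent).
    - name: envoy.filters.listener.tls_inspector
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    # With filter_chain_matcher present, filter_chain_match on the chains is not used.
    filter_chain_matcher:
      matcher_tree:
        input:
          name: transport-protocol
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.TransportProtocolInput
        exact_match_map:
          map:
            "tls":
              # Nested matcher: among TLS connections, is the SNI non-empty?
              matcher:
                matcher_list:
                  matchers:
                  - predicate:
                      single_predicate:
                        input:
                          name: server-name
                          typed_config:
                            "@type": type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.ServerNameInput
                        value_match:
                          safe_regex:
                            google_re2: {}   # engine field of the xds RegexMatcher schema
                            regex: "^.+$"    # any non-empty SNI
                    on_match:
                      action:
                        name: tunnel-by-sni
                        typed_config:
                          "@type": type.googleapis.com/google.protobuf.StringValue
                          value: tunnel-by-sni
                # TLS without SNI (e.g. openssl s_client -noservername)
                on_no_match:
                  action:
                    name: tunnel-by-ip
                    typed_config:
                      "@type": type.googleapis.com/google.protobuf.StringValue
                      value: tunnel-by-ip
      # Non-TLS connections also fall through to the IP-based chain.
      on_no_match:
        action:
          name: tunnel-by-ip
          typed_config:
            "@type": type.googleapis.com/google.protobuf.StringValue
            value: tunnel-by-ip
    filter_chains:
    - name: tunnel-by-sni
      filters:
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tunnel_by_sni
          cluster: upstream_proxy
          tunneling_config:
            # REQUESTED_SERVER_NAME carries no port; :443 is an assumed target port.
            hostname: "%REQUESTED_SERVER_NAME%:443"
    - name: tunnel-by-ip
      filters:
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tunnel_by_ip
          cluster: upstream_proxy
          tunneling_config:
            # DOWNSTREAM_LOCAL_ADDRESS already includes the port (ip:port).
            hostname: "%DOWNSTREAM_LOCAL_ADDRESS%"
  clusters:
  # Assumed HTTP/2 CONNECT-capable upstream proxy.
  - name: upstream_proxy
    type: STRICT_DNS
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options: {}
    load_assignment:
      cluster_name: upstream_proxy
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: proxy.internal.example
                port_value: 8080
```

Two points worth checking before deploying something like this. SNI is a client-supplied, unauthenticated value, and ^.+$ only tests that it is present: if the upstream proxy should only ever tunnel to a known set of hosts, narrow the regex to those names (or use an exact_match_map on ServerNameInput) rather than forwarding whatever the client sent. Second, REQUESTED_SERVER_NAME and DOWNSTREAM_LOCAL_ADDRESS differ in shape (bare hostname versus ip:port), so the two hostname strings need to be built differently, as shown, or the CONNECT target seen by the proxy will be inconsistent between the two chains.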