vaccovecrana / awe4lb

Layer 4 load balancer

Add SNI based TLS context selection #11

Open jjzazuet opened 2 weeks ago

jjzazuet commented 2 weeks ago

Currently, only one SSLContext will be selected for any open TLS port on the load balancer, i.e.:

*:443 --> *.momo.io (cert+key) --> example.momo.io

If we instead delay the selection of an SSLContext until the SNI name indication is available, we could move the certificate chain and key configuration down to the match elements in the configuration and initialize a context based on the matching SNI. We could then support things like:

*:443 |--> *.charlie.io (cert+key) --> example.charlie.io
      |--> glep.io (cert+key)
      |--> pim.io (cert+key)

A modified configuration file would look like this (each sni specifies its own cert and key):

id: test-config-00
description: Test configuration
servers:
  - id: https-txt
    addr:
      host: 0.0.0.0
      port: 443
    match:
      - and: [sni: {endsWith: charlie.io}]
        discover: {http: {endpoint: 'http://127.0.0.1:4011', format: text}}
        tls:
          certPath: ./src/test/resources/certs/charlie-io.pem
          keyPath: ./src/test/resources/certs/charlie-io.key
      - and: [sni: {equals: glep.io}]
        pool: {type: weight}
        discover:
          exec:
            command: cat
            args: [./src/test/resources/discover/sdr-hosts.txt]
            format: text
        tls:
          certPath: ./src/test/resources/certs/glep-io.pem
          keyPath: ./src/test/resources/certs/glep-io.key
    tls: {ciphers: [TLS_AES_128_GCM_SHA256]}

We'll need a minor version bump (existing configs will break), updated schemas and test cases.

Also, A4Sock will need an optional sni attribute for exact matching of incoming SNI indications from front end matchers.
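The selection step the issue describes, as an added example (not awe4lb code, and not how A4Sock or the project's matchers are implemented): peek the server_name extension out of the ClientHello without consuming it, run it through match rules shaped like the `sni: {endsWith: ...}` / `sni: {equals: ...}` entries above, and hand back the rule whose cert/key should initialize the SSLContext. The `SniRule` record, the `endsWithRule`/`equalsRule` helpers and the `clientHello` builder are assumptions introduced here; the ClientHello bytes it feeds itself are constructed test input, and loading the PEM paths into an actual SSLContext is left to whatever loader the project already has. One deliberate choice, also an assumption: `endsWith` is implemented on a label boundary, so `endsWith: charlie.io` accepts `charlie.io` and `*.charlie.io` but not `notcharlie.io`, which a plain `String.endsWith` would accept.

```java
import java.io.ByteArrayOutputStream;
import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.function.Predicate;

public class SniContextSelector {

  /** One `match` element: an SNI predicate plus the TLS material it selects (hypothetical shape). */
  record SniRule(String id, Predicate<String> sni, String certPath, String keyPath) {}

  /** `sni: {equals: host}`: case-insensitive exact match. */
  static SniRule equalsRule(String id, String host, String cert, String key) {
    String h = host.toLowerCase(Locale.ROOT);
    return new SniRule(id, s -> s.equals(h), cert, key);
  }

  /** `sni: {endsWith: suffix}`: the suffix itself or a subdomain of it. Label-boundary check is an
   *  assumption made here so that "notcharlie.io" does not satisfy `endsWith: charlie.io`. */
  static SniRule endsWithRule(String id, String suffix, String cert, String key) {
    String sfx = suffix.toLowerCase(Locale.ROOT);
    return new SniRule(id, s -> s.equals(sfx) || s.endsWith("." + sfx), cert, key);
  }

  /** Peeks the plaintext server_name out of a TLS ClientHello record. Empty if the bytes are not a
   *  complete ClientHello, carry no SNI, or declare lengths that run past the record (malformed input). */
  static Optional<String> extractSni(ByteBuffer in) {
    ByteBuffer b = in.duplicate();                       // duplicate: the SSLEngine still needs every byte
    try {
      if (b.remaining() < 5 || (b.get() & 0xff) != 0x16) return Optional.empty(); // not a handshake record
      b.getShort();                                      // legacy record version
      int recLen = b.getShort() & 0xffff;
      if (b.remaining() < recLen) return Optional.empty(); // partial record: read more before deciding
      b.limit(b.position() + recLen);
      if ((b.get() & 0xff) != 0x01) return Optional.empty(); // not a ClientHello
      b.position(b.position() + 3 + 2 + 32);             // handshake length, client version, random
      b.position(b.position() + (b.get() & 0xff));       // legacy session id
      b.position(b.position() + (b.getShort() & 0xffff)); // cipher suites
      b.position(b.position() + (b.get() & 0xff));       // compression methods
      int extLen = b.getShort() & 0xffff;
      b.limit(Math.min(b.limit(), b.position() + extLen));
      while (b.remaining() >= 4) {
        int type = b.getShort() & 0xffff;
        int len = b.getShort() & 0xffff;
        if (type != 0x0000) { b.position(b.position() + len); continue; } // skip everything but server_name
        b.getShort();                                    // server_name_list length
        if ((b.get() & 0xff) != 0x00) return Optional.empty(); // only name_type host_name (0) is defined
        byte[] host = new byte[b.getShort() & 0xffff];
        b.get(host);
        return Optional.of(new String(host, StandardCharsets.US_ASCII).toLowerCase(Locale.ROOT));
      }
      return Optional.empty();
    } catch (BufferUnderflowException | IllegalArgumentException e) {
      return Optional.empty();                           // a length field pointed past the record
    }
  }

  /** First rule accepting the SNI; a hello without SNI matches nothing, so the caller picks the fallback. */
  static Optional<SniRule> select(List<SniRule> rules, ByteBuffer clientHello) {
    return extractSni(clientHello)
        .flatMap(name -> rules.stream().filter(r -> r.sni().test(name)).findFirst());
  }

  /** Constructed test input: a minimal TLS-framed ClientHello carrying one server_name (or none). */
  static ByteBuffer clientHello(String host) {
    byte[] h = host.getBytes(StandardCharsets.US_ASCII); // assumes host shorter than 256 bytes
    ByteArrayOutputStream ext = new ByteArrayOutputStream();
    if (!host.isEmpty()) {                               // type 0, ext len, list len, name_type, host len
      ext.writeBytes(new byte[]{0, 0, 0, (byte) (h.length + 5), 0, (byte) (h.length + 3), 0, 0, (byte) h.length});
      ext.writeBytes(h);
    }
    ByteBuffer body = ByteBuffer.allocate(43 + ext.size());
    body.putShort((short) 0x0303).put(new byte[32]).put((byte) 0) // version, random, empty session id
        .putShort((short) 2).putShort((short) 0x1301)             // one cipher suite
        .put((byte) 1).put((byte) 0)                              // null compression only
        .putShort((short) ext.size()).put(ext.toByteArray());
    body.flip();
    ByteBuffer rec = ByteBuffer.allocate(9 + body.remaining());
    rec.put((byte) 0x16).putShort((short) 0x0301).putShort((short) (4 + body.remaining()))
       .put((byte) 0x01).put((byte) 0).putShort((short) body.remaining()) // 3-byte handshake length
       .put(body);
    rec.flip();
    return rec;
  }

  public static void main(String[] args) {
    List<SniRule> rules = List.of(
        endsWithRule("https-txt/charlie", "charlie.io",
            "./src/test/resources/certs/charlie-io.pem", "./src/test/resources/certs/charlie-io.key"),
        equalsRule("https-txt/glep", "glep.io",
            "./src/test/resources/certs/glep-io.pem", "./src/test/resources/certs/glep-io.key"));
    for (String host : List.of("example.charlie.io", "GLEP.io", "notcharlie.io", "pim.io", "")) {
      ByteBuffer hello = clientHello(host);
      int before = hello.position();
      Optional<SniRule> r = select(rules, hello);
      System.out.printf("sni=%-20s -> %s (buffer untouched: %b)%n",
          host.isEmpty() ? "<none>" : host, r.map(SniRule::id).orElse("no match"),
          hello.position() == before);
    }
  }
}
```

Two things a practitioner would want to settle before wiring this in: what to do when `select` returns empty (a client with no SNI, or an SNI nobody claims) needs an explicit policy, either a default cert/key on the server or closing the connection, rather than silently falling through to the first context; and the parser only sees the plaintext server_name, so with Encrypted Client Hello the matched name is the outer public name, not the real one.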