Closed almereyda closed 9 months ago
Would the `servername=` property in a `listen_transport` directive accept lists of SNI hostnames and RegExp or globbing wildcards?

So this
https://github.com/zhboner/realm/blob/882c2e3c00e73aba97cddc02295a92a1daaaa1e8/examples/tls.toml#L9
could also read:

`listen_transport = "tls;servername=*.pages.example.com,pages.example.com"`

or

`listen_transport = "tls;servername=*"`
This specific Traefik TCP TLS SNI router configuration here is in use with a GitLab Pages daemon and another Traefik daemon set up with a DNS-01 challenge to generate the wildcard subdomain certificate. The generic wildcard route is served by the GitLab Pages daemon, which will issue its own certificates for domains connected to it.
Following the link in the readme, this appears to be an upstream issue for zephyrchien/kaminari.
Actually the `servername=` field of `listen_transport` is used as a hint for generating self-signed certificates, not for dispatching backends.
Realm with the `balance` module does allow multiple backends to be bound to a single frontend. However, the way to pick a backend is limited, currently just `load-balancer` and `hook`. `load-balancer` switches between backends automatically based on the strategy. `hook` requires users to write dynamic libraries.

On the other hand, `sni` could be sniffed from the first several bytes at the TCP level (SNI is one of the TLS extensions).
I'm planning to refactor the whole project, providing a more flexible way to organize frontends/backends.
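SNI-based dispatch of the kind discussed in this thread, as an added example that is not realm's own code: it reads the `server_name` extension from the leading bytes of a TLS ClientHello and matches it against ordered rules such as `*.pages.example.com`. The `client_hello` builder, the rule list and the backend names are constructed test input, not captures from any real deployment.

```rust
/// Return the SNI host_name from the first bytes of a TLS ClientHello, or None if malformed.
fn extract_sni(buf: &[u8]) -> Option<String> {
    let be16 = |b: &[u8], i: usize| Some(u16::from_be_bytes([*b.get(i)?, *b.get(i + 1)?]) as usize);
    if buf.first()? != &0x16 { return None; } // record content type must be handshake
    let hs = buf.get(5..5 + be16(buf, 3)?)?;
    if hs.first()? != &0x01 { return None; } // handshake type must be ClientHello
    let mut p = 4 + 2 + 32; // handshake header + client_version + random
    p += 1 + *hs.get(p)? as usize; // session_id
    p += 2 + be16(hs, p)?; // cipher_suites
    p += 1 + *hs.get(p)? as usize; // compression_methods
    let mut ext = hs.get(p + 2..p + 2 + be16(hs, p)?)?; // extensions block
    while ext.len() >= 4 {
        let (etype, elen) = (be16(ext, 0)?, be16(ext, 2)?);
        let body = ext.get(4..4 + elen)?;
        if etype == 0 { // server_name: list length(2), name_type(1), name length(2), name
            let name = body.get(5..5 + be16(body, 3)?)?;
            return if body[2] == 0 { String::from_utf8(name.to_vec()).ok() } else { None };
        }
        ext = &ext[4 + elen..];
    }
    None
}

/// "*" matches any host; "*.suffix" matches exactly one extra label; otherwise exact match.
fn sni_matches(pattern: &str, host: &str) -> bool {
    let (pat, host) = (pattern.to_ascii_lowercase(), host.to_ascii_lowercase());
    match pat.strip_prefix("*.") {
        _ if pat == "*" => true,
        Some(suf) => matches!(host.strip_suffix(suf).and_then(|p| p.strip_suffix('.')),
                              Some(l) if !l.is_empty() && !l.contains('.')),
        None => pat == host,
    }
}

/// Dispatch: the first rule whose pattern matches the sniffed SNI wins (rules are ordered).
fn pick_backend<'a>(rules: &[(&str, &'a str)], hello: &[u8]) -> Option<&'a str> {
    let host = extract_sni(hello)?;
    rules.iter().find(|(pat, _)| sni_matches(pat, &host)).map(|(_, be)| *be)
}

/// Constructed minimal ClientHello with one SNI entry (test input only, not a real capture).
fn client_hello(host: &str) -> Vec<u8> {
    let (n, mut ext): (u16, Vec<u8>) = (host.len() as u16, vec![0x00, 0x00]); // server_name type
    for v in [n + 5, n + 3] { ext.extend(v.to_be_bytes()); } // extension length, list length
    ext.push(0x00); ext.extend(n.to_be_bytes()); ext.extend(host.as_bytes()); // host_name entry
    let mut body: Vec<u8> = vec![0x03, 0x03]; body.extend([0u8; 32]); body.push(0); // version, random, sid
    body.extend([0x00, 0x02, 0x13, 0x01, 0x01, 0x00]); // one cipher suite, null compression
    body.extend((ext.len() as u16).to_be_bytes()); body.extend(&ext);
    let mut rec: Vec<u8> = vec![0x16, 0x03, 0x01]; rec.extend(((body.len() + 4) as u16).to_be_bytes());
    rec.push(0x01); rec.extend(&(body.len() as u32).to_be_bytes()[1..]); rec.extend(&body); rec
}
```

A real frontend would peek these bytes without consuming them and fall through to a default backend (or close) when no SNI is present, since a non-TLS or malformed first segment yields `None`.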
I'm currently using Traefik with the `HostSNI` TCP router for TLS connections to split them between different hosts, depending on condition. It seems this could also be a useful feature for realm in secure environments.