config: add support for downstream TLS server name (#3243)

* config: add support for downstream TLS server name * fix whitespace * fix whitespace * add docs * add tls_upstream_server_name and tls_downstream_server_name to config * Update docs/reference/settings.yaml Co-authored-by: Alex Fornuto <afornuto@pomerium.com> * Update docs/reference/readme.md Co-authored-by: Alex Fornuto <afornuto@pomerium.com> * add deprecation notice Co-authored-by: Alex Fornuto <afornuto@pomerium.com>
2025-08-03 08:50:42 +02:00 · 2022-04-06 07:48:45 -06:00 · 2022-04-06 07:48:45 -06:00 · b79f1e379f
commit b79f1e379f
parent e1403e33b4
12 changed files with 837 additions and 614 deletions
--- a/config/envoyconfig/clusters.go
+++ b/config/envoyconfig/clusters.go
@ -267,6 +267,9 @@ func (b *Builder) buildPolicyTransportSocket(
 	if policy.TLSServerName != "" {
 		sni = policy.TLSServerName
 	}
+	if policy.TLSUpstreamServerName != "" {
+		sni = policy.TLSUpstreamServerName
+	}
 	tlsContext := &envoy_extensions_transport_sockets_tls_v3.UpstreamTlsContext{
 		CommonTlsContext: &envoy_extensions_transport_sockets_tls_v3.CommonTlsContext{
 			TlsParams: &envoy_extensions_transport_sockets_tls_v3.TlsParameters{
@ -320,9 +323,16 @@ func (b *Builder) buildPolicyValidationContext(
 	policy *config.Policy,
 	dst url.URL,
 ) (*envoy_extensions_transport_sockets_tls_v3.CertificateValidationContext, error) {
+	overrideName := ""
+	if policy.TLSServerName != "" {
+		overrideName = policy.TLSServerName
+	}
+	if policy.TLSUpstreamServerName != "" {
+		overrideName = policy.TLSUpstreamServerName
+	}
 	validationContext := &envoy_extensions_transport_sockets_tls_v3.CertificateValidationContext{
 		MatchTypedSubjectAltNames: []*envoy_extensions_transport_sockets_tls_v3.SubjectAltNameMatcher{
-			b.buildSubjectAltNameMatcher(&dst, policy.TLSServerName),
+			b.buildSubjectAltNameMatcher(&dst, overrideName),
 		},
 	}
 	if policy.TLSCustomCAFile != "" {