config: add support for downstream TLS server name (#3243)

* config: add support for downstream TLS server name * fix whitespace * fix whitespace * add docs * add tls_upstream_server_name and tls_downstream_server_name to config * Update docs/reference/settings.yaml Co-authored-by: Alex Fornuto <afornuto@pomerium.com> * Update docs/reference/readme.md Co-authored-by: Alex Fornuto <afornuto@pomerium.com> * add deprecation notice Co-authored-by: Alex Fornuto <afornuto@pomerium.com>
2025-08-02 00:10:45 +02:00 · 2022-04-06 07:48:45 -06:00 · 2022-04-06 07:48:45 -06:00 · b79f1e379f
commit b79f1e379f
parent e1403e33b4
12 changed files with 837 additions and 614 deletions
--- a/config/envoyconfig/clusters_test.go
+++ b/config/envoyconfig/clusters_test.go
@ -111,21 +111,75 @@ func Test_buildPolicyTransportSocket(t *testing.T) {
 						"alpnProtocols": ["h2", "http/1.1"],
 						"tlsParams": {
 							"cipherSuites": [
-            	            	"ECDHE-ECDSA-AES256-GCM-SHA384",
-            	            	"ECDHE-RSA-AES256-GCM-SHA384",
-            	            	"ECDHE-ECDSA-AES128-GCM-SHA256",
-            	            	"ECDHE-RSA-AES128-GCM-SHA256",
-            	            	"ECDHE-ECDSA-CHACHA20-POLY1305",
-            	            	"ECDHE-RSA-CHACHA20-POLY1305",
-            	            	"ECDHE-ECDSA-AES128-SHA",
-            	            	"ECDHE-RSA-AES128-SHA",
-            	            	"AES128-GCM-SHA256",
-            	            	"AES128-SHA",
-            	            	"ECDHE-ECDSA-AES256-SHA",
-            	            	"ECDHE-RSA-AES256-SHA",
-            	            	"AES256-GCM-SHA384",
-            	            	"AES256-SHA"
-            	            ],
+								"ECDHE-ECDSA-AES256-GCM-SHA384",
+								"ECDHE-RSA-AES256-GCM-SHA384",
+								"ECDHE-ECDSA-AES128-GCM-SHA256",
+								"ECDHE-RSA-AES128-GCM-SHA256",
+								"ECDHE-ECDSA-CHACHA20-POLY1305",
+								"ECDHE-RSA-CHACHA20-POLY1305",
+								"ECDHE-ECDSA-AES128-SHA",
+								"ECDHE-RSA-AES128-SHA",
+								"AES128-GCM-SHA256",
+								"AES128-SHA",
+								"ECDHE-ECDSA-AES256-SHA",
+								"ECDHE-RSA-AES256-SHA",
+								"AES256-GCM-SHA384",
+								"AES256-SHA"
+							],
+							"ecdhCurves": [
+								"X25519",
+								"P-256",
+								"P-384",
+								"P-521"
+							]
+						},
+						"validationContext": {
+							"matchTypedSubjectAltNames": [{
+								"sanType": "DNS",
+								"matcher": {
+									"exact": "use-this-name.example.com"
+								}
+							}],
+							"trustedCa": {
+								"filename": "`+rootCA+`"
+							}
+						}
+					},
+					"sni": "use-this-name.example.com"
+				}
+			}
+		`, ts)
+	})
+	t.Run("tls_upstream_server_name as sni", func(t *testing.T) {
+		ts, err := b.buildPolicyTransportSocket(ctx, o1, &config.Policy{
+			To:                    mustParseWeightedURLs(t, "https://example.com"),
+			TLSUpstreamServerName: "use-this-name.example.com",
+		}, *mustParseURL(t, "https://example.com"))
+		require.NoError(t, err)
+		testutil.AssertProtoJSONEqual(t, `
+			{
+				"name": "tls",
+				"typedConfig": {
+					"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+					"commonTlsContext": {
+						"alpnProtocols": ["h2", "http/1.1"],
+						"tlsParams": {
+							"cipherSuites": [
+								"ECDHE-ECDSA-AES256-GCM-SHA384",
+								"ECDHE-RSA-AES256-GCM-SHA384",
+								"ECDHE-ECDSA-AES128-GCM-SHA256",
+								"ECDHE-RSA-AES128-GCM-SHA256",
+								"ECDHE-ECDSA-CHACHA20-POLY1305",
+								"ECDHE-RSA-CHACHA20-POLY1305",
+								"ECDHE-ECDSA-AES128-SHA",
+								"ECDHE-RSA-AES128-SHA",
+								"AES128-GCM-SHA256",
+								"AES128-SHA",
+								"ECDHE-ECDSA-AES256-SHA",
+								"ECDHE-RSA-AES256-SHA",
+								"AES256-GCM-SHA384",
+								"AES256-SHA"
+							],
 							"ecdhCurves": [
 								"X25519",
 								"P-256",