
membphis pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new da62190  feat: allow to pass SNI in HTTPS proxy (#3420)
da62190 is described below

commit da62190d952811477cf9d0e7e1c9b455794263f3
Author: 罗泽轩 <spacewander...@gmail.com>
AuthorDate: Tue Jan 26 23:36:12 2021 +0800

    feat: allow to pass SNI in HTTPS proxy (#3420)
    
    Fix #2988
---
 apisix/cli/ngx_tpl.lua   |  5 ++++
 conf/config-default.yaml |  4 +++
 t/APISIX.pm              |  8 ++++++
 t/node/proxy_https.t     | 73 ++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 90 insertions(+)

diff --git a/apisix/cli/ngx_tpl.lua b/apisix/cli/ngx_tpl.lua
index 18f6632..e0c44e8 100644
--- a/apisix/cli/ngx_tpl.lua
+++ b/apisix/cli/ngx_tpl.lua
@@ -483,6 +483,11 @@ http {
             proxy_set_header   X-Real-IP         $remote_addr;
             proxy_pass_header  Date;
 
+            {% if http.proxy_ssl_server_name then %}
+            proxy_ssl_name $host;
+            proxy_ssl_server_name on;
+            {% end %}
+
             ### the following x-forwarded-* headers is to send to upstream 
server
 
             set $var_x_forwarded_for        $remote_addr;
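Review bot: The SNI advertised to the upstream by `proxy_ssl_name $host;` is taken from the client-supplied Host header rather than from the configured upstream node, so the value reaching the upstream's TLS layer is untrusted input: if the upstream picks a virtual host or certificate by SNI, a client can steer that choice, and if the Host header forwarded upstream is rewritten elsewhere the SNI will no longer match it. Nothing in the hunk enables `proxy_ssl_verify`, so the name is sent but never checked against the upstream certificate (nginx does not verify by default); that is worth stating in the template, e.g. `# SNI is the request's $host (client-controlled); upstream certificate verification is a separate setting`. If the intent is to follow the upstream host rather than the client, sourcing the name from the same variable used for the forwarded Host header would keep the two consistent. The enclosing location block starts and ends outside the hunk.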
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index ed8ec4c..9fa47b6 100644
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -180,6 +180,10 @@ nginx_config:                     # config for render the 
template to generate n
     # lua_shared_dicts:            # add custom shared cache to nginx.conf
     #  ipc_shared_dict: 100m       # custom shared cache, format: `cache-key: 
cache-size`
 
+    # Enables or disables passing of the server name through TLS Server Name 
Indication extension (SNI, RFC 6066)
+    # when establishing a connection with the proxied HTTPS server.
+    proxy_ssl_server_name: true
+
 etcd:
   host:                           # it's possible to define multiple etcd 
hosts addresses of the same etcd cluster.
     - "http://127.0.0.1:2379";     # multiple etcd address, if your etcd 
cluster enables TLS, please use https scheme,
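Review bot: The comment on `proxy_ssl_server_name` describes the nginx directive but not what name APISIX sends, which is the request's `$host` (the client's Host header) rather than the upstream node's address; operators reading only this file cannot tell that. It also reads as if it might secure the upstream connection, while it only advertises a name and does not turn on certificate verification. Suggest extending the comment with `# The name sent is the request's $host; this does not enable upstream certificate verification.`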
diff --git a/t/APISIX.pm b/t/APISIX.pm
index 9dcea3a..63b54f7 100644
--- a/t/APISIX.pm
+++ b/t/APISIX.pm
@@ -372,6 +372,9 @@ _EOC_
     lua_shared_dict plugin-api-breaker   10m;
     lua_capture_error_log                 1m;    # plugin error-log-logger
 
+    proxy_ssl_name \$host;
+    proxy_ssl_server_name on;
+
     resolver $dns_addrs_str;
     resolver_timeout 5;
 
@@ -448,6 +451,11 @@ _EOC_
 
         server_tokens off;
 
+        ssl_certificate_by_lua_block {
+            local ngx_ssl = require "ngx.ssl"
+            ngx.log(ngx.WARN, "Receive SNI: ", ngx_ssl.server_name())
+        }
+
         location / {
             content_by_lua_block {
                 require("lib.server").go()
diff --git a/t/node/proxy_https.t b/t/node/proxy_https.t
new file mode 100644
index 0000000..0c3daf0
--- /dev/null
+++ b/t/node/proxy_https.t
@@ -0,0 +1,73 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+log_level("info");
+
+run_tests;
+
+__DATA__
+
+=== TEST 1: add route
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                ngx.HTTP_PUT,
+                [[{
+                    "methods": ["GET"],
+                    "plugins": {
+                        "proxy-rewrite": {
+                            "scheme": "https"
+                        }
+                    },
+                    "upstream": {
+                        "type": "roundrobin",
+                        "nodes": {
+                            "127.0.0.1:1983": 1
+                        }
+                    },
+                    "uri": "/hello"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 2: get upstream carrying host
+--- request
+GET /hello
+--- more_headers
+host: www.sni.com
+--- error_log
+Receive SNI: www.sni.com
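Review bot: TEST 2 asserts only the `Receive SNI:` log line and has no `--- response_body` or `--- no_error_log [error]` section, so a proxied request whose TLS handshake fails right after the ClientHello (the SNI is logged in ssl_certificate_by_lua_block before that) would still pass. Adding the expected body and `--- no_error_log\n[error]` would pin that the HTTPS proxying itself succeeds, not just that a name was seen. A further case sending a second request with a different Host value would also show that the SNI follows each request rather than a cached value, which the current single request cannot distinguish.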
