How do I configure SNI for listeners?
SNI is only supported in the v2 configuration/API.
Attention: the TLS Inspector listener filter must be configured in order to detect the requested SNI.
The following is a YAML example of the above requirement.
```yaml
address:
  socket_address: { address: 127.0.0.1, port_value: 1234 }
# The TLS Inspector reads the ClientHello and exposes the requested SNI for
# filter_chain_match below.
listener_filters:
- name: "envoy.filters.listener.tls_inspector"
  typed_config: {}
filter_chains:
# First chain: serves example.com and www.example.com with their certificate.
- filter_chain_match:
    server_names: ["example.com", "www.example.com"]
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      "@type": type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext
      common_tls_context:
        tls_certificates:
        - certificate_chain: { filename: "example_com_cert.pem" }
          private_key: { filename: "example_com_key.pem" }
  filters:
  - name: envoy.filters.network.http_connection_manager
    typed_config:
      "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
      stat_prefix: ingress_http
      route_config:
        virtual_hosts:
        - name: default
          domains: ["*"]
          routes:
          - match: { prefix: "/" }
            route: { cluster: service_foo }
# Second chain: serves api.example.com with a separate certificate.
# server_names and domains are repeated fields, so they are written as lists.
- filter_chain_match:
    server_names: ["api.example.com"]
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      "@type": type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext
      common_tls_context:
        tls_certificates:
        - certificate_chain: { filename: "api_example_com_cert.pem" }
          private_key: { filename: "api_example_com_key.pem" }
  filters:
  - name: envoy.filters.network.http_connection_manager
    typed_config:
      "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
      stat_prefix: ingress_http
      route_config:
        virtual_hosts:
        - name: default
          domains: ["*"]
          routes:
          - match: { prefix: "/" }
            route: { cluster: service_foo }
```
How do I configure SNI for clusters?
For clusters, a fixed SNI can be set in UpstreamTlsContext. To derive the SNI from the HTTP Host or :authority header instead, turn on auto_sni, which overrides the fixed SNI in UpstreamTlsContext. If the upstream presents certificates carrying the hostname in their SAN, turn on auto_san_validation as well. A trusted CA must still be configured in the validation context of UpstreamTlsContext to serve as the trust anchor; auto_san_validation only checks the name, it does not establish trust in the certificate chain.
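The cluster side of the above, as an added example that is not part of the Envoy documentation: a v2 cluster definition with a fixed fallback SNI, auto_sni and auto_san_validation enabled, and a trusted CA as the anchor. The cluster name, endpoint and CA file path are assumed values.

```yaml
# Added example (not from the Envoy docs). Cluster name, endpoint address and
# the CA path are assumed placeholders.
name: service_foo
connect_timeout: 1s
type: STRICT_DNS
lb_policy: ROUND_ROBIN
# auto_sni: use the request's Host/:authority as the TLS SNI instead of the
# fixed value below. auto_san_validation: also require that hostname to match a
# SAN in the upstream certificate.
upstream_http_protocol_options:
  auto_sni: true
  auto_san_validation: true
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext
    # Fixed SNI; overridden per request when auto_sni is on.
    sni: api.example.com
    common_tls_context:
      validation_context:
        # Trust anchor. Without a validation_context Envoy does not verify the
        # upstream chain at all, so auto_san_validation alone gives no assurance.
        trusted_ca: { filename: "/etc/envoy/upstream_ca.pem" }
load_assignment:
  cluster_name: service_foo
  endpoints:
  - lb_endpoints:
    - endpoint:
        address:
          socket_address: { address: api.example.com, port_value: 443 }
```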
The copyright of this content belongs to Envoy Proxy or its affiliates; to follow or sponsor the content or its associated open source project, please visit Envoy Proxy.