diff --git a/apisix/cli/ngx_tpl.lua b/apisix/cli/ngx_tpl.lua index 18f663277980..e0c44e8997df 100644 --- a/apisix/cli/ngx_tpl.lua +++ b/apisix/cli/ngx_tpl.lua @@ -483,6 +483,11 @@ http { proxy_set_header X-Real-IP $remote_addr; proxy_pass_header Date; + {% if http.proxy_ssl_server_name then %} + proxy_ssl_name $host; + proxy_ssl_server_name on; + {% end %} + ### the following x-forwarded-* headers is to send to upstream server set $var_x_forwarded_for $remote_addr; diff --git a/conf/config-default.yaml b/conf/config-default.yaml index ed8ec4c07402..9fa47b62e378 100644 --- a/conf/config-default.yaml +++ b/conf/config-default.yaml @@ -180,6 +180,10 @@ nginx_config: # config for render the template to generate n # lua_shared_dicts: # add custom shared cache to nginx.conf # ipc_shared_dict: 100m # custom shared cache, format: `cache-key: cache-size` + # Enables or disables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066) + # when establishing a connection with the proxied HTTPS server. + proxy_ssl_server_name: true + etcd: host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster. - "http://127.0.0.1:2379" # multiple etcd address, if your etcd cluster enables TLS, please use https scheme, diff --git a/t/APISIX.pm b/t/APISIX.pm index 9dcea3aaf04f..63b54f7a45e9 100644 --- a/t/APISIX.pm +++ b/t/APISIX.pm @@ -372,6 +372,9 @@ _EOC_ lua_shared_dict plugin-api-breaker 10m; lua_capture_error_log 1m; # plugin error-log-logger + proxy_ssl_name \$host; + proxy_ssl_server_name on; + resolver $dns_addrs_str; resolver_timeout 5; @@ -448,6 +451,11 @@ _EOC_ server_tokens off; + ssl_certificate_by_lua_block { + local ngx_ssl = require "ngx.ssl" + ngx.log(ngx.WARN, "Receive SNI: ", ngx_ssl.server_name()) + } + location / { content_by_lua_block { require("lib.server").go() diff --git a/t/node/proxy_https.t b/t/node/proxy_https.t new file mode 100644 index 000000000000..0c3daf0e3815 --- /dev/null +++ b/t/node/proxy_https.t @@ -0,0 +1,73 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +log_level("info"); + +run_tests; + +__DATA__ + +=== TEST 1: add route +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "methods": ["GET"], + "plugins": { + "proxy-rewrite": { + "scheme": "https" + } + }, + "upstream": { + "type": "roundrobin", + "nodes": { + "127.0.0.1:1983": 1 + } + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- no_error_log +[error] + + + +=== TEST 2: get upstream carrying host +--- request +GET /hello +--- more_headers +host: www.sni.com +--- error_log +Receive SNI: www.sni.com