feat: add proxy_ssl_server_name

[whitehatboxer]

What this PR does / why we need it:

fix: #2988

Pre-submission checklist:

• Did you explain what problem does this PR solve? Or what new features have been added?
• Have you added corresponding test cases?
• Have you modified the corresponding document?
• Is this PR backward compatible? If it is not backward compatible, please discuss on the mailing list first

[tokers]

This should be enabled by default.

[whitehatboxer]

I will fix it later.

[whitehatboxer]

Done.

[tokers]

The comment is not right. Just reference the Nginx doc:

Enables or disables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066) when establishing a connection with the proxied HTTPS server.

[whitehatboxer]

I will fix it later.

[whitehatboxer]

Already replace it.

[tokers]

@unbeatablekb Should have test cases for it, you can prepare a keypair that the SNI is not matched with the backend server and assert the proxy is aborted.

[whitehatboxer]

@tokers Thanks for giving help. I will add test for it after learning nginx test which would be done within this weeks.

[spacewander]

@unbeatablekb
You need to add proxy_ssl_server_name in t/APISIX.pm.
You can take a look at

apisix/t/plugin/proxy-rewrite.t

Lines 258 to 308 in b78c87a

	=== TEST 8: set route(rewrite host + scheme)
	--- config
	location /t {
	content_by_lua_block {
	local t = require("lib.test_admin").test
	local code, body = t('/apisix/admin/routes/1',
	ngx.HTTP_PUT,
	[[{
	"methods": ["GET"],
	"plugins": {
	"proxy-rewrite": {
	"uri": "/plugin_proxy_rewrite",
	"scheme": "https",
	"host": "test.com"
	}
	},
	"upstream": {
	"nodes": {
	"127.0.0.1:1983": 1
	},
	"type": "roundrobin"
	},
	"uri": "/hello"
	}]]
	)
	if code >= 300 then
	ngx.status = code
	end
	ngx.say(body)
	}
	}
	--- request
	GET /t
	--- response_body
	passed
	--- no_error_log
	[error]
	=== TEST 9: rewrite host + scheme
	--- request
	GET /hello HTTP/1.1
	--- response_body
	uri: /plugin_proxy_rewrite
	host: test.com
	scheme: https
	--- no_error_log
	[error]

and write your own one.

[whitehatboxer]

@spacewander Thanks for your advice. I will do it.

[whitehatboxer]

@tokers @spacewander
The deadline took effect. I try to learn the test architecture about apisix at last weekends.

Finally I add test cases in t/core. I'm willing to hear your advice and I will modify it in the day.

[membphis]

@tokers @spacewander
The deadline took effect. I try to learn the test architecture about apisix at last weekends.

Finally I add test cases in t/core. I'm willing to hear your advice and I will modify it in the day.

if you need any help, please let us know

[tokers]

@unbeatablekb CI failed.

[spacewander]

We don't need this. We already have a HTTPS backend:

apisix/t/APISIX.pm

Line 444 in 3db8ebe

listen 1983 ssl;

You just need to pass a wrong host header.

[whitehatboxer]

Thanks. I used to create a new server block because I want to add server_name to new block. Now I think this make no sense after thinking about it.

But you said I could write a new one in APISIX.pm. What does that means?

[whitehatboxer]

@tokers @spacewander
I need your help. I run my test locally but failed.

The TEST2's output all failed. But I don't know what's wrong wit it.

I already pushed the code and details of the output of running test are show blow.

[tokers]

I don't know how you assert the 502 is due to SSL handshaking failure.

[whitehatboxer]

Got it.

[spacewander]

Only enable proxy_ssl_server_name doesn't pass the correct SNI to the backend.
See #2988 (comment).

I have submitted a new one to surpass this PR: #3420

@unbeatablekb
Your contribution is still counted.