Add directive for SSL Server block (#1934)

Adds a directive for server's location block when BackendTLS is configured Problem: Users want to configure BackendTLS successfully with NGF. Solution: Adds a directive proxy_ssl_server_name on in the server location block to avoid connection resets during SSL handshake.
nginxinc · May 7, 2024 · 97c37e5 · 97c37e5
1 parent 5581a64
commit 97c37e5
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/internal/mode/static/nginx/config/servers_template.go b/internal/mode/static/nginx/config/servers_template.go
@@ -60,6 +60,7 @@ server {
         {{ $proxyOrGRPC }}_pass {{ $l.ProxyPass }};
         proxy_http_version 1.1;
             {{- if $l.ProxySSLVerify }}
+        {{ $proxyOrGRPC }}_ssl_server_name on;
         {{ $proxyOrGRPC }}_ssl_verify on;
         {{ $proxyOrGRPC }}_ssl_name {{ $l.ProxySSLVerify.Name }};
         {{ $proxyOrGRPC }}_ssl_trusted_certificate {{ $l.ProxySSLVerify.TrustedCertificate }};

diff --git a/internal/mode/static/nginx/config/servers_test.go b/internal/mode/static/nginx/config/servers_test.go
@@ -48,6 +48,32 @@ func TestExecuteServers(t *testing.T) {
 					KeyPairID: "test-keypair",
 				},
 				Port: 8443,
+				PathRules: []dataplane.PathRule{
+					{
+						Path:     "/",
+						PathType: dataplane.PathTypePrefix,
+						MatchRules: []dataplane.MatchRule{
+							{
+								Match: dataplane.Match{},
+								BackendGroup: dataplane.BackendGroup{
+									Source:  types.NamespacedName{Namespace: "test", Name: "route1"},
+									RuleIdx: 0,
+									Backends: []dataplane.Backend{
+										{
+											UpstreamName: "test_foo_443",
+											Valid:        true,
+											Weight:       1,
+											VerifyTLS: &dataplane.VerifyTLS{
+												CertBundleID: "test-foo",
+												Hostname:     "test-foo.example.com",
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
 			},
 		},
 	}
@@ -61,6 +87,7 @@ func TestExecuteServers(t *testing.T) {
 		"server_name cafe.example.com;":                            2,
 		"ssl_certificate /etc/nginx/secrets/test-keypair.pem;":     2,
 		"ssl_certificate_key /etc/nginx/secrets/test-keypair.pem;": 2,
+		"proxy_ssl_server_name on;":                                1,
 	}
 	g := NewWithT(t)
 	serverResults := executeServers(conf)