How do I configure SNI for listeners?

SNI is only supported in the v3 configuration/API.

Attention

The TLS Inspector listener filter must be configured in order to detect the requested SNI; without it the filter_chain_match on server_names has nothing to match against.

The following is a YAML example of the above requirement.

```yaml
address:
  socket_address: { address: 127.0.0.1, port_value: 1234 }
listener_filters:
# The TLS Inspector reads the SNI from the ClientHello so that the
# filter_chain_match below can select a chain by server name.
- name: "envoy.filters.listener.tls_inspector"
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
filter_chains:
# First chain: matches SNI example.com or www.example.com and serves their certificate.
- filter_chain_match:
    server_names: ["example.com", "www.example.com"]
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
      common_tls_context:
        tls_certificates:
        - certificate_chain: { filename: "example_com_cert.pem" }
          private_key: { filename: "example_com_key.pem" }
  filters:
  - name: envoy.filters.network.http_connection_manager
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
      stat_prefix: ingress_http
      route_config:
        virtual_hosts:
        - name: default
          domains: ["*"]
          routes:
          - match: { prefix: "/" }
            route: { cluster: service_foo }
# Second chain: matches SNI api.example.com and serves a different certificate.
# server_names is a repeated field, so the single name is still written as a list.
- filter_chain_match:
    server_names: ["api.example.com"]
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
      common_tls_context:
        tls_certificates:
        - certificate_chain: { filename: "api_example_com_cert.pem" }
          private_key: { filename: "api_example_com_key.pem" }
  filters:
  - name: envoy.filters.network.http_connection_manager
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
      stat_prefix: ingress_http
      route_config:
        virtual_hosts:
        - name: default
          domains: ["*"]
          routes:
          - match: { prefix: "/" }
            route: { cluster: service_foo }
```

How do I configure SNI for clusters?

For clusters, a fixed SNI can be set with the sni field of UpstreamTlsContext. To derive the SNI from a downstream HTTP header such as host or :authority instead, turn on auto_sni; the derived value overrides the fixed SNI in UpstreamTlsContext. A custom header other than host or :authority can be supplied with the optional override_auto_sni_header field. If the upstream presents a certificate whose SAN contains that hostname, turn on auto_san_validation as well. A trusted CA must still be configured in the validation_context of UpstreamTlsContext to serve as the trust anchor.
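As an added example (not part of the original FAQ), the cluster side of the listener configuration above could look like the following. The cluster name service_foo matches the listener example; the upstream address, the CA bundle path and the x-upstream-host override header name are assumptions made for this example. The auto_sni, auto_san_validation and override_auto_sni_header switches live in the cluster's upstream HTTP protocol options, while the fixed sni and the trust anchor live in the UpstreamTlsContext.

```yaml
clusters:
- name: service_foo
  type: STRICT_DNS
  connect_timeout: 5s
  load_assignment:
    cluster_name: service_foo
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            # Assumed upstream address for this example.
            socket_address: { address: backend.internal.example, port_value: 443 }
  # The SNI/SAN switches are HTTP protocol options, not TLS options.
  typed_extension_protocol_options:
    envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
      "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
      explicit_http_config:
        http_protocol_options: {}   # HTTP/1.1 to the upstream, inside TLS
      upstream_http_protocol_options:
        # Derive SNI from the downstream host / :authority header,
        # overriding the fixed "sni" set in the transport socket below.
        auto_sni: true
        # Also require the upstream certificate's SAN to match that hostname.
        auto_san_validation: true
        # Optional: take the hostname from a custom header instead of
        # host / :authority (header name is an assumption for this example).
        override_auto_sni_header: "x-upstream-host"
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
      # Fixed SNI, used when auto_sni is off or the request carries no usable header value.
      sni: backend.internal.example
      common_tls_context:
        validation_context:
          # auto_san_validation still needs a trust anchor; the bundle path is assumed.
          trusted_ca: { filename: "/etc/envoy/upstream_ca.pem" }
```

Two points worth checking in a real deployment: if validation_context has no trusted_ca, Envoy does not verify the upstream certificate at all, so auto_san_validation has nothing to anchor to; and because the value of the override header decides which name the upstream certificate is checked against, that header should be set by Envoy or trusted infrastructure rather than passed through unchanged from arbitrary clients.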