How do I configure SNI for listeners?

SNI is only supported in the v2 configuration/API.

Attention

TLS Inspector listener filter must be configured in order to detect requested SNI.

The following is a YAML example of the above requirement.

  1. address:
  2. socket_address: { address: 127.0.0.1, port_value: 1234 }
  3. listener_filters:
  4. - name: "envoy.filters.listener.tls_inspector"
  5. typed_config: {}
  6. filter_chains:
  7. - filter_chain_match:
  8. server_names: ["example.com", "www.example.com"]
  9. transport_socket:
  10. name: envoy.transport_sockets.tls
  11. typed_config:
  12. "@type": type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext
  13. common_tls_context:
  14. tls_certificates:
  15. - certificate_chain: { filename: "example_com_cert.pem" }
  16. private_key: { filename: "example_com_key.pem" }
  17. filters:
  18. - name: envoy.filters.network.http_connection_manager
  19. typed_config:
  20. "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
  21. stat_prefix: ingress_http
  22. route_config:
  23. virtual_hosts:
  24. - name: default
  25. domains: "*"
  26. routes:
  27. - match: { prefix: "/" }
  28. route: { cluster: service_foo }
  29. - filter_chain_match:
  30. server_names: "api.example.com"
  31. transport_socket:
  32. name: envoy.transport_sockets.tls
  33. typed_config:
  34. "@type": type.googleapis.com/envoy.api.v2.auth.DownstreamTlsContext
  35. common_tls_context:
  36. tls_certificates:
  37. - certificate_chain: { filename: "api_example_com_cert.pem" }
  38. private_key: { filename: "api_example_com_key.pem" }
  39. filters:
  40. - name: envoy.filters.network.http_connection_manager
  41. typed_config:
  42. "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
  43. stat_prefix: ingress_http
  44. route_config:
  45. virtual_hosts:
  46. - name: default
  47. domains: "*"
  48. routes:
  49. - match: { prefix: "/" }
  50. route: { cluster: service_foo }

How do I configure SNI for clusters?

For clusters, a fixed SNI can be set in UpstreamTlsContext. To derive SNI from HTTP host or :authority header, turn on auto_sni to override the fixed SNI in UpstreamTlsContext. If upstream will present certificates with the hostname in SAN, turn on auto_san_validation too. It still needs a trust CA in validation context in UpstreamTlsContext for trust anchor.