30 changes: 22 additions & 8 deletions doc/admin-guide/files/sni.yaml.en.rst
Expand Up @@ -57,7 +57,26 @@ The following fields make up the key for each item in the configuration file.
========================= ========= ========================================================================================
Key Direction Meaning
========================= ========= ========================================================================================
fqdn Both Fully Qualified Domain Name.
fqdn Both Fully Qualified Domain Name. Matching depends on the order of entries (like :file:`remap.config`)

Wildcard Support:
1. Allow single left-most ``*``
2. Do NOT support regex
3. Allow ``$1`` (capturing) support in the ``tunnel_route`` field

For example:
Supported:
- ``*.example.com``
- ``*``

NOT Supported:
- ``foo[0-9]+.example.com`` (regex)
- ``bar.*.example.net`` (``*`` in the middle)
- ``*.bar.*.com`` (multiple ``*``)
- ``*.*.baz.com`` (multiple ``*``)
- ``baz*.example.net`` (partial wildcard)
- ``*baz.example.net`` (partial wildcard)
- ``b*z.example.net`` (partial wildcard)

inbound_port_ranges Inbound The port ranges for the inbound connection in the form ``port`` or
``min-max``.
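Review bot: "Matching depends on the order of entries" in the ``fqdn`` row should say what the order does: presumably the first entry whose ``fqdn`` matches the SNI wins, so a catch-all ``*`` placed first shadows every more specific entry below it. Please state that explicitly and recommend listing exact names before wildcard entries. The wildcard list also leaves two questions open that operators will hit: whether ``*.example.com`` matches only one label (``a.example.com``) or also ``a.b.example.com``, and what ``$1`` expands to when the entry is the bare ``*``. Since the captured text comes from the client-supplied SNI, this matters for ``tunnel_route: $1.domain`` style entries; a one-line note on what ``$1`` can contain (and whether it can contain dots) would help.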
Expand Down Expand Up @@ -237,9 +256,8 @@ quic Inbound Indicates whether QUIC connec
name. More broadly, you will also need to configure :ts:cv:`proxy.config.http.server_ports` to
open ports for QUIC.

tunnel_route Inbound Destination as an FQDN and port, separated by a colon ``:``.
Match group number can be specified by ``$N`` where N should refer to a specified group
in the FQDN, ``tunnel_route: $1.domain``.
tunnel_route Inbound Destination as an FQDN and port, separated by a colon ``:``. Capturing matched wildcard in
the ``fqdn`` field is supported by ``$1``. For example: ``tunnel_route: $1.domain``.

This will forward all traffic to the specified destination without first terminating
the incoming TLS connection.
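Review bot: "Capturing matched wildcard in the ``fqdn`` field is supported by ``$1``" reads awkwardly; suggest "The text matched by the ``*`` in ``fqdn`` can be referenced as ``$1``, for example ``tunnel_route: $1.domain``." The paragraph also drops the old ``$N`` wording without saying what happens to an existing configuration that still uses ``$2``, or uses ``$1`` with an ``fqdn`` that has no wildcard (error at load, a literal ``$2`` in the destination, or an empty string); please document the behaviour so the release notes can point at it.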
Expand Down Expand Up @@ -408,13 +426,9 @@ Use FQDN captured group to match in ``tunnel_route``.
sni:
- fqdn: '*.foo.com'
tunnel_route: '$1.myfoo'
- fqdn: '*.bar.*.com'
tunnel_route: '$2.some.$1.yahoo'

FQDN ``some.foo.com`` will match and the captured string will be replaced in the ``tunnel_route`` which will end up being
``some.myfoo``.
Second part is using multiple groups, having ``bob.bar.example.com`` as FQDN, ``tunnel_route`` will end up being
``bar.some.bob.yahoo``.

Establish a blind tunnel to the backend server, connecting to the server's port with the destination port specified
in the Proxy Protocol from the inbound connection. Remember to add any expected values for ``{proxy_protocol_port}`` to
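Review bot: the remaining example ``tunnel_route: '$1.myfoo'`` has no port, while the key description says the destination is "an FQDN and port, separated by a colon"; either add a port to the example or state in the ``tunnel_route`` description what port is used when it is omitted. The sentence "FQDN ``some.foo.com`` will match and the captured string will be replaced in the ``tunnel_route``..." could be tightened to "For SNI ``some.foo.com`` the ``*`` captures ``some``, so the tunnel destination becomes ``some.myfoo``." Dropping the ``*.bar.*.com`` example is correct given the new single-wildcard rule.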
8 changes: 6 additions & 2 deletions doc/release-notes/upgrading.en.rst
Expand Up @@ -184,10 +184,14 @@ The following :file:`records.yaml` changes have been made:
The following changes have been made to the :file:`sni.yaml` file:

- ``disable_h2`` has been removed. Use ``http2`` with :code:`off` instead.
- The ``ip_allow`` key can now take a reference to a file containing the ip
allow rules
- The ``ip_allow`` key can now take a reference to a file containing the ip allow rules
- ``valid_tls_versions_in`` has been deprecated. Use ``valid_tls_version_min_in`` and ``valid_tls_version_max_in`` instead.
- Simplify wildcard support and matching order of the ``fqdn`` field

* Allow single left-most ``*``
* Do NOT support regex
* Allow ``$1`` (capturing) support in the ``tunnel_route`` field
* Matching depends on the order of entries (like :file:`remap.config`)

Plugins
-------
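Review bot: "Simplify wildcard support and matching order of the ``fqdn`` field" undersells a breaking change: entries that relied on regex, multiple ``*``, partial wildcards or ``$2`` and higher references, and configurations that depended on something other than entry order for precedence, will behave differently after upgrade. Please say so explicitly, state whether such entries now fail at load or are silently treated as literals, and give the migration step (reorder entries so specific names precede wildcards; split ``*.bar.*.com`` style rules into separate single-wildcard entries). The ``ip_allow`` bullet change in the same hunk is only a reflow onto one line and could be dropped to keep the diff focused.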