www/nginx: SNI proxying (#1747)

2026-06-03 22:08:11 -04:00 · 2020-03-22 11:02:45 +01:00 · 2020-03-22 11:02:45 +01:00 · 0186f548f8
commit 0186f548f8
parent b706df5e97
4 changed files with 20 additions and 3 deletions
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@ -10,6 +10,7 @@ Plugin Changelog

 1.19

+* Add possibility to configure SNI proxying.
 * Display NAXSI rule ID in volt

 1.18
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
@ -242,6 +242,13 @@
    <advanced>true</advanced>
    <help>Enter a custom timout between data received from the client after which the connection is closed.</help>
  </field>
+  <field>
+    <id>location.proxy_ssl_server_name</id>
+    <label>TLS SNI Forwarding</label>
+    <type>checkbox</type>
+    <advanced>true</advanced>
+    <help>Check this box, if you want the client SNI header to be used instead of your backend hostname. This settings overrides the configured hostname in the upstream configuration.</help>
+  </field>
  <field>
    <id>location.proxy_buffer_size</id>
    <label>Proxy Buffer Size (kB)</label>
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@ -1,6 +1,6 @@
 <model>
  <mount>//OPNsense/Nginx</mount>
-  <version>1.17.0</version>
+  <version>1.19.0</version>
  <description>nginx web server, reverse proxy and waf</description>
  <items>
    <general>
@ -460,6 +460,10 @@
        <Required>N</Required>
        <MinimumValue>0</MinimumValue>
      </proxy_max_temp_file_size>
+      <proxy_ssl_server_name type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </proxy_ssl_server_name>
    </location>

    <custom_policy type="ArrayField">
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@ -174,9 +174,14 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
    proxy_ssl_certificate_key /usr/local/etc/nginx/key/{{ upstream.tls_client_certificate }}.key;
    proxy_ssl_certificate /usr/local/etc/nginx/key/{{ upstream.tls_client_certificate }}.pem;
 {%     endif %}
-{%     if upstream.tls_name_override is defined and upstream.tls_name_override != '' %}
+{%     if location.proxy_ssl_server_name is defined and location.proxy_ssl_server_name == '1' %}
+    proxy_ssl_server_name on;
+{%     else %}
+    proxy_ssl_server_name off;
+{%         if upstream.tls_name_override is defined and upstream.tls_name_override != '' %}
    proxy_ssl_name {{ upstream.tls_name_override }};
-{%     endif %}
+{%         endif %}
+{%     endif%}
 {%     if upstream.tls_protocol_versions is defined and upstream.tls_protocol_versions != '' %}
    proxy_ssl_protocols {{ upstream.tls_protocol_versions.replace(',', ' ') }};
 {%     endif %}