From 0186f548f8d116ce171179f602a659cd14211ae4 Mon Sep 17 00:00:00 2001 From: Fabian Franz BSc Date: Sun, 22 Mar 2020 11:02:45 +0100 Subject: [PATCH] www/nginx: SNI proxying (#1747) --- www/nginx/pkg-descr | 1 + .../app/controllers/OPNsense/Nginx/forms/location.xml | 7 +++++++ .../src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml | 6 +++++- .../service/templates/OPNsense/Nginx/location.conf | 9 +++++++-- 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr index a23083ed2..71fe052e5 100644 --- a/www/nginx/pkg-descr +++ b/www/nginx/pkg-descr @@ -10,6 +10,7 @@ Plugin Changelog 1.19 +* Add possibility to configure SNI proxying. * Display NAXSI rule ID in volt 1.18 diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml index b4b76dd60..05adce938 100644 --- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml +++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml @@ -242,6 +242,13 @@ true Enter a custom timout between data received from the client after which the connection is closed. + + location.proxy_ssl_server_name + + checkbox + true + Check this box, if you want the client SNI header to be used instead of your backend hostname. This settings overrides the configured hostname in the upstream configuration. + location.proxy_buffer_size diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml index 06a471a39..f81fbcdcf 100644 --- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml +++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml @@ -1,6 +1,6 @@ //OPNsense/Nginx - 1.17.0 + 1.19.0 nginx web server, reverse proxy and waf @@ -460,6 +460,10 @@ N 0 + + Y + 0 + 
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index 197cde8ce..b4482c537 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -174,9 +174,14 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
 proxy_ssl_certificate_key /usr/local/etc/nginx/key/{{ upstream.tls_client_certificate }}.key;
 proxy_ssl_certificate /usr/local/etc/nginx/key/{{ upstream.tls_client_certificate }}.pem;
 {% endif %}
-{% if upstream.tls_name_override is defined and upstream.tls_name_override != '' %}
+{% if location.proxy_ssl_server_name is defined and location.proxy_ssl_server_name == '1' %}
+ proxy_ssl_server_name on;
+{% else %}
+ proxy_ssl_server_name off;
+{% if upstream.tls_name_override is defined and upstream.tls_name_override != '' %}
 proxy_ssl_name {{ upstream.tls_name_override }};
-{% endif %}
+{% endif %}
+{% endif%}
 {% if upstream.tls_protocol_versions is defined and upstream.tls_protocol_versions != '' %}
 proxy_ssl_protocols {{ upstream.tls_protocol_versions.replace(',', ' ') }};
 {% endif %}
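Review bot: The `proxy_ssl_server_name on;` branch no longer emits `proxy_ssl_name {{ upstream.tls_name_override }};`, and nginx takes both the SNI value and the name checked during upstream certificate verification from `proxy_ssl_name`, which defaults to `$proxy_host` rather than to anything the client sent. With the box ticked the backend would therefore receive the host part of `proxy_pass` as SNI, and a configured override silently stops applying to verification too; the enclosing `location` block and any `proxy_pass` or `proxy_ssl_verify` lines lie outside this hunk, so this should be checked against them. That does not match the help text added in `forms/location.xml`, which promises that the client's SNI is used. If forwarding the client's name is really the intent, the branch needs an explicit `proxy_ssl_name $ssl_server_name;`, bearing in mind that the verified name then becomes client-chosen and is only bounded by the `server_name` list; otherwise keep emitting the override in both branches. The closing `{% endif%}` is also missing the space used by the other tags in this template.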