Extensions: Network filter to forward SNI from the downstream TLS connection to the upstream TLS connection

CODEOWNERS

@@ -3,7 +3,7 @@
 #*       @envoyproxy/maintainers
 
 # dubbo_proxy extension
-/*/extensions/filters/network/dubbo_proxy @zyfjeff @lizan 
+/*/extensions/filters/network/dubbo_proxy @zyfjeff @lizan
 # thrift_proxy extension
 /*/extensions/filters/network/thrift_proxy @zuercher @brian-pane
 # jwt_authn http filter extension
@@ -14,3 +14,5 @@
 /*/extensions/transport_sockets/alts @htuch @yangminzhu
 # sni_cluster extension
 /*/extensions/filters/network/sni_cluster @rshriram @lizan
+#  extension
+/*/extensions/filters/network/forward_original_sni @lizan

docs/root/configuration/network_filters/forward_original_sni.rst

@@ -0,0 +1,14 @@
+.. _config_network_filters_forward_original_sni:
+
+Forward Original SNI
+=========================
+
+The `forward_original_sni` is a network filter that instructs other filters,
+such as `tcp_proxy`, to forward the SNI value from the downstream connection
+to the upstream connection. The filter will do nothing for non-TLS connections or
+for TLS connections without SNI.
+
+This filter has no configuration. It must be installed before the
+:ref:`tcp_proxy <config_network_filters_tcp_proxy>` filter.
+
+* :ref:`v2 API reference <envoy_api_field_listener.Filter.name>`

docs/root/configuration/network_filters/network_filters.rst

@@ -20,3 +20,4 @@ filters.
   tcp_proxy_filter
   thrift_proxy_filter
   sni_cluster_filter
+  forward_original_sni

docs/root/configuration/network_filters/tcp_proxy_filter.rst

@@ -18,6 +18,14 @@ implementation for the details.
 
 .. _config_network_filters_tcp_proxy_stats:
 
+Setting SNI
+-----------
+
+If `forward_original_sni` filter is installed, the TCP proxy filter will
+override the value in the `sni` field of
+:ref:`UpstreamTlsContext <envoy_api_msg_auth.UpstreamTlsContext>` of the
+upstream cluster by the SNI value from the downstream TLS connection.
+
 Statistics
 ----------
 

docs/root/intro/arch_overview/ssl.rst

@@ -18,7 +18,7 @@ requirements (TLS1.2, SNI, etc.). Envoy supports the following TLS features:
   (CRL) if one is :ref:`provided <envoy_api_field_auth.CertificateValidationContext.crl>`.
 * **ALPN**: TLS listeners support ALPN. The HTTP connection manager uses this information (in
   addition to protocol inference) to determine whether a client is speaking HTTP/1.1 or HTTP/2.
-* **SNI**: SNI is supported for both server (listener) and client (upstream) connections.
+* **SNI**: SNI is supported for both server (listener) and client (upstream) connections, including forwarding the SNI value from the downstream connection to the upstream one.
 * **Session resumption**: Server connections support resuming previous sessions via TLS session
   tickets (see `RFC 5077 <https://www.ietf.org/rfc/rfc5077.txt>`_). Resumption can be performed
   across hot restarts and between parallel Envoy instances (typically useful in a front proxy

docs/root/intro/version_history.rst

@@ -43,6 +43,8 @@ Version history
 * tracing: added support to the Zipkin tracer for the :ref:`b3 <config_http_conn_man_headers_b3>` single header format.
 * upstream: changed how load calculation for :ref:`priority levels<arch_overview_load_balancing_priority_levels>` and :ref:`panic thresholds<arch_overview_load_balancing_panic_threshold>` interact. As long as normalized total health is 100% panic thresholds are disregarded.
 * upstream: changed the default hash for :ref:`ring hash <envoy_api_msg_Cluster.RingHashLbConfig>` from std::hash to `xxHash <https://github.com/Cyan4973/xxHash>`_.
+* network: introduced :ref:`forward_original_sni <config_network_filters_forward_original_sni>` network filter that instructs `tcp_proxy` to forward the SNI value from the downstream TLS connection to the upstream TLS connection. If `forward_original_sni` is installed, `tcp_proxy` will override the value in the `sni` field of :ref:`UpstreamTlsContext <envoy_api_msg_auth.UpstreamTlsContext>` of
+  the upstream cluster by the SNI value from the downstream connection.
 
 1.8.0 (Oct 4, 2018)
 ===================

include/envoy/network/transport_socket.h

@@ -4,6 +4,8 @@
 #include "envoy/common/pure.h"
 #include "envoy/ssl/connection.h"
 
+#include "absl/types/optional.h"
+
 namespace Envoy {
 namespace Network {
 
@@ -149,9 +151,12 @@ class TransportSocketFactory {
   virtual bool implementsSecureTransport() const PURE;
 
   /**
+   * @param override_server_name set server name, disregard the value the factory was
+   * configured with
    * @return Network::TransportSocketPtr a transport socket to be passed to connection.
    */
-  virtual TransportSocketPtr createTransportSocket() const PURE;
+  virtual TransportSocketPtr
+  createTransportSocket(absl::optional<std::string> override_server_name) const PURE;
 };
 
 typedef std::unique_ptr<TransportSocketFactory> TransportSocketFactoryPtr;

include/envoy/upstream/cluster_manager.h

@@ -131,9 +131,10 @@ class ClusterManager {
    * Can return nullptr if there is no host available in the cluster or if the cluster does not
    * exist.
    */
-  virtual Tcp::ConnectionPool::Instance* tcpConnPoolForCluster(const std::string& cluster,
-                                                               ResourcePriority priority,
-                                                               LoadBalancerContext* context) PURE;
+  virtual Tcp::ConnectionPool::Instance*
+  tcpConnPoolForCluster(const std::string& cluster, ResourcePriority priority,
+                        LoadBalancerContext* context,
+                        absl::optional<std::string> override_server_name) PURE;
 
   /**
    * Allocate a load balanced TCP connection for a cluster. The created connection is already
@@ -143,8 +144,9 @@ class ClusterManager {
    * Returns both a connection and the host that backs the connection. Both can be nullptr if there
    * is no host available in the cluster.
    */
-  virtual Host::CreateConnectionData tcpConnForCluster(const std::string& cluster,
-                                                       LoadBalancerContext* context) PURE;
+  virtual Host::CreateConnectionData
+  tcpConnForCluster(const std::string& cluster, LoadBalancerContext* context,
+                    absl::optional<std::string> override_server_name) PURE;
 
   /**
    * Returns a client that can be used to make async HTTP calls against the given cluster. The
@@ -271,7 +273,8 @@ class ClusterManagerFactory {
   virtual Tcp::ConnectionPool::InstancePtr
   allocateTcpConnPool(Event::Dispatcher& dispatcher, HostConstSharedPtr host,
                       ResourcePriority priority,
-                      const Network::ConnectionSocket::OptionsSharedPtr& options) PURE;
+                      const Network::ConnectionSocket::OptionsSharedPtr& options,
+                      absl::optional<std::string> override_server_name) PURE;
 
   /**
    * Allocate a cluster from configuration proto.

include/envoy/upstream/upstream.h

@@ -73,7 +73,8 @@ class Host : virtual public HostDescription {
    */
   virtual CreateConnectionData
   createConnection(Event::Dispatcher& dispatcher,
-                   const Network::ConnectionSocket::OptionsSharedPtr& options) const PURE;
+                   const Network::ConnectionSocket::OptionsSharedPtr& options,
+                   absl::optional<std::string> override_server_name) const PURE;
 
   /**
    * Create a health check connection for this host.

source/common/http/http1/conn_pool.cc

@@ -316,7 +316,7 @@ ConnPoolImpl::ActiveClient::ActiveClient(ConnPoolImpl& parent)
   parent_.conn_connect_ms_ = std::make_unique<Stats::Timespan>(
       parent_.host_->cluster().stats().upstream_cx_connect_ms_, parent_.dispatcher_.timeSystem());
   Upstream::Host::CreateConnectionData data =
-      parent_.host_->createConnection(parent_.dispatcher_, parent_.socket_options_);
+      parent_.host_->createConnection(parent_.dispatcher_, parent_.socket_options_, absl::nullopt);
   real_host_description_ = data.host_description_;
   codec_client_ = parent_.createCodecClient(data);
   codec_client_->addConnectionCallbacks(*this);

source/common/http/http2/conn_pool.cc

@@ -223,7 +223,7 @@ ConnPoolImpl::ActiveClient::ActiveClient(ConnPoolImpl& parent)
   parent_.conn_connect_ms_ = std::make_unique<Stats::Timespan>(
       parent_.host_->cluster().stats().upstream_cx_connect_ms_, parent_.dispatcher_.timeSystem());
   Upstream::Host::CreateConnectionData data =
-      parent_.host_->createConnection(parent_.dispatcher_, parent_.socket_options_);
+      parent_.host_->createConnection(parent_.dispatcher_, parent_.socket_options_, absl::nullopt);
   real_host_description_ = data.host_description_;
   client_ = parent_.createCodecClient(data);
   client_->addConnectionCallbacks(*this);

source/common/network/raw_buffer_socket.cc

@@ -82,7 +82,8 @@ std::string RawBufferSocket::protocol() const { return EMPTY_STRING; }
 
 void RawBufferSocket::onConnected() { callbacks_->raiseEvent(ConnectionEvent::Connected); }
 
-TransportSocketPtr RawBufferSocketFactory::createTransportSocket() const {
+TransportSocketPtr
+RawBufferSocketFactory::createTransportSocket(absl::optional<std::string>) const {
   return std::make_unique<RawBufferSocket>();
 }
 

source/common/network/raw_buffer_socket.h

@@ -29,7 +29,8 @@ class RawBufferSocket : public TransportSocket, protected Logger::Loggable<Logge
 class RawBufferSocketFactory : public TransportSocketFactory {
 public:
   // Network::TransportSocketFactory
-  TransportSocketPtr createTransportSocket() const override;
+  TransportSocketPtr
+  createTransportSocket(absl::optional<std::string> override_server_name) const override;
   bool implementsSecureTransport() const override;
 };
 

source/common/ssl/context_impl.cc

@@ -275,7 +275,7 @@ std::vector<uint8_t> ContextImpl::parseAlpnProtocols(const std::string& alpn_pro
   return out;
 }
 
-bssl::UniquePtr<SSL> ContextImpl::newSsl() const {
+bssl::UniquePtr<SSL> ContextImpl::newSsl(absl::optional<std::string>) const {
   return bssl::UniquePtr<SSL>(SSL_new(ctx_.get()));
 }
 
@@ -498,11 +498,15 @@ ClientContextImpl::ClientContextImpl(Stats::Scope& scope, const ClientContextCon
   }
 }
 
-bssl::UniquePtr<SSL> ClientContextImpl::newSsl() const {
-  bssl::UniquePtr<SSL> ssl_con(ContextImpl::newSsl());
+bssl::UniquePtr<SSL>
+ClientContextImpl::newSsl(absl::optional<std::string> override_server_name) const {
+  bssl::UniquePtr<SSL> ssl_con(ContextImpl::newSsl(absl::nullopt));
 
-  if (!server_name_indication_.empty()) {
-    int rc = SSL_set_tlsext_host_name(ssl_con.get(), server_name_indication_.c_str());
+  std::string server_name_indication =
+      override_server_name.has_value() ? override_server_name.value() : server_name_indication_;
+
+  if (!server_name_indication.empty()) {
+    int rc = SSL_set_tlsext_host_name(ssl_con.get(), server_name_indication.c_str());
     RELEASE_ASSERT(rc, "");
   }
 

source/common/ssl/context_impl.h

@@ -11,6 +11,7 @@
 
 #include "common/ssl/context_manager_impl.h"
 
+#include "absl/types/optional.h"
 #include "openssl/ssl.h"
 
 namespace Envoy {
@@ -41,7 +42,7 @@ struct SslStats {
 
 class ContextImpl : public virtual Context {
 public:
-  virtual bssl::UniquePtr<SSL> newSsl() const;
+  virtual bssl::UniquePtr<SSL> newSsl(absl::optional<std::string> override_server_name) const;
 
   /**
    * Logs successful TLS handshake and updates stats.
@@ -142,7 +143,7 @@ class ClientContextImpl : public ContextImpl, public ClientContext {
   ClientContextImpl(Stats::Scope& scope, const ClientContextConfig& config,
                     TimeSource& time_source);
 
-  bssl::UniquePtr<SSL> newSsl() const override;
+  bssl::UniquePtr<SSL> newSsl(absl::optional<std::string> override_server_name) const override;
 
 private:
   const std::string server_name_indication_;

source/common/ssl/ssl_socket.cc

@@ -35,8 +35,9 @@ class NotReadySslSocket : public Network::TransportSocket {
 };
 } // namespace
 
-SslSocket::SslSocket(ContextSharedPtr ctx, InitialState state)
-    : ctx_(std::dynamic_pointer_cast<ContextImpl>(ctx)), ssl_(ctx_->newSsl()) {
+SslSocket::SslSocket(ContextSharedPtr ctx, InitialState state,
+                     absl::optional<std::string> override_server_name)
+    : ctx_(std::dynamic_pointer_cast<ContextImpl>(ctx)), ssl_(ctx_->newSsl(override_server_name)) {
   if (state == InitialState::Client) {
     SSL_set_connect_state(ssl_.get());
   } else {
@@ -370,7 +371,8 @@ ClientSslSocketFactory::ClientSslSocketFactory(ClientContextConfigPtr config,
   config_->setSecretUpdateCallback([this]() { onAddOrUpdateSecret(); });
 }
 
-Network::TransportSocketPtr ClientSslSocketFactory::createTransportSocket() const {
+Network::TransportSocketPtr ClientSslSocketFactory::createTransportSocket(
+    absl::optional<std::string> override_server_name) const {
   // onAddOrUpdateSecret() could be invoked in the middle of checking the existence of ssl_ctx and
   // creating SslSocket using ssl_ctx. Capture ssl_ctx_ into a local variable so that we check and
   // use the same ssl_ctx to create SslSocket.
@@ -380,7 +382,8 @@ Network::TransportSocketPtr ClientSslSocketFactory::createTransportSocket() cons
     ssl_ctx = ssl_ctx_;
   }
   if (ssl_ctx) {
-    return std::make_unique<Ssl::SslSocket>(std::move(ssl_ctx), Ssl::InitialState::Client);
+    return std::make_unique<Ssl::SslSocket>(std::move(ssl_ctx), Ssl::InitialState::Client,
+                                            override_server_name);
   } else {
     ENVOY_LOG(debug, "Create NotReadySslSocket");
     stats_.upstream_context_secrets_not_ready_.inc();
@@ -409,7 +412,8 @@ ServerSslSocketFactory::ServerSslSocketFactory(ServerContextConfigPtr config,
   config_->setSecretUpdateCallback([this]() { onAddOrUpdateSecret(); });
 }
 
-Network::TransportSocketPtr ServerSslSocketFactory::createTransportSocket() const {
+Network::TransportSocketPtr
+ServerSslSocketFactory::createTransportSocket(absl::optional<std::string>) const {
   // onAddOrUpdateSecret() could be invoked in the middle of checking the existence of ssl_ctx and
   // creating SslSocket using ssl_ctx. Capture ssl_ctx_ into a local variable so that we check and
   // use the same ssl_ctx to create SslSocket.
@@ -419,7 +423,8 @@ Network::TransportSocketPtr ServerSslSocketFactory::createTransportSocket() cons
     ssl_ctx = ssl_ctx_;
   }
   if (ssl_ctx) {
-    return std::make_unique<Ssl::SslSocket>(std::move(ssl_ctx), Ssl::InitialState::Server);
+    return std::make_unique<Ssl::SslSocket>(std::move(ssl_ctx), Ssl::InitialState::Server,
+                                            absl::nullopt);
   } else {
     ENVOY_LOG(debug, "Create NotReadySslSocket");
     stats_.downstream_context_secrets_not_ready_.inc();

source/common/ssl/ssl_socket.h

@@ -39,7 +39,8 @@ class SslSocket : public Network::TransportSocket,
                   public Connection,
                   protected Logger::Loggable<Logger::Id::connection> {
 public:
-  SslSocket(ContextSharedPtr ctx, InitialState state);
+  SslSocket(ContextSharedPtr ctx, InitialState state,
+            absl::optional<std::string> override_server_name);
 
   // Ssl::Connection
   bool peerCertificatePresented() const override;
@@ -87,7 +88,8 @@ class ClientSslSocketFactory : public Network::TransportSocketFactory,
   ClientSslSocketFactory(ClientContextConfigPtr config, Ssl::ContextManager& manager,
                          Stats::Scope& stats_scope);
 
-  Network::TransportSocketPtr createTransportSocket() const override;
+  Network::TransportSocketPtr
+  createTransportSocket(absl::optional<std::string> override_server_name) const override;
   bool implementsSecureTransport() const override;
 
   // Secret::SecretCallbacks
@@ -109,7 +111,8 @@ class ServerSslSocketFactory : public Network::TransportSocketFactory,
   ServerSslSocketFactory(ServerContextConfigPtr config, Ssl::ContextManager& manager,
                          Stats::Scope& stats_scope, const std::vector<std::string>& server_names);
 
-  Network::TransportSocketPtr createTransportSocket() const override;
+  Network::TransportSocketPtr
+  createTransportSocket(absl::optional<std::string> override_server_name) const override;
   bool implementsSecureTransport() const override;
 
   // Secret::SecretCallbacks

source/common/stream_info/BUILD

@@ -27,6 +27,15 @@ envoy_cc_library(
     ],
 )
 
+envoy_cc_library(
+    name = "forward_requested_server_name_lib",
+    srcs = ["forward_requested_server_name.cc"],
+    hdrs = ["forward_requested_server_name.h"],
+    deps = [
+        "//include/envoy/stream_info:filter_state_interface",
+    ],
+)
+
 envoy_cc_library(
     name = "utility_lib",
     srcs = ["utility.cc"],

source/common/stream_info/forward_requested_server_name.cc

@@ -0,0 +1,10 @@
+#include "common/stream_info/forward_requested_server_name.h"
+
+namespace Envoy {
+namespace StreamInfo {
+
+const std::string ForwardRequestedServerName::Key =
+    "envoy.stream_info.forward_requested_server_name";
+
+} // namespace StreamInfo
+} // namespace Envoy

source/common/stream_info/forward_requested_server_name.h

@@ -0,0 +1,24 @@
+#pragma once
+
+#include "envoy/stream_info/filter_state.h"
+
+#include "absl/strings/string_view.h"
+
+namespace Envoy {
+namespace StreamInfo {
+
+/**
+ * Original Requested Server Name
+ */
+class ForwardRequestedServerName : public FilterState::Object {
+public:
+  ForwardRequestedServerName(absl::string_view server_name) : server_name_(server_name) {}
+  const std::string& value() const { return server_name_; }
+  static const std::string Key;
+
+private:
+  const std::string server_name_;
+};
+
+} // namespace StreamInfo
+} // namespace Envoy

source/common/tcp/conn_pool.cc

@@ -11,8 +11,10 @@ namespace Tcp {
 
 ConnPoolImpl::ConnPoolImpl(Event::Dispatcher& dispatcher, Upstream::HostConstSharedPtr host,
                            Upstream::ResourcePriority priority,
-                           const Network::ConnectionSocket::OptionsSharedPtr& options)
+                           const Network::ConnectionSocket::OptionsSharedPtr& options,
+                           absl::optional<std::string> override_server_name)
     : dispatcher_(dispatcher), host_(host), priority_(priority), socket_options_(options),
+      override_server_name_(override_server_name),
       upstream_ready_timer_(dispatcher_.createTimer([this]() { onUpstreamReady(); })) {}
 
 ConnPoolImpl::~ConnPoolImpl() {
@@ -356,8 +358,8 @@ ConnPoolImpl::ActiveConn::ActiveConn(ConnPoolImpl& parent)
   parent_.conn_connect_ms_ = std::make_unique<Stats::Timespan>(
       parent_.host_->cluster().stats().upstream_cx_connect_ms_, parent_.dispatcher_.timeSystem());
 
-  Upstream::Host::CreateConnectionData data =
-      parent_.host_->createConnection(parent_.dispatcher_, parent_.socket_options_);
+  Upstream::Host::CreateConnectionData data = parent_.host_->createConnection(
+      parent_.dispatcher_, parent_.socket_options_, parent_.override_server_name_);
   real_host_description_ = data.host_description_;
 
   conn_ = std::move(data.connection_);