SNI Wildcard-ing


#1

I’m not sure this belongs here, but I saw a previous issue
https://github.com/Kong/kong/issues/3238
directed a request be opened here. With TLS certificate wildcard-ing in general and wildcard host matching for Routes within Kong already, this seems more an oversight than a new feature?

Regardless, requesting Kong allow wildcard matching of SNI values for TLS certificates when proxying request traffic. This will alleviate the need for enormous lists of SNI values for subdomains that are covered by a wildcard TLS certificate. Is there a reason to NOT support this (again, given that certificates support wildcards)?

Currently using Kong:0.14.0 - docker image with Postgres 9.5.


#2

I am in the same boat as you.

We decided to use Kong as our edge proxy for our infrastructure. One part of this infrastructure is a Docker Swarm for which we just want to proxy a wildcard domain. At the same time we want to terminate the SSL.

But it seems that it is not possible to terminate all requests to a wildcard domain without having to add all the subdomains as SNIs. Seems like we have to back out and continue to use plain nginx as we are already doing now.


#3

We are using Kong within Docker Swarm (for now… looking at moving to Kubernetes).
One workaround that I’m playing with right now is setting our wildcard cert as the “default”, locating it within the container and using

  -e "KONG_SSL_CERT=<PATH_TO_CERT>"
  -e "KONG_SSL_CERT_KEY=<PATH_TO_KEY>"

I don’t want to store our decrypted key (nor our encrypted cert/key if at all possible) in the image in our registry; so I’m playing with Swarm Secrets and looking at Kubernetes Secrets as well for possibly storing them securely. But I’d love to slim this down to just Kong configuration using a wildcard-based SNI (or, if I’m going REALLY wish list, regex-based SNI to possibly provide a bit of granularity) because database encryption should be sufficient.


#4

+1. Same here, this would be a very useful feature. I don’t see a reason why this can’t be implemented.


#6

Resolved: open kong\runloop\certificate.lua and add the following to the function find_certificate after line 23

  --start
  --by guantao 2018-11-14
  if not row then
    -- no exact SNI match: retry with the single-label wildcard,
    -- e.g. api.example.com -> *.example.com
    local _, index = string.find(sni_name, "%.")
    if index then  -- a name without a dot has no wildcard form to try
      local domain = "*" .. string.sub(sni_name, index)
      row, err = singletons.db.snis:select_by_name(domain)
      if err then
        return nil, err
      end
    end
  end
  --end
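The wildcard fallback requested in the opening post and sketched in the patch above, as a stand-alone added example (not Kong's own code): an in-memory table stands in for `singletons.db.snis:select_by_name()`, and the names `SNIS`, `wildcard_candidate` and `find_certificate_for_sni` are assumed. It also shows the caveat a defender wants enforced: a wildcard covers exactly one label, so `a.b.example.com` must not be served by the `*.example.com` certificate.

```lua
-- Constructed sample data: SNI name -> certificate id (stand-in for the snis table).
local SNIS = {
  ["api.example.com"] = "cert-exact",
  ["*.example.com"]   = "cert-wildcard",
}

-- Return "*.<parent>" for a hostname with at least three labels, or nil when
-- there is nothing sensible to fall back to. Assumptions made here:
--  * an SNI that already starts with "*" gets no further widening;
--  * a two-label name (example.com) is not widened to "*.com", because a
--    wildcard over a public suffix is never a legitimate certificate.
local function wildcard_candidate(sni_name)
  if type(sni_name) ~= "string" or sni_name == "" then return nil end
  if sni_name:sub(1, 1) == "*" then return nil end
  local parent = sni_name:match("^[^%.]+%.(.+)$")   -- strip the leftmost label
  if not parent or not parent:find("%.") then return nil end
  return "*." .. parent
end

-- Exact match first, then the single-label wildcard. Because only the
-- leftmost label is replaced, a.b.example.com looks up *.b.example.com and
-- never *.example.com (the RFC 6125 one-label rule).
local function find_certificate_for_sni(sni_name)
  local cert = SNIS[sni_name]
  if cert then return cert, "exact" end
  local wildcard = wildcard_candidate(sni_name)
  if wildcard and SNIS[wildcard] then return SNIS[wildcard], "wildcard" end
  return nil, "none"
end

-- Demonstration over constructed SNI values.
for _, name in ipairs({ "api.example.com", "www.example.com",
                        "a.b.example.com", "example.com" }) do
  local cert, how = find_certificate_for_sni(name)
  print(string.format("%-16s -> %-13s (%s)", name, tostring(cert), how))
end
-- api.example.com  -> cert-exact    (exact)
-- www.example.com  -> cert-wildcard (wildcard)
-- a.b.example.com  -> nil           (none)
-- example.com      -> nil           (none)
```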