From 141ea59b7fd3bef75a5821f8568eb1baa8011cd9 Mon Sep 17 00:00:00 2001
From: schaefec
Date: Fri, 4 Oct 2019 08:19:31 +0100
Subject: [PATCH 1/3] Allows overriding the server name used to verify the certificate of the proxied HTTPS server
---
 .../user-guide/nginx-configuration/annotations.md | 3 +++
 internal/ingress/annotations/proxyssl/main.go | 15 +++++++++++----
 .../ingress/annotations/proxyssl/main_test.go | 5 +++++
 rootfs/etc/nginx/template/nginx.tmpl | 3 +++
 4 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
index 05c7f360a..74d3ee1ea 100755
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@@ -73,6 +73,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
 |[nginx.ingress.kubernetes.io/proxy-http-version](#proxy-http-version)|"1.0" or "1.1"|
 |[nginx.ingress.kubernetes.io/proxy-ssl-secret](#backend-certificate-authentication)|string|
 |[nginx.ingress.kubernetes.io/proxy-ssl-ciphers](#backend-certificate-authentication)|string|
+|[nginx.ingress.kubernetes.io/proxy-ssl-name](#backend-certificate-authentication)|string|
 |[nginx.ingress.kubernetes.io/proxy-ssl-protocols](#backend-certificate-authentication)|string|
 |[nginx.ingress.kubernetes.io/proxy-ssl-verify](#backend-certificate-authentication)|string|
 |[nginx.ingress.kubernetes.io/proxy-ssl-verify-depth](#backend-certificate-authentication)|number|
@@ -274,6 +275,8 @@ It is possible to authenticate to a proxied HTTPS backend with certificate using Sets the verification depth in the proxied HTTPS server certificates chain. (default: 1) * `nginx.ingress.kubernetes.io/proxy-ssl-ciphers`: Specifies the enabled [ciphers](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_ciphers) for requests to a proxied HTTPS server. The ciphers are specified in the format understood by the OpenSSL library. +* `nginx.ingress.kubernetes.io/proxy-ssl-name`: + Allows to set [proxy_ssl_name](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_name). This allows overriding the server name used to verify the certificate of the proxied HTTPS server. This value is also passed through SNI when a connection is established to the proxied HTTPS server. * `nginx.ingress.kubernetes.io/proxy-ssl-protocols`: Enables the specified [protocols](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_protocols) for requests to a proxied HTTPS server. diff --git a/internal/ingress/annotations/proxyssl/main.go b/internal/ingress/annotations/proxyssl/main.go index 461745893..eb44ae803 100644 --- a/internal/ingress/annotations/proxyssl/main.go +++ b/internal/ingress/annotations/proxyssl/main.go @@ -45,10 +45,11 @@ var ( // and the configured VerifyDepth type Config struct { resolver.AuthSSLCert - Ciphers string `json:"ciphers"` - Protocols string `json:"protocols"` - Verify string `json:"verify"` - VerifyDepth int `json:"verifyDepth"` + Ciphers string `json:"ciphers"` + Protocols string `json:"protocols"` + ProxySSLName string `json:"proxySSLName"` + Verify string `json:"verify"` + VerifyDepth int `json:"verifyDepth"` } // Equal tests for equality between two Config types 
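Review bot: The new `ProxySSLName` field is not compared in `Config.Equal`, whose declaration starts right below this hunk (outside it) and is otherwise untouched by the commit — the main.go diffstat (11 insertions, 4 deletions) is fully accounted for by the five struct lines here and the six lines added in `Parse`. If `Equal` is what decides whether a backend's TLS configuration changed, an Ingress that only changes `proxy-ssl-name` would compare as unchanged and the rendered `proxy_ssl_name` could go stale. Add a comparison of `ProxySSLName` next to the existing field comparisons in `Equal`, in the form `if l.ProxySSLName != r.ProxySSLName { return false }` with the method's actual receiver and argument names. Patch 2's realignment of the struct leaves this gap unchanged.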
@@ -143,6 +144,12 @@ func (p proxySSL) Parse(ing *networking.Ingress) (interface{}, error) {
 config.Protocols = sortProtocols(config.Protocols)
 }
 
+ config.ProxySSLName, err = parser.GetStringAnnotation("proxy-ssl-name", ing)
+ if err != nil {
+ e := errors.Wrap(err, "error obtaining proxy-ssl-name")
+ return &Config{}, ing_errors.LocationDenied{Reason: e}
+ }
+
 config.Verify, err = parser.GetStringAnnotation("proxy-ssl-verify", ing)
 if err != nil || !proxySSLOnOffRegex.MatchString(config.Verify) {
 config.Verify = defaultProxySSLVerify
diff --git a/internal/ingress/annotations/proxyssl/main_test.go b/internal/ingress/annotations/proxyssl/main_test.go
index 37279a550..5f63c992e 100644
--- a/internal/ingress/annotations/proxyssl/main_test.go
+++ b/internal/ingress/annotations/proxyssl/main_test.go
@@ -94,6 +94,7 @@ func TestAnnotations(t *testing.T) {
 data[parser.GetAnnotationWithPrefix("proxy-ssl-session-reuse")] = "off"
 data[parser.GetAnnotationWithPrefix("proxy-ssl-verify")] = "on"
 data[parser.GetAnnotationWithPrefix("proxy-ssl-verify-depth")] = "3"
+ data[parser.GetAnnotationWithPrefix("proxy-ssl-name")] = "testname.namespace"
 
 ing.SetAnnotations(data)
 
@@ -128,6 +129,10 @@ func TestAnnotations(t *testing.T) {
 if u.VerifyDepth != 3 {
 t.Errorf("expected %v but got %v", 3, u.VerifyDepth)
 }
+ if u.ProxySSLName != "testname.namespace" {
+ t.Errorf("expected %v but got %v", "testname.namespace", u.ProxySSLName)
+ }
+
 }
 
 func TestInvalidAnnotations(t *testing.T) {
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 655632479..47c91341b 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
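Review bot: The value read into `config.ProxySSLName` here is never validated, and the template hunks (nginx.tmpl at 813 in this patch and at 1237 in patch 3) write it verbatim as `proxy_ssl_name {{ ... }};`, so an annotation value containing a `;` or a line break would land in nginx.conf as additional directives; the reworked read in patch 2 keeps the same gap. Unlike `proxy-ssl-verify`, which is checked against `proxySSLOnOffRegex` two lines below, nothing constrains this string to a server name or an nginx variable. Constrain it to that shape, for example a package-level `var proxySSLNameRegex = regexp.MustCompile("^(\\$[a-zA-Z_][a-zA-Z0-9_]*|[a-zA-Z0-9.-]+)$")` beside `proxySSLOnOffRegex`, and `if err != nil || !proxySSLNameRegex.MatchString(config.ProxySSLName) { config.ProxySSLName = "" }`, so an invalid value is dropped (or reported, as the existing `LocationDenied` path does) instead of rendered. `Parse` begins and ends outside this hunk.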
@@ -813,6 +813,9 @@ stream {
 proxy_ssl_protocols {{ $server.ProxySSL.Protocols }};
 proxy_ssl_verify {{ $server.ProxySSL.Verify }};
 proxy_ssl_verify_depth {{ $server.ProxySSL.VerifyDepth }};
+ {{ if not (empty $server.ProxySSL.ProxySSLName) }}
+ proxy_ssl_name {{ $server.ProxySSL.ProxySSLName }};
+ {{ end }}
 {{ end }}
 
 {{ if not (empty $server.ProxySSL.PemFileName) }}
From 0ab2e72e95b27e0880280faf23db699518375c9b Mon Sep 17 00:00:00 2001
From: schaefec
Date: Wed, 16 Oct 2019 15:35:49 +0100
Subject: [PATCH 2/3] Doesn't fail if proxy-ssl-name annotation is not specified
---
 internal/ingress/annotations/proxyssl/main.go | 13 ++++++-------
 internal/ingress/annotations/proxyssl/main_test.go | 5 ++---
 2 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/internal/ingress/annotations/proxyssl/main.go b/internal/ingress/annotations/proxyssl/main.go
index eb44ae803..51fd1eff7 100644
--- a/internal/ingress/annotations/proxyssl/main.go
+++ b/internal/ingress/annotations/proxyssl/main.go
@@ -45,11 +45,11 @@ var (
 // and the configured VerifyDepth
 type Config struct {
 resolver.AuthSSLCert
- Ciphers string `json:"ciphers"`
- Protocols string `json:"protocols"`
- ProxySSLName string `json:"proxySSLName"`
- Verify string `json:"verify"`
- VerifyDepth int `json:"verifyDepth"`
+ Ciphers string `json:"ciphers"`
+ Protocols string `json:"protocols"`
+ ProxySSLName string `json:"proxySSLName"`
+ Verify string `json:"verify"`
+ VerifyDepth int `json:"verifyDepth"`
 }
 
 // Equal tests for equality between two Config types
@@ -146,8 +146,7 @@ func (p proxySSL) Parse(ing *networking.Ingress) (interface{}, error) {
 
 config.ProxySSLName, err = parser.GetStringAnnotation("proxy-ssl-name", ing)
 if err != nil {
- e := errors.Wrap(err, "error obtaining proxy-ssl-name")
- return &Config{}, ing_errors.LocationDenied{Reason: e}
+ config.ProxySSLName = ""
 }
 
 config.Verify, err = parser.GetStringAnnotation("proxy-ssl-verify", ing)
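Review bot: The error branch now assigns `config.ProxySSLName = ""`, but the test hunk in the same patch (main_test.go at 128) expects `u.ProxySSLName` to be `"$host"` when the annotation is absent, and nothing in the series introduces that default — unless `GetStringAnnotation` or code outside the hunk supplies it, the fallback and the test disagree. If `$host` is the intended default, follow the pattern of `defaultProxySSLVerify` used two lines below and assign a named constant here, for example `config.ProxySSLName = defaultProxySSLName` with `defaultProxySSLName = "$host"` declared alongside the other defaults; if an empty value is intended, fix the test instead. Assigning the empty string is also redundant if `GetStringAnnotation` already returns the zero value on error — worth confirming. `Parse` begins and ends outside this hunk.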
diff --git a/internal/ingress/annotations/proxyssl/main_test.go b/internal/ingress/annotations/proxyssl/main_test.go
index 5f63c992e..1c35ed683 100644
--- a/internal/ingress/annotations/proxyssl/main_test.go
+++ b/internal/ingress/annotations/proxyssl/main_test.go
@@ -94,7 +94,6 @@ func TestAnnotations(t *testing.T) {
 data[parser.GetAnnotationWithPrefix("proxy-ssl-session-reuse")] = "off"
 data[parser.GetAnnotationWithPrefix("proxy-ssl-verify")] = "on"
 data[parser.GetAnnotationWithPrefix("proxy-ssl-verify-depth")] = "3"
- data[parser.GetAnnotationWithPrefix("proxy-ssl-name")] = "testname.namespace"
 
 ing.SetAnnotations(data)
 
@@ -129,8 +128,8 @@ func TestAnnotations(t *testing.T) {
 if u.VerifyDepth != 3 {
 t.Errorf("expected %v but got %v", 3, u.VerifyDepth)
 }
- if u.ProxySSLName != "testname.namespace" {
- t.Errorf("expected %v but got %v", "testname.namespace", u.ProxySSLName)
+ if u.ProxySSLName != "$host" {
+ t.Errorf("expected %v but got %v", "$host", u.ProxySSLName)
 }
 
 }
From 2de30bf451f6dd9b14fd589447309e7553b103b8 Mon Sep 17 00:00:00 2001
From: Laszlo Janosi
Date: Tue, 25 Feb 2020 13:52:34 +0100
Subject: [PATCH 3/3] Add proxy-ssl-name to location level
---
 rootfs/etc/nginx/template/nginx.tmpl | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 47c91341b..1fbace0c4 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -1237,6 +1237,10 @@ stream {
 proxy_ssl_verify_depth {{ $location.ProxySSL.VerifyDepth }};
 {{ end }}
 
+ {{ if not (empty $location.ProxySSL.ProxySSLName) }}
+ proxy_ssl_name {{ $location.ProxySSL.ProxySSLName }};
+ {{ end }}
+
 {{ if not (empty $location.ProxySSL.PemFileName) }}
 proxy_ssl_certificate {{ $location.ProxySSL.PemFileName }};
 proxy_ssl_certificate_key {{ $location.ProxySSL.PemFileName }};
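Review bot: This location-level `proxy_ssl_name` block sits after the `{{ end }}` that closes the block containing `proxy_ssl_verify_depth`, whereas the server-level hunk in patch 1 (nginx.tmpl at 813) emits `proxy_ssl_name` inside that block, before its `{{ end }}`. The condition that `{{ end }}` closes is outside the hunk, but as written the location directive is rendered whenever `ProxySSLName` is non-empty, independently of whatever gates the other `proxy_ssl_*` directives at this level. Either move the three added lines above the `{{ end }}` so both levels behave alike, or, if the asymmetry is intended, say so in place with a template comment such as `{{/* proxy_ssl_name is rendered independently of the preceding ProxySSL guard */}}`.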