
.. _faq_how_to_setup_sni:

How do I configure SNI for listeners?
=====================================

`SNI <https://en.wikipedia.org/wiki/Server_Name_Indication>`_ is only supported in the
:ref:`v3 configuration/API <config_overview>`.

.. attention::

  :ref:`TLS Inspector <config_listener_filters_tls_inspector>` listener filter must be configured
  in order to detect requested SNI.

The following is a YAML example of the above requirement.

.. code-block:: yaml

  address:
    socket_address: { address: 127.0.0.1, port_value: 1234 }
  listener_filters:
  # TLS Inspector reads the ClientHello so filter_chain_match can see the requested SNI.
  - name: "envoy.filters.listener.tls_inspector"
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
  filter_chains:
  # Chain for connections whose SNI is example.com or www.example.com.
  - filter_chain_match:
      server_names: ["example.com", "www.example.com"]
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
        common_tls_context:
          tls_certificates:
          - certificate_chain: { filename: "example_com_cert.pem" }
            private_key: { filename: "example_com_key.pem" }
    filters:
    - name: envoy.filters.network.http_connection_manager
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        stat_prefix: ingress_http
        route_config:
          virtual_hosts:
          - name: default
            domains: ["*"]
            routes:
            - match: { prefix: "/" }
              route: { cluster: service_foo }
  # Chain for connections whose SNI is api.example.com, with its own certificate.
  - filter_chain_match:
      server_names: ["api.example.com"]
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
        common_tls_context:
          tls_certificates:
          - certificate_chain: { filename: "api_example_com_cert.pem" }
            private_key: { filename: "api_example_com_key.pem" }
    filters:
    - name: envoy.filters.network.http_connection_manager
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        stat_prefix: ingress_http
        route_config:
          virtual_hosts:
          - name: default
            domains: ["*"]
            routes:
            - match: { prefix: "/" }
              route: { cluster: service_foo }
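The requirement in the attention box can be checked before a configuration is deployed. The following is an added example, not part of the Envoy documentation or code base: a small Python lint that flags filter chains using ``server_names`` on a listener with no TLS Inspector. The function names and the trimmed JSON sample are assumptions made for illustration.

```python
"""Lint an Envoy listener: server_names matching needs the TLS Inspector filter."""
import json

TLS_INSPECTOR = "envoy.filters.listener.tls_inspector"
TLS_INSPECTOR_TYPE = ("type.googleapis.com/"
                      "envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector")

def as_list(value):
    """Treat a missing value as empty and a bare string as a one-item list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def has_tls_inspector(listener):
    """True if the listener declares TLS Inspector, by name or by typed_config @type."""
    for lf in listener.get("listener_filters") or []:
        type_url = (lf.get("typed_config") or {}).get("@type")
        if lf.get("name") == TLS_INSPECTOR or type_url == TLS_INSPECTOR_TYPE:
            return True
    return False

def sni_findings(listener):
    """One finding per filter chain that matches on SNI without TLS Inspector."""
    if has_tls_inspector(listener):
        return []
    findings = []
    for i, chain in enumerate(listener.get("filter_chains") or []):
        match = chain.get("filter_chain_match") or {}
        names = as_list(match.get("server_names"))
        if names:
            findings.append(f"filter_chains[{i}]: server_names {names} "
                            "set, but no tls_inspector listener filter")
    return findings

# Constructed sample input: the listener above in JSON form, trimmed to the
# fields this check reads.
GOOD = json.loads("""
{"address": {"socket_address": {"address": "127.0.0.1", "port_value": 1234}},
 "listener_filters": [{"name": "envoy.filters.listener.tls_inspector"}],
 "filter_chains": [
   {"filter_chain_match": {"server_names": ["example.com", "www.example.com"]}},
   {"filter_chain_match": {"server_names": ["api.example.com"]}}]}
""")
# The same listener with the listener_filters section dropped.
BAD = {k: v for k, v in GOOD.items() if k != "listener_filters"}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, sni_findings(cfg) or "ok")
```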

How do I configure SNI for clusters?
====================================

See :ref:`SNI configuration <start_quick_start_securing_sni_client>` and
:ref:`validation configuration <start_quick_start_securing_validation>`.