bneradt · bneradt · May 25, 2023 · May 31, 2023 · May 31, 2023 · Jun 1, 2023
diff --git a/doc/admin-guide/files/sni.yaml.en.rst b/doc/admin-guide/files/sni.yaml.en.rst
@@ -27,7 +27,7 @@ Description
 
 This file is used to configure aspects of TLS connection handling for both inbound and outbound
 connections. With the exception of ``host_sni_policy`` (see the description below), the configuration is driven by the SNI values provided by the inbound connection. The
-file consists of a set of configuration items, each identified by an SNI value (``fqdn``).
+file consists of a set of configuration items, each identified by an SNI value and optionally a port range (``fqdn``, ``inbound_port_range``).
 When an inbound TLS connection is made, the SNI value from the TLS negotiation is matched against
 the items specified by this file and if there is a match, the values specified in that item override
 the defaults. This is done during the inbound connection processing; some outbound properties
@@ -52,11 +52,34 @@ for a more detailed description of HTTP/2 connection coalescing. A similar thing
 .. _override-host-sni-policy:
 .. _override-h2-properties:
 
+The following fields make up the key for each item in the configuration file.
+
 ========================= ========= ========================================================================================
 Key                       Direction Meaning
 ========================= ========= ========================================================================================
-fqdn                      Both      Fully Qualified Domain Name. This item is used if the SNI value matches this.
+fqdn                      Both      Fully Qualified Domain Name.
+
+inbound_port_range        Inbound   The port range for the inbound connection in the form ``port`` or
+                                    ``min-max``.
+
+                                    For example:
+
+                                       ``443``
+
+                                    would match all requests with an SNI for example.com on port 443, and
+
+                                       ``443-446``
+
+                                    would match requests with an SNI for example.com on ports 443 to 446, inclusive.
+                                    By default this is all ports.
 
+========================= ========= ========================================================================================
+
+The following fields are the directives that determine the behavior of connections matching the key.
+
+========================= ========= ========================================================================================
+Key                       Direction Meaning
+========================= ========= ========================================================================================
 ip_allow                  Inbound   Specify a list of client IP address, subnets, or ranges what are allowed to complete
                                     the connection. This list is comma separated. IPv4 and IPv6 addresses can be specified.
                                     Here is an example list ::

diff --git a/include/tscpp/util/ts_ip.h b/include/tscpp/util/ts_ip.h
@@ -22,12 +22,17 @@
 
 #pragma once
 
+#include <limits>
 #include <optional>
 
+#include "swoc/DiscreteRange.h"
 #include "swoc/swoc_ip.h"
 
 namespace ts
 {
+inline constexpr in_port_t MAX_PORT_VALUE{std::numeric_limits<in_port_t>::max()};
+using port_range_t = swoc::DiscreteRange<in_port_t>;
+
 /// Pair of addresses, each optional.
 /// Used in situations where both an IPv4 and IPv6 may be needed.
 class IPAddrPair

diff --git a/iocore/net/Makefile.am b/iocore/net/Makefile.am
@@ -97,7 +97,10 @@ test_UDPNet_SOURCES = \
 
 test_libinknet_SOURCES = \
 	libinknet_stub.cc \
-	unit_tests/test_ProxyProtocol.cc
+	unit_tests/unit_test_main.cc \
+	unit_tests/test_ProxyProtocol.cc \
+	unit_tests/test_SSLSNIConfig.cc \
+	unit_tests/test_YamlSNIConfig.cc
 
 test_libinknet_CPPFLAGS = \
 	$(AM_CPPFLAGS) \
@@ -108,6 +111,7 @@ test_libinknet_CPPFLAGS = \
 	-I$(abs_top_srcdir)/proxy/http \
 	-I$(abs_top_srcdir)/mgmt \
 	-I$(abs_top_srcdir)/mgmt/utils \
+	-DLIBINKNET_UNIT_TEST_DIR="$(abs_top_srcdir)/iocore/net/unit_tests" \
 	@OPENSSL_INCLUDES@
 
 test_libinknet_LDFLAGS = \

diff --git a/iocore/net/P_QUICNetVConnection_quiche.h b/iocore/net/P_QUICNetVConnection_quiche.h
@@ -50,6 +50,8 @@
 #include "quic/QUICContext.h"
 #include "quic/QUICStreamManager.h"
 #include "quic/QUICStreamManager_quiche.h"
+
+#include <netinet/in.h>
 #include <quiche.h>
 
 class QUICPacketHandler;
@@ -155,6 +157,7 @@ class QUICNetVConnection : public UnixNetVConnection,
 
   // TLSSNISupport
   void _fire_ssl_servername_event() override;
+  in_port_t _get_local_port() override;
 
   // TLSSessionResumptionSupport
   const IpEndpoint &_getLocalEndpoint() override;

diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h
@@ -31,17 +31,8 @@
  ****************************************************************************/
 #pragma once
 
-#include <memory>
-
 #include "tscore/ink_platform.h"
 #include "ts/apidefs.h"
-#include <string_view>
-#include <cstring>
-#include <memory>
-
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-#include <openssl/objects.h>
 
 #include "P_EventSystem.h"
 #include "P_UnixNetVConnection.h"
@@ -56,6 +47,15 @@
 #include "P_SSLUtils.h"
 #include "P_SSLConfig.h"
 
+#include <netinet/in.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/objects.h>
+
+#include <cstring>
+#include <memory>
+#include <string_view>
+
 // These are included here because older OpenSSL libraries don't have them.
 // Don't copy these defines, or use their values directly, they are merely
 // here to avoid compiler errors.
@@ -408,7 +408,9 @@ class SSLNetVConnection : public UnixNetVConnection,
     return local_addr;
   }
 
+  // TLSSNISupport
   void _fire_ssl_servername_event() override;
+  in_port_t _get_local_port() override;
 
   bool _isTryingRenegotiation() const override;
   shared_SSL_CTX _lookupContextByName(const std::string &servername, SSLCertContextType ctxType) override;

diff --git a/iocore/net/QUICNetVConnection_quiche.cc b/iocore/net/QUICNetVConnection_quiche.cc
@@ -26,6 +26,8 @@
 #include "QUICMultiCertConfigLoader.h"
 #include "quic/QUICStream_quiche.h"
 #include "quic/QUICGlobals.h"
+
+#include <netinet/in.h>
 #include <quiche.h>
 
 static constexpr ink_hrtime WRITE_READY_INTERVAL = HRTIME_MSECONDS(2);
@@ -745,6 +747,12 @@ QUICNetVConnection::_fire_ssl_servername_event()
 {
 }
 
+in_port_t
+QUICNetVConnection::_get_local_port()
+{
+  return this->get_local_port();
+}
+
 const IpEndpoint &
 QUICNetVConnection::_getLocalEndpoint()
 {

diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
@@ -42,6 +42,8 @@
 #include "SSLStats.h"
 #include "P_ALPNSupport.h"
 
+#include <netinet/in.h>
+
 #include <string>
 #include <cstring>
 
@@ -1966,6 +1968,12 @@ SSLNetVConnection::_fire_ssl_servername_event()
   this->callHooks(TS_EVENT_SSL_SERVERNAME);
 }
 
+in_port_t
+SSLNetVConnection::_get_local_port()
+{
+  return this->get_local_port();
+}
+
 bool
 SSLNetVConnection::_isTryingRenegotiation() const
 {