If you are reporting any crash or any potential security issue, do not
open an issue in this repo. Please report the issue via emailing envoy-security@googlegroups.com where the issue will be triaged appropriately.
Title: One line description
Description:
When I send a request that matches a filter chain, I see access logs: {"requested_server_name":"hello.example.com", ...}
However, if I send a request that does not match any filter chains: {"requested_server_name":null,...}
Repro steps:
Access log config, at the listener level:
My expectation is that the REQUESTED_SERVER_NAME field would be populated here. Given tls_inspector runs before we do filter chain matching, I would expect this information is available?
I guess it's because ActiveTcpListener::newConnection didn't populate the REQUESTED_SERVER_NAME.
The logic is tricky there:
If a filter chain is selected, the transport socket in the chosen filter chain should populate the REQUESTED_SERVER_NAME. The value sniffed by tls_inspector should be ignored.
If no filter chain is selected, this server name should be populated with the best knowledge, namely what tls inspector sniffed.
By the way, a real-world case that impacted me: I was trying to debug a "no filter chain match". I concluded, based on the log, that the client does not set any SNI. However, it actually did, but set it to one that did not match any filter chain. I was only able to figure this out by swapping Envoy with mitmproxy.
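Added example (not part of the original issue and not Envoy code): a way to tell the two cases in the thread apart from a captured ClientHello record, since both log `requested_server_name` as null. The function names, the constructed ClientHello bytes and the exact-match comparison against a set of filter chain server names are assumptions made for illustration; Envoy's own matching rules are not modelled.

```python
import struct

def build_client_hello(sni):
    """Build a minimal ClientHello record (constructed test input, not a capture)."""
    exts = b""
    if sni is not None:
        entry = b"\x00" + struct.pack("!H", len(sni)) + sni.encode("ascii")  # host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0, len(sn_list)) + sn_list   # extension type 0 = SNI
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(record):
    """Return the host_name in a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:  # handshake record, ClientHello
            return None
        hs_len = int.from_bytes(record[6:9], "big")
        buf = record[9:9 + hs_len]
        pos = 2 + 32                                       # client_version + random
        pos += 1 + buf[pos]                                # session_id
        pos += 2 + struct.unpack_from("!H", buf, pos)[0]   # cipher_suites
        pos += 1 + buf[pos]                                # compression_methods
        end = pos + 2 + struct.unpack_from("!H", buf, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(buf)):
            etype, elen = struct.unpack_from("!HH", buf, pos)
            pos += 4
            if etype == 0:                                 # server_name extension
                data = buf[pos:pos + elen]
                nlen = struct.unpack_from("!H", data, 3)[0]
                name = data[5:5 + nlen]
                return name.decode("ascii") if data[2] == 0 and len(name) == nlen else None
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def diagnose(record, chain_server_names):  # chain_server_names: assumed exact names
    sni = extract_sni(record)
    if sni is None:
        return "client sent no SNI"
    if sni in chain_server_names:
        return "SNI matches a filter chain"
    return "SNI %r matches no filter chain" % sni
```
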