mtrudel/bandit

Server Name Indication (SNI) support?

chgeuer opened this issue · 6 comments

Hi Mat, thanks a lot (!) for the great work on ThousandIslands and Bandit.

One question: did you ever stumble across server name indication (SNI) in regard to Bandit? It's essentially to hook into the TLS negotiation before handing out a cert to the client, and based on some sni_fun() callback to decide which X.509 cert to give out to the caller and which private key to use server-side.

It seems like Erlang's :ssl server_option allows setting sni_hosts and sni_fun, but these can't be passed down via Bandit, it seems. Would be awesome to be able to terminate multiple https sites under the same Phoenix endpoint.

Christian

Thanks for the kind words and the issue!

It seems like Erlang's :ssl server_option allows setting sni_hosts and sni_fun, but these can't be passed down via Bandit, it seems.

They sure can! Bandit & Thousand Island are intentionally naive to the options you pass down to the transport layer, for this very reason. See #35 for details.

Thanks, aaargh, I didn't search the closed issues. My bad, sorry for the unnecessary work. Good stuff.

No problem! Feel free to reopen this issue if you come against any issues; this is a feature I'd love to see succeed!

Apologies, I have one more question. In #35 they're spinning up the supervisor directly, and can pass down the :ssl options. How would that work with the Bandit.PhoenixAdapter?

Per https://hexdocs.pm/bandit/Bandit.PhoenixAdapter.html#module-endpoint-configuration whatever is inside your :http or :https config stanzas in your application's config/*.exs files will be passed through directly to Bandit as configuration (for which the type is defined here), so you'll want something like:

```elixir
config :my_app, MyAppWeb.Endpoint,
  adapter: Bandit.PhoenixAdapter,
  https: [
    thousand_island_options: [
      transport_options: [
        # passed straight through to :ssl; called with the SNI hostname (charlist),
        # returns the :ssl options (e.g. certfile/keyfile) for that connection
        sni_fun: &my_fun/1
      ]
    ]
  ],
  ...
```
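As an added example (not code from the Bandit project or from anyone in this thread), here is what the `sni_fun` callback described in the question and referenced in the config above can look like. The module name, the `priv/certs/<host>/` layout and the hostnames are assumptions; `:ssl` calls the function with the hostname the client sent in its SNI extension, and the returned option list is merged over the listener's own `:ssl` options for that connection.

```elixir
# Added example, not code from the Bandit project or from this thread.
# Module name, cert directory layout and hostnames are assumptions.
defmodule MyAppWeb.SNI do
  @moduledoc """
  sni_fun/1 callback for Erlang's :ssl, passed through Bandit via
  thousand_island_options -> transport_options. :ssl calls it during the
  handshake with the hostname from the client's SNI extension (a charlist)
  and merges the returned :ssl options into the connection's options, so
  each site served by one endpoint can present its own certificate and key.
  """

  # Assumed hostname -> subdirectory under priv/certs/ holding that site's
  # fullchain.pem and privkey.pem. Matching is exact, so add a separate entry
  # for every name (bare domain, www, api, ...) the certificate must cover.
  @hosts %{
    "www.example.com" => "www.example.com",
    "api.example.com" => "api.example.com"
  }

  @spec sni_fun(charlist()) :: [certfile: Path.t(), keyfile: Path.t()]
  def sni_fun(hostname) when is_list(hostname) do
    host =
      hostname
      |> List.to_string()
      |> String.downcase()
      |> String.trim_trailing(".")

    case Map.fetch(@hosts, host) do
      {:ok, dir} ->
        cert_options(dir)

      # Unknown name: return no overrides, so :ssl keeps the listener's own
      # certfile/keyfile as the default certificate instead of failing the
      # handshake or handing out another site's key.
      :error ->
        []
    end
  end

  defp cert_options(dir) do
    base = Application.app_dir(:my_app, Path.join("priv/certs", dir))

    [
      certfile: Path.join(base, "fullchain.pem"),
      keyfile: Path.join(base, "privkey.pem")
    ]
  end
end
```

Wire it in with `sni_fun: &MyAppWeb.SNI.sni_fun/1` in the `transport_options` list shown above, and keep the default site's `certfile`/`keyfile` next to it in the same list: clients that send no SNI never trigger `sni_fun`, so they get the listener-level certificate. Use a remote capture like this rather than an anonymous `fn` in `config/*.exs`; a remote capture is a plain Erlang term that survives release config, whereas a closure defined inside the config file does not.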

Superb. ❤️