
@Revolyssup Revolyssup commented Oct 13, 2025

The current APISIX SSL SNI only allows exact domain name matching "abc.test.com" and partial wildcard "*.test.com". It does not support the complete wildcard value of "*" for SNI, which does not meet the core consistency test requirements of HTTPSListener in the Gateway API. This situation needs to be supported.

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. enhancement New feature or request labels Oct 13, 2025
@Revolyssup Revolyssup marked this pull request as draft October 13, 2025 20:02
@Revolyssup Revolyssup marked this pull request as ready for review October 14, 2025 06:27
Comment on lines 58 to 61
if s ~= "*" then
j = j + 1
sni[j] = s:reverse()
end
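Review bot: the `if s ~= "*"` guard on lines 58 to 61 skips the catch-all entirely, so an SSL object whose `snis` list contains only `*` ends up with no reversed SNI pushed into `sni` at all. Since `("*"):reverse()` returns `"*"`, the guard can be dropped and the value appended like any other entry: `j = j + 1` / `sni[j] = s:reverse()`.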
Contributor


It is reasonable not to perform additional processing, as it does not cause any issues.
This is not necessary, as ("*"):reverse() functions correctly. Even if this extra check were added, it would only apply in extremely rare cases and would require explanation for maintainability. I do not believe it differs from the normal SNI case.

Comment on lines 64 to 66
if ssl.value.sni ~= "*" then
sni = ssl.value.sni:reverse()
end
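Review bot: the single-`sni` branch on lines 64 to 66 has the same problem: when `ssl.value.sni` is `"*"`, `sni` is never assigned here, so whatever it held before the `if` (or nil) is what the catch-all certificate is registered under. Assign `sni = ssl.value.sni:reverse()` unconditionally.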
Contributor


ditto

handler = function (api_ctx)
if not api_ctx then
return
if sni and (type(sni) == "table" and #sni > 0 or type(sni) == "string") then
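Review bot: the guard `if sni and (type(sni) == "table" and #sni > 0 or type(sni) == "string") then` is hard to read, and with Lua's `and`/`or` precedence it accepts any string but rejects an empty table. If a caller can really hand this handler an empty table, say so in a comment next to the check; otherwise `if sni then` expresses the same intent.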
Contributor


This seems to cover all existing scenarios. Is this necessary?

local sni_rev = sni:reverse()
local ok = radixtree_router:dispatch(sni_rev, nil, api_ctx)

-- if no SSL matched, try to find a wildcard SSL
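Review bot: the comment `-- if no SSL matched, try to find a wildcard SSL` announces a second lookup after `radixtree_router:dispatch(sni_rev, nil, api_ctx)`. Because the keys are stored reversed, `*.example.com` and `*` are both trailing-wildcard entries in the same tree, so the single dispatch on `sni_rev` should already reach the catch-all; a fallback pass is only justified if the first dispatch is shown to miss `*`, and that evidence should be in the PR before the extra branch is kept.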
Contributor

@bzp2010 bzp2010 Oct 14, 2025


Can't radix trees perform wildcard matching directly? Why do wildcard matches work fine in our HTTP routes (/test/*) and SSL SNI (*.example.com)?
In my view, there's no fundamental difference between *.example.com and *. If the former works correctly after reverse sort, the latter should also function out of the box. We shouldn't need to add any special logic for this.

Contributor Author


Please refer to #12668 (comment)

Contributor

@bzp2010 bzp2010 Oct 14, 2025


I saw your reply at #12668 (comment), but it doesn't resolve this concern. We should investigate the root cause.

for _, s in ipairs(ssl.value.snis) do
j = j + 1
sni[j] = s:reverse()
if s ~= "*" then
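Review bot: with `sni[j] = s:reverse()` now unconditional, the trailing `if s ~= "*" then` branch is the only special case left for the catch-all; either document what it does that the reversal does not, or remove it so that `*` flows through exactly the same path as `*.example.com`.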
Member


To me, I think we can keep the old code; it seems to work fine too, all right?

Contributor


The main point of contention lies in #12668 (comment), which determines whether we must handle the * case separately.

Contributor Author


Okay, I was wrong. Due to an initial mistake in my code I got that failure and falsely assumed it was because radixtree couldn't handle it. I have modified the PR. Apologies for the mistake.
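As an added illustration of the argument settled in this thread (this is not code from the PR, nor APISIX's own lua-resty-radixtree lookup), the following Python model stores SNIs by their reversed hostname and resolves a client's server name by exact match first, then longest reversed prefix. `*.test.com` reverses to `moc.tset.*`, which is a prefix match on `moc.tset.`; the catch-all `*` reverses to `*`, which is a match on the empty prefix, so it needs no separate branch. The class and function names, the certificate identifiers and the sample entries are all constructed for this example.

```python
from typing import Dict, Optional


def validate_sni(sni: str) -> str:
    """Accept an exact host, a leading-label wildcard ('*.test.com') or
    the catch-all '*'. Anything else (for example 'a.*.com') is rejected
    so a stray '*' cannot silently be stored as an exact key."""
    sni = sni.strip().lower()
    if sni == "*":
        return sni
    if sni.startswith("*."):
        rest = sni[2:]
        if rest and "*" not in rest:
            return sni
    elif sni and "*" not in sni:
        return sni
    raise ValueError(f"unsupported SNI pattern: {sni!r}")


class ReversedSniMatcher:
    """Constructed model of reversed-hostname prefix matching.

    Reversing the name turns a leading wildcard into a trailing one:
    '*.test.com' -> 'moc.tset.*', stored as the prefix 'moc.tset.'.
    The catch-all '*' reverses to '*' and is stored as the empty prefix,
    which every reversed server name starts with, so it is handled by the
    same code path as any other wildcard.
    """

    def __init__(self) -> None:
        self._exact: Dict[str, str] = {}   # reversed host   -> cert id
        self._prefix: Dict[str, str] = {}  # reversed prefix -> cert id

    def add(self, sni: str, cert_id: str) -> None:
        rev = validate_sni(sni)[::-1]
        if rev.endswith("*"):
            self._prefix[rev[:-1]] = cert_id  # drop the wildcard marker
        else:
            self._exact[rev] = cert_id

    def match(self, server_name: Optional[str]) -> Optional[str]:
        """Return the cert id for a client-supplied server name, or None.

        Exact entries win, then the longest wildcard prefix. The catch-all
        has the shortest possible prefix, so it only matches when nothing
        more specific does."""
        if not server_name:
            return None  # ClientHello carried no SNI extension
        rev = server_name.strip().lower()[::-1]
        if rev in self._exact:
            return self._exact[rev]
        best: Optional[str] = None
        best_len = -1
        for prefix, cert_id in self._prefix.items():
            if rev.startswith(prefix) and len(prefix) > best_len:
                best, best_len = cert_id, len(prefix)
        return best


def build_demo_matcher(with_catch_all: bool = True) -> ReversedSniMatcher:
    """Constructed sample table mirroring the three cases named in the PR:
    an exact host, a partial wildcard and (optionally) the full wildcard."""
    m = ReversedSniMatcher()
    m.add("abc.test.com", "cert-exact")
    m.add("*.test.com", "cert-wild")
    if with_catch_all:
        m.add("*", "cert-catch-all")
    return m


if __name__ == "__main__":
    m = build_demo_matcher()
    for name in ("abc.test.com", "xyz.test.com", "test.com", "other.example"):
        print(f"{name:>14} -> {m.match(name)}")
```

Because the catch-all is the empty prefix it is always the last resort, so every more specific entry wins; the practical consequence for an operator is that the certificate bound to `*` is served to any client whose SNI matches nothing else, which is worth remembering when choosing what certificate and key sit behind that entry.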

@Revolyssup Revolyssup requested review from bzp2010, membphis and nic-6443 and removed request for nic-6443 October 14, 2025 15:33
Member

@membphis membphis left a comment


LGTM
