Carry SNI while doing SSL handshaking with upstream

[tokers]

So far we don't enable the SNI extension when communicating with upstream. If upstream server depends on SNI to select proper certificate, then the TLS/SSL handshaking will fail. So we should carry the SNI extension.

Nginx has a directive named proxy_ssl_server_name.

Syntax: proxy_ssl_server_name on | off;
proxy_ssl_server_name off;
http, server, location

Enables or disables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066) when establishing a connection with the proxied HTTPS server.

So we can add this directive into apisix/cli/ngx_tpl.lua.

[membphis]

add proxy_ssl_server_name on to apisix/cli/ngx_tpl.lua, should be fine.

welcome anyone to submit PR, fix this issue

[whitehatboxer]

Feel cool to fix this issue since I am not familiar with apisix so I think it will take some time to learn it first.

[tokers]

@unbeatablekb Assigned to you and feel free to ask any questions here.

[membphis]

Feel cool to fix this issue since I am not familiar with apisix so I think it will take some time to learn it first.

this is very cool ^_^

[whitehatboxer]

I have open a pr about this issue (as we can see above). Considered this functionality was guaranteed by Nginx and we just need to test the functionality of the generation of template which were already in testcases, I didn't add testcase of it.

[tokers]

@unbeatablekb No, we should add cases to verify it.

[whitehatboxer]

I agree with it. But I think it is hard to verify the changes because we can't verify things happened in tls.

[spacewander]

@tokers @unbeatablekb
Use proxy_ssl_server_name on is not enough. The SNI sent to the backend is always apisix_backend.
We need to use proxy_ssl_name $host together.

[tokers]

@spacewander OK, it's required.