From 93ec2b3b2798ed3eb9ba10d03b3c40450e5d6d0d Mon Sep 17 00:00:00 2001
From: Jakub Dyszkiewicz
Date: Tue, 24 Aug 2021 16:27:07 +0200
Subject: [PATCH] docs(policies) external service SNI (#494)
Signed-off-by: Jakub Dyszkiewicz
Signed-off-by: Jennifer Rondeau
---
 docs/docs/1.2.3/policies/external-services.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/docs/docs/1.2.3/policies/external-services.md b/docs/docs/1.2.3/policies/external-services.md
index ce9a6200a..e7867de6e 100644
--- a/docs/docs/1.2.3/policies/external-services.md
+++ b/docs/docs/1.2.3/policies/external-services.md
@@ -26,6 +26,7 @@ spec:
 tls: # optional
 enabled: true
 allowRenegotiation: false
+ sni: httpbin.org # optional
 caCert: # one of inline, inlineString, secret
 inline: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t... # Base64 encoded cert
 clientCert: # one of inline, inlineString, secret
@@ -51,6 +52,7 @@ networking:
 tls:
 enabled: true
 allowRenegotiation: false
+ sni: httpbin.org # optional
 caCert: # one of inline, inlineString, secret
 inline: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t... # Base64 encoded cert
 clientCert: # one of inline, inlineString, secret
@@ -106,6 +108,7 @@ The first approach has an advantage that we can apply HTTP based policies, becau
 * `enabled` turns on and off the TLS origination.
 * `allowRenegotiation` turns on and off TLS renegotiation. It's not recommended enabling this for [security reasons](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls.proto). However, some servers require this setting to fetch client certificate after TLS handshake. TLS renegotiation is not available in TLS v1.3.
+ * `sni` overrides the default Server Name Indication. Set this value to empty string to disable SNI.
 * `caCert` the CA certificate for the external service TLS verification
 * `clientCert` the client certificate for mTLS
 * `clientKey` the client key for mTLS