reverse proxy - support SNI using settings

florian 2024-07-15 09:38:25 +02:00
parent 1930af2fe6
commit 32a9edf47c
No known key found for this signature in database
GPG key ID: 93EE47CC3D061500
7 changed files with 45 additions and 5 deletions

View file

@ -5,6 +5,7 @@
- [BUGFIX] Fix compatibility issues with mysql 8.4+ version and the `backup` plugin by adding the `mariadb-connector-c` dependency to the scheduler Dockerfile (on alpine)
- [BUGFIX] Fix potential issues with multiple settings in helpers.load_variables when multiple settings have the same suffix (the issue is only present in future external plugins)
- [BUGFIX] Fix issues with kubernetes integration when were setting a global multisite setting it was not applied to the services
- [FEATURE] Add REVERSE_PROXY_SSL_SNI and REVERSE_PROXY_SSL_SNI_NAME to support SNI-based upstreams
- [UI] Update web UI setup wizard to handle when a reverse proxy already exists but no admin user is configured
- [UI] Fix issues with multiple settings on the global_config not being able to be deleted in specific cases
- [AUTOCONF] Fix issues with globally set settings overridden by default values not being saved correctly in database
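Review bot: the FEATURE entry names the two new settings but not how they relate; the templates in this commit only emit `proxy_ssl_name` when `REVERSE_PROXY_SSL_SNI` is `yes` and `REVERSE_PROXY_SSL_SNI_NAME` is non-empty, so a clause such as "REVERSE_PROXY_SSL_SNI_NAME is optional and overrides the SNI host when REVERSE_PROXY_SSL_SNI is enabled" would save readers a trip to the template.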

View file

@ -1388,7 +1388,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- Set up a PHP-FPM container for your application and mount the folder containing PHP files
- Use the specific settings `REMOTE_PHP` and `REMOTE_PHP_PATH` as environment variables when starting BunkerWeb
If you enable the [multisite mode](concepts.md#integration), you will need to create separate directories for each of your applications. Each subdirectory should be named using the first value of `SERVER_NAME`. Here is a dummy example :
If you enable the [multisite mode](concepts.md#multisite-mode), you will need to create separate directories for each of your applications. Each subdirectory should be named using the first value of `SERVER_NAME`. Here is a dummy example :
```
www
@ -1511,7 +1511,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- Set up a PHP-FPM containers for your applications and mount the folder containing PHP apps
- Use the specific settings `REMOTE_PHP` and `REMOTE_PHP_PATH` as labels for your PHP-FPM container
Since the Docker autoconf implies using the [multisite mode](concepts.md#integration), you will need to create separate directories for each of your applications. Each subdirectory should be named using the first value of `SERVER_NAME`. Here is a dummy example :
Since the Docker autoconf implies using the [multisite mode](concepts.md#multisite-mode), you will need to create separate directories for each of your applications. Each subdirectory should be named using the first value of `SERVER_NAME`. Here is a dummy example :
```
www
@ -1667,7 +1667,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- Set up a PHP-FPM containers for your applications and mount the folder containing PHP apps
- Use the specific settings `REMOTE_PHP` and `REMOTE_PHP_PATH` as labels for your PHP-FPM container
Since the Swarm integration implies using the [multisite mode](concepts.md#integration), you will need to create separate directories for each of your applications. Each subdirectory should be named using the first value of `SERVER_NAME`. Here is a dummy example :
Since the Swarm integration implies using the [multisite mode](concepts.md#multisite-mode), you will need to create separate directories for each of your applications. Each subdirectory should be named using the first value of `SERVER_NAME`. Here is a dummy example :
```
www
@ -1797,7 +1797,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
systemctl restart php-fpm
```
If you enable the [multisite mode](concepts.md#integration), you will need to create separate directories for each of your applications. Each subdirectory should be named using the first value of `SERVER_NAME`. Here is a dummy example :
If you enable the [multisite mode](concepts.md#multisite-mode), you will need to create separate directories for each of your applications. Each subdirectory should be named using the first value of `SERVER_NAME`. Here is a dummy example :
```
/var/www/html

View file

@ -595,6 +595,8 @@ Manage reverse proxy configurations.
|`USE_REVERSE_PROXY` |`no` |multisite|no |Activate reverse proxy mode. |
|`REVERSE_PROXY_INTERCEPT_ERRORS` |`yes` |multisite|no |Intercept and rewrite errors. |
|`REVERSE_PROXY_CUSTOM_HOST` | |multisite|no |Override Host header sent to upstream server. |
|`REVERSE_PROXY_SSL_SNI` |`no` |multisite|no |Enable or disable sending SNI to upstream server. |
|`REVERSE_PROXY_SSL_SNI_NAME` | |multisite|no |Sets the SNI host to send to upstream server. |
|`REVERSE_PROXY_HOST` | |multisite|yes |Full URL of the proxied resource (proxy_pass). |
|`REVERSE_PROXY_URL` |`/` |multisite|yes |Location URL that will be proxied. |
|`REVERSE_PROXY_WS` |`no` |multisite|yes |Enable websocket on the proxied resource. |
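Review bot: `REVERSE_PROXY_SSL_SNI` and `REVERSE_PROXY_SSL_SNI_NAME` are documented as multiple=no while `REVERSE_PROXY_HOST` and `REVERSE_PROXY_URL` are multiple=yes, so one SNI switch and one SNI name apply to every proxied upstream of a service; the help text should say so. It should also say what an empty `REVERSE_PROXY_SSL_SNI_NAME` means: the template only emits `proxy_ssl_name` when the value is non-empty, so nginx's own default is used otherwise, and "Sets the SNI host to send to upstream server." does not tell the reader that.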
@ -691,3 +693,4 @@ Allow access based on internal and external IP/network/rDNS/ASN whitelists.
|`WHITELIST_ASN_URLS` | |global |no |List of URLs, separated with spaces, containing ASN to whitelist. Also supports file:// URLs and and auth basic using http://user:pass@url scheme. |
|`WHITELIST_USER_AGENT_URLS`| |global |no |List of URLs, separated with spaces, containing good User-Agent to whitelist. Also supports file:// URLs and and auth basic using http://user:pass@url scheme. |
|`WHITELIST_URI_URLS` | |global |no |List of URLs, separated with spaces, containing bad URI to whitelist. Also supports file:// URLs and and auth basic using http://user:pass@url scheme. |
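Review bot: the three context rows shown here repeat "file:// URLs and and auth basic"; since this hunk already touches the whitelist table, dropping the duplicated "and" in the same change would be cheap.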

View file

@ -243,7 +243,7 @@ You can manually unban an IP which can be useful when doing some tests but it ne
## Whitelisting
If you have bots that need to access your website, the recommended way to avoid any false positive is to whitelist them using the [whitelisting feature](security-tuning.md#blacklisting-and-whitelisting). We don't recommend using the `WHITELIST_URI*` or `WHITELIST_USER_AGENT*` settings unless they are set to secret and unpredictable values. Common use cases are :
If you have bots that need to access your website, the recommended way to avoid any false positive is to whitelist them using the [whitelisting feature](security-tuning.md#blacklisting-whitelisting-and-greylisting). We don't recommend using the `WHITELIST_URI*` or `WHITELIST_USER_AGENT*` settings unless they are set to secret and unpredictable values. Common use cases are :
- Healthcheck / status bot
- Callback like IPN or webhook

View file

@ -1,5 +1,14 @@
{% if USE_REVERSE_PROXY == "yes" +%}
{% if REVERSE_PROXY_SSL_SNI == "yes" +%}
proxy_ssl_server_name on;
{% if REVERSE_PROXY_SSL_SNI_NAME != "" +%}
proxy_ssl_name {{ REVERSE_PROXY_SSL_SNI_NAME }};
{% endif +%}
{% else +%}
proxy_ssl_server_name off;
{% endif +%}
{% if REVERSE_PROXY_INTERCEPT_ERRORS == "yes" +%}
proxy_intercept_errors on;
{% else +%}
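Review bot: `{{ REVERSE_PROXY_SSL_SNI_NAME }}` is interpolated unquoted into `proxy_ssl_name ...;`, so the only thing keeping a value containing whitespace, `;` or `}` from altering the generated server block is the setting's validation regex; the settings.json entry for this value should restrict it to a hostname pattern rather than a catch-all, and the template would be safer wrapping the value in quotes.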

View file

@ -1,5 +1,14 @@
{% if USE_REVERSE_PROXY == "yes" and REVERSE_PROXY_HOST != "" +%}
{% if REVERSE_PROXY_SSL_SNI == "yes" +%}
proxy_ssl_server_name on;
{% if REVERSE_PROXY_SSL_SNI_NAME != "" +%}
proxy_ssl_name {{ REVERSE_PROXY_SSL_SNI_NAME }};
{% endif +%}
{% else +%}
proxy_ssl_server_name off;
{% endif +%}
# TODO : more settings specific to stream
{% if REVERSE_PROXY_STREAM_PROXY_PROTOCOL == "yes" +%}
proxy_protocol on;
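Review bot: these nine lines are a verbatim copy of the block added to the HTTP server template; a shared include or macro would keep the two in sync the next time the SNI logic changes, and would avoid the unquoted interpolation being fixed in one template but not the other.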

View file

@ -32,6 +32,24 @@
"regex": "^.*$",
"type": "text"
},
"REVERSE_PROXY_SSL_SNI": {
"context": "multisite",
"default": "no",
"help": "Enable or disable sending SNI to upstream server.",
"id": "reverse-proxy-ssl-server-name",
"label": "SSL SNI",
"regex": "^(yes|no)$",
"type": "check"
},
"REVERSE_PROXY_SSL_SNI_NAME": {
"context": "multisite",
"default": "",
"help": "Sets the SNI host to send to upstream server.",
"id": "reverse-proxy-ssl-sni-name",
"label": "SSL SNI name",
"regex": "^(yes|no)$",
"type": "check"
},
"REVERSE_PROXY_HOST": {
"context": "multisite",
"default": "",
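Review bot: `REVERSE_PROXY_SSL_SNI_NAME` is declared with `"regex": "^(yes|no)$"` and `"type": "check"`, copied from the boolean `REVERSE_PROXY_SSL_SNI` above it. With that definition the UI renders a checkbox and the only accepted values are `yes` and `no`, neither of which is a hostname, so `proxy_ssl_name yes;` is the best a user can produce. It should be `"type": "text"` with a hostname regex; the text setting just above this hunk uses `"regex": "^.*$"`, but a tighter pattern such as `^[A-Za-z0-9.-]*$` is preferable here because the value lands unquoted in an nginx directive. Separately, the `id` of `REVERSE_PROXY_SSL_SNI` is `reverse-proxy-ssl-server-name`, which does not follow the setting name the way `reverse-proxy-ssl-sni-name` does for its sibling.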