commit 1cdea97b6c74ec86e202431a208b5c99343f7273 from: Omar Polo date: Sun Jan 30 10:14:44 2022 UTC allow using a custom hostname for SNI during proxying add a `sni' option for the `proxy' block: the given name is used instead of the one extracted by the `relay-to' rule.
commit - 1b626eae837ad61f2cd56fbd310ab9397b522c3a
commit + 1cdea97b6c74ec86e202431a208b5c99343f7273
blob - b9f997020363f4ffcab3c88d14cba9cee46477e8
blob + 09293f799a4b046ae685c292c58fd9a13de6d743
--- gmid.1
+++ gmid.1
@@ -472,6 +472,12 @@ block.
 Allow the proxying only from clients that provide a certificate signed by the CA certificate in
 .Ar file .
+.It Ic sni Ar hostname
+Use the given
+.Ar hostname
+instead of the one extracted from the
+.Ic relay-to
+rule for the TLS handshake with the proxied gemini server.
 .It Ic use-tls Ar bool
 Specify whether to use TLS when connecting to the proxied host.
 Enabled by default.
blob - 2abdce04ab1750b7fbdebaafa01606ff9063ac32
blob + b2aa170ec80fee36d5c742ddad81606e572ffb70
--- gmid.c
+++ gmid.c
@@ -338,6 +338,7 @@ free_config(void)
 free(p->match_proto);
 free(p->match_host);
 free(p->host);
+ free(p->sni);
 tls_unload_file(p->cert, p->certlen);
 tls_unload_file(p->key, p->keylen);
 free(p);
blob - 1dde21a616c047ea0605f1e9303d0df9417be29d
blob + a6741bf4fd67f104871baa9f9210d8b9d2eee535
--- gmid.h
+++ gmid.h
@@ -105,6 +105,7 @@ struct proxy {
 char *host;
 const char *port;
+ char *sni;
 int notls;
 uint32_t protocols;
 int noverifyname;
blob - 57cf3f5c72c7f07008879881d2a19bf18cb0cbb0
blob + d24005d6f7700dd639ac3a06de950dc67d8bf26f
--- parse.y
+++ parse.y
@@ -127,7 +127,7 @@ typedef struct {
 %token OCSP OFF ON
 %token PARAM PORT PREFORK PROTO PROTOCOLS PROXY
 %token RELAY_TO REQUIRE RETURN ROOT
-%token SERVER SPAWN STRIP
+%token SERVER SNI SPAWN STRIP
 %token TCP TOEXT TYPE
 %token USE_TLS USER
 %token VERIFYNAME
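Review bot: The new `sni` member of `struct proxy` in the gmid.h hunk is undocumented, and its contract (NULL means "not configured, fall back to `host`") can only be discovered from the fallback in proxy.c. A short comment on the field would make that explicit: `char *sni; /* servername for the upstream TLS handshake; NULL: use host */`. The definition of `struct proxy` starts and ends outside the hunk.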
@@ -357,6 +357,11 @@ proxy_opt : CERT string {
 if ((proxy->reqca = load_ca($4)) == NULL)
 yyerror("couldn't load ca cert: %s", $4);
 free($4);
+ }
+ | SNI string {
+ only_once(proxy->sni, "proxy sni");
+ free(proxy->sni);
+ proxy->sni = $2;
 }
 | USE_TLS bool {
 proxy->notls = !$2;
@@ -497,6 +502,7 @@ static struct keyword {
 {"return", RETURN},
 {"root", ROOT},
 {"server", SERVER},
+ {"sni", SNI},
 {"spawn", SPAWN},
 {"strip", STRIP},
 {"tcp", TCP},
blob - 97d32578cf96864ca118af922cfd31755de4ed64
blob + 1a30531dd3cd6492113b4aca40aede35641985a2
--- proxy.c
+++ proxy.c
@@ -297,6 +297,7 @@ proxy_setup_tls(struct client *c)
 {
 struct proxy *p = c->proxy;
 struct tls_config *conf = NULL;
+ const char *hn;
 
 if ((conf = tls_config_new()) == NULL)
 return -1;
@@ -325,7 +326,9 @@ proxy_setup_tls(struct client *c)
 if (tls_configure(c->proxyctx, conf) == -1)
 goto err;
 
- if (tls_connect_socket(c->proxyctx, c->pfd, p->host) == -1)
+ if ((hn = p->sni) == NULL)
+ hn = p->host;
+ if (tls_connect_socket(c->proxyctx, c->pfd, hn) == -1)
 goto err;
 
 c->proxyevset = 1;
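Review bot: The `SNI string` action stores `$2` without looking at it, so an empty value such as `sni ""` is accepted by the parser; because the fallback added in proxy.c only tests the pointer for NULL, that empty string would later be handed to the TLS handshake as the servername instead of falling back to the `relay-to` host. Rejecting it where the option is parsed keeps the error in the config parser with a line number: `if (*$2 == '\0') yyerror("sni: empty hostname");` ahead of the assignment. Whether `only_once` stops the parse or merely reports is not visible here, so the `free(proxy->sni)` that follows it is left as is. The `proxy_opt` rule starts before the hunk and continues after it.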
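Review bot: The name selected into `hn` is passed as the servername argument of `tls_connect_socket`, which in libtls is used not only for SNI but also as the name the upstream certificate is checked against unless name verification has been disabled (presumably what the `noverifyname` field seen in the gmid.h hunk controls), so configuring `sni` changes which upstream certificate is accepted, and the `relay-to` host no longer has to appear in it. That side effect is not stated in the code or in the new gmid.1 entry; a comment at the fallback would make it explicit: `/* servername is used by libtls for both SNI and certificate name verification */`. The same sentence belongs in the `sni` description of gmid.1. `proxy_setup_tls` starts and ends outside the hunk.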