Nginx SNI Upstream Maps with wildcard?

Started by Krischan, August 28, 2021, 04:57:21 PM

I have been trying to configure SNI Upstream Maps as explained here: https://docs.opnsense.org/manual/how-tos/nginx_streams.html#sni-upstream-maps

And with regular domain names it works great, but to simplify the setup it would be nice to just set something like *.example.com for a mapping.

However when trying this I get an error about this not being possible.

Is this not supported, or did I do something wrong? Thanks for the help!

August 28, 2021, 06:28:45 PM #1 Last Edit: August 28, 2021, 06:31:14 PM by fabian
It was never intended to support that. So I guess that this might be a validation problem only. However I don't really see the advantage, since it would make only sense if you have multiple kubernetes clusters, but they have their own load balancers.

Huh, I don't follow at all why this would only make sense for Kubernetes???

I have a rather simple home-lab where I don't want to terminate all the SSL connections on the firewall but rather pass them through to various servers that terminate the SSL connection themselves. That way I don't have the load on the OPNsense firewall that already does the heavy load of routing etc. and internal connections are still encrypted to the end-point.

The only way I found to do that is with SNI, and it works very nicely using the built-in Nginx in OPNsense.

But since I have multiple services in various subdomains the list has grown very unwieldy and I also have to manually add a subdomain for every service. If wildcards were supported the list would shrink by at least 3/4 in size and I could easily spin up new subdomains on the servers without having to touch the OPNsense config.

Does that make sense?

The reason for my thought is that if you want to forward everything to a single node, you can use a port forwarding as well. So this would make only sense if you have multiple domains that point to different clusters.

Yes I want to separate out different domain names to different backend servers/clusters.

Like having domain1.com point to one upstream server/cluster and domain2.com point to another.
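The setup described in the thread (SNI-based passthrough to backends that terminate TLS themselves, with a wildcard entry per domain and different domains going to different clusters) corresponds to the following raw nginx stream configuration. This is an added illustration, not the OPNsense GUI's generated config or anything from the docs; the hostnames, addresses and upstream names are placeholders.

```nginx
stream {
    # Backends that terminate TLS themselves; nginx only routes on the SNI name
    # and never holds the certificates or private keys for these domains.
    upstream lab_cluster   { server 10.0.10.10:443; }   # placeholder address
    upstream other_cluster { server 10.0.20.10:443; }   # placeholder address
    # Nothing listens here, so an unrecognised SNI name is refused rather than
    # quietly handed to some backend (fail closed on client-supplied input).
    upstream sink          { server 127.0.0.1:9; }

    # $ssl_preread_server_name is the server_name from the TLS ClientHello.
    # It is sent in the clear, so nginx can read it without decrypting.
    # The "hostnames" flag turns on nginx's prefix/suffix mask matching,
    # which is the wildcard the thread asks for:
    #   .example.com   matches example.com AND every subdomain
    #   *.domain2.com  matches subdomains only (apex listed separately)
    map $ssl_preread_server_name $backend {
        hostnames;
        .example.com    lab_cluster;
        domain2.com     other_cluster;
        *.domain2.com   other_cluster;
        default         sink;
    }

    server {
        listen 443;
        ssl_preread on;        # parse the ClientHello, do not terminate TLS
        proxy_pass $backend;   # forward the still-encrypted stream
    }
}
```

Because SNI is unauthenticated data chosen by the client, the `default` entry decides where unknown names end up; pointing it at a closed port (as above) keeps the map from becoming an open relay to an internal backend.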