On this page

Multiple hosts on one listener (SNI)

Set up an HTTPS/ TLS listener on the gateway that serves multiple hosts.

Each host comes with its own TLS certificates that the gateway uses to authenticate and authorize client requests.

Serving multiple hosts on a single listener is also referred to as Server Name Indication (SNI) routing. SNI is an extension to the TLS protocol and allows clients to indicate which hostname they want to connect to at the start of the TLS handshake. After the HTTPS/TLS traffic is accepted at the gateway, the TLS connection is terminated, and the unencrypted HTTP/TCP request is forwarded to the destination.

Figure: SNI listener setup

Before you begin

info

This guide assumes that you use the same names for components like clusters, workspaces, and namespaces as in the getting started. If you have different names, make sure to update the sample configuration files in this guide.

Set up SNI routing for multiple domains

The following steps show how you can set up a single HTTPS listener on your ingress gateway that serves multiple hosts. The steps in this guide show how to set up SNI routing for the httpbin.example.com and bookinfo.example.com domains.

info

When you apply the Gloo custom resources in this guide to your cluster, Gloo Mesh Gateway automatically checks the configuration against validation rules and value constraints. You can also run a pre-admission validation check by using the meshctl x validate resources command. For more information, see the resource validation overview and the CLI command reference.

Create a root certificate and private key to sign the certificates for your services.

  mkdir example_certs1
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example_certs1/example.com.key -out example_certs1/example.com.crt

Generate a TLS certificate and key for the httpbin.example.com domain.

  openssl req -out example_certs1/httpbin.example.com.csr -newkey rsa:2048 -nodes -keyout example_certs1/httpbin.example.com.key -subj "/CN=httpbin.example.com/O=httpbin organization"
openssl x509 -req -sha256 -days 365 -CA example_certs1/example.com.crt -CAkey example_certs1/example.com.key -set_serial 0 -in example_certs1/httpbin.example.com.csr -out example_certs1/httpbin.example.com.crt

Generate a TLS certificate and key for the bookinfo.example.com domain.

  openssl req -out example_certs1/bookinfo.example.com.csr -newkey rsa:2048 -nodes -keyout example_certs1/bookinfo.example.com.key -subj "/CN=bookinfo.example.com/O=bookinfo organization"
openssl x509 -req -sha256 -days 365 -CA example_certs1/example.com.crt -CAkey example_certs1/example.com.key -set_serial 1 -in example_certs1/bookinfo.example.com.csr -out example_certs1/bookinfo.example.com.crt

Generate a corresponding client certificate and private key that you later use to send requests to your gateway for both of your domains.

  openssl req -out example_certs1/client.example.com.csr -newkey rsa:2048 -nodes -keyout example_certs1/client.example.com.key -subj "/CN=client.example.com/O=client organization"
openssl x509 -req -sha256 -days 365 -CA example_certs1/example.com.crt -CAkey example_certs1/example.com.key -set_serial 1 -in example_certs1/client.example.com.csr -out example_certs1/client.example.com.crt

Verify that you have the required certificates and keys.

  ls example_cert*

Example output:

  bookinfo.example.com.crt bookinfo.example.com.key client.example.com.csr   example.com.crt          httpbin.example.com.crt  httpbin.example.com.key
bookinfo.example.com.csr client.example.com.crt   client.example.com.key   example.com.key          httpbin.example.com.csr

Store the credentials for the httpbin.example.com domain in a Kubernetes secret.

  kubectl create -n gloo-mesh-gateways secret tls httpbin-credential \
  --key=example_certs1/httpbin.example.com.key \
  --cert=example_certs1/httpbin.example.com.crt

Store the credentials for the bookinfo.example.com domain in a Kubernetes secret.

  kubectl create -n gloo-mesh-gateways secret tls bookinfo-credential \
  --key=example_certs1/bookinfo.example.com.key \
  --cert=example_certs1/bookinfo.example.com.crt

Create a virtual gateway and configure HTTPS listeners for both domains on the same port. Each HTTPS listener uses the domain-specific TLS credentials from the secret that you created earlier.

  kubectl apply -f - <<EOF
apiVersion: networking.gloo.solo.io/v2
kind: VirtualGateway
metadata:
  name: mtls-vgateway
  namespace: gloo-mesh-gateways
spec:
  listeners:
  - port:
      number: 443
    http: {}
    tls:
      mode: SIMPLE
      secretName: httpbin-credential
    allowedRouteTables:
    - host: httpbin.example.com
  - port:
      number: 443
    http: {}
    tls:
      mode: SIMPLE
      secretName: bookinfo-credential
    allowedRouteTables:
    - host: bookinfo.example.com
  workloads:
  - selector:
      labels:
        istio: ingressgateway
EOF

Create a route table for the httpbin.example.com domain that routes incoming traffic to the httpbin app in your cluster.

  kubectl apply -f - <<EOF
apiVersion: networking.gloo.solo.io/v2
kind: RouteTable
metadata:
  name: httpbin
  namespace: gloo-mesh-gateways
spec:
  virtualGateways:
  - name: mtls-vgateway
    namespace: gloo-mesh-gateways
  hosts:
  - 'httpbin.example.com'
  http:
  - matchers:
    - uri:
        prefix: /
    forwardTo:
      destinations:
      - ref:
          name: httpbin
          namespace: httpbin
          cluster: $CLUSTER_NAME
        port:
          number: 8000
EOF

Create a route table for the bookinfo.example.com domain that routes incoming traffic to the productpage app in your cluster.

  kubectl apply -f - <<EOF
apiVersion: networking.gloo.solo.io/v2
kind: RouteTable
metadata:
  name: bookinfo
  namespace: gloo-mesh-gateways
spec:
  virtualGateways:
  - name: mtls-vgateway
    namespace: gloo-mesh-gateways
  hosts:
  - 'bookinfo.example.com'
  http:
  - matchers:
    - uri:
        prefix: /
    forwardTo:
      destinations:
      - ref:
          name: productpage
          namespace: bookinfo
          cluster: $CLUSTER_NAME
        port:
          number: 9080
EOF

Send a request to the httpbin.example.com domain with the client certificate that you created earlier. The gateway authorizes the request by using the TLS credentials that you stored in the TLS secret.

  curl -vik -HHost:httpbin.example.com --resolve "httpbin.example.com:443:${INGRESS_GW_IP}" \
--cacert example_certs1/example.com.crt "https://httpbin.example.com:443/status/200"

Example output:

  ...
* Added httpbin.example.com:443:34.145.173.107 to DNS cache
* Hostname httpbin.example.com was found in DNS cache
*   Trying 34.145.173.107:443...
* Connected to httpbin.example.com (34.145.173.107) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: example_certs1/example.com.crt
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=httpbin.example.com; O=httpbin organization
*  start date: Dec 29 17:10:18 2022 GMT
*  expire date: Dec 29 17:10:18 2023 GMT
*  issuer: O=example Inc.; CN=example.com
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x150012400)
> GET /status/200 HTTP/2
> Host:httpbin.example.com
> user-agent: curl/7.77.0
> accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
< HTTP/2 200 
HTTP/2 200 
...

Send a request to the bookinfo.example.com domain with the client certificate that you created earlier. The gateway authorizes the request by using the TLS credentials that you stored in the TLS secret.

  curl -vik -HHost:bookinfo.example.com --resolve "bookinfo.example.com:443:${INGRESS_GW_IP}" \
  --cacert example_certs1/example.com.crt "https://bookinfo.example.com:443/productpage"

Example output:

  ...
* Added bookinfo.example.com:443:34.145.173.107 to DNS cache
* Hostname bookinfo.example.com was found in DNS cache
*   Trying 34.145.173.107:443...
* Connected to bookinfo.example.com (34.145.173.107) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: example_certs1/example.com.crt
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=bookinfo.example.com; O=bookinfo organization
*  start date: Dec 29 17:10:45 2022 GMT
*  expire date: Dec 29 17:10:45 2023 GMT
*  issuer: O=example Inc.; CN=example.com
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x145017400)
> GET /productpage HTTP/2
> Host:bookinfo.example.com
> user-agent: curl/7.77.0
> accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
< HTTP/2 200 
HTTP/2 200 
...

Next steps

Now that you have the virtual gateway configured, you can add other Gloo Mesh Gateway resources to control traffic that is routed through the gateway.

Process and route traffic through the virtual gateway with route tables, such as by using header matching, redirects, or direct responses.
Explore traffic management, security, and resiliency policies that you can apply to your routes and upstream services. For example, you might apply the proxy protocol policy to your API Gateway so that it preserves connection information such as the originating client IP address.

Cleanup

You can optionally remove the resources that you set up as part of this guide.

  rm -r example_certs1
kubectl delete secret httpbin-credential -n gloo-mesh-gateways
kubectl delete secret bookinfo-credential -n gloo-mesh-gateways
kubectl delete virtualgateway mtls-vgateway -n gloo-mesh-gateways
kubectl delete routetable httpbin -n gloo-mesh-gateways
kubectl delete routetable bookinfo -n gloo-mesh-gateways

Multiple hosts on one listener (SNI)

Before you begin link

Set up SNI routing for multiple domains link

Next steps link

Cleanup link

Before you begin

Set up SNI routing for multiple domains

Next steps

Cleanup