From f038211215c0985b0eafc3d1853a631f71ee3eba Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Sat, 6 Jan 2018 11:52:24 +0000
Subject: [PATCH] Add option to sso-proxy to set SSL server_name explicitly

---
 proxy/proxy.go      | 8 ++++++++
 proxy/proxy_test.go | 3 +--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/proxy/proxy.go b/proxy/proxy.go
index fd72c2b..ec8c2b4 100644
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@@ -20,6 +20,7 @@ import (
 type Backend struct {
 	Host            string                      `yaml:"host"`
 	Upstream        []string                    `yaml:"upstream"`
+	ServerName      string                      `yaml:"tls_server_name"`
 	ClientTLSConfig *clientutil.TLSClientConfig `yaml:"client_tls"`
 
 	AllowedGroups []string `yaml:"allowed_groups"`
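Review bot: The new `ServerName` field carries no doc comment, and its yaml key `tls_server_name` does not match the field name, so a reader of the struct cannot tell what the option controls without finding the assignment in newHandler. Since the value ends up in `tls.Config.ServerName`, it governs both the SNI sent to the upstream and the name the upstream certificate is verified against, which is worth stating at the config level: `// ServerName, if set, is used as the TLS ServerName for upstream connections (SNI and certificate verification name).` The struct's remaining fields continue outside the hunk.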
@@ -45,6 +46,13 @@ func (b *Backend) newHandler(ssow *httpsso.SSOWrapper) (http.Handler, error) {
 		if err != nil {
 			return nil, err
 		}
+
+		// By setting the ServerName on the tls.Config, we
+		// hope to decouple TLS certificate verification from
+		// the details of the HTTP Host header included in the
+		// request, so that the transport layer will work
+		// regardless of the HTTP request details.
+		tlsConfig.ServerName = b.ServerName
 	}
 	proxy.Transport = clientutil.NewTransport(b.Upstream, tlsConfig, nil)
 
diff --git a/proxy/proxy_test.go b/proxy/proxy_test.go
index 0c45777..1fedce4 100644
--- a/proxy/proxy_test.go
+++ b/proxy/proxy_test.go
@@ -1,7 +1,6 @@
 package proxy
 
 import (
-	"crypto/rand"
 	"crypto/tls"
 	"io"
 	"io/ioutil"
@@ -32,7 +31,7 @@ func TestProxy(t *testing.T) {
 	}
 	defer os.RemoveAll(tmpdir)
 
-	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	pub, priv, err := ed25519.GenerateKey(nil)
 	if err != nil {
 		t.Fatal(err)
 	}
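Review bot: The switch to `ed25519.GenerateKey(nil)` relies on the package's documented fallback to crypto/rand.Reader when the reader is nil, so the test's behavior is unchanged, but the change is unrelated to the commit subject and the reason is not stated at the call site. A short comment such as `// nil reader: GenerateKey falls back to crypto/rand.Reader` would prevent the next reader from suspecting a deterministic or zero key. TestProxy starts and ends outside the hunk.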
-- 
GitLab