DockFlare v1.8.5: Enhanced TLS Control with Origin Server Name (SNI) Support
59 commits to stable since this release
This release introduces a key enhancement for configuring Cloudflare Tunnel ingress rules: support for Origin Server Name (SNI). This provides users with more granular control over TLS connections to their origin services.
✨ New Features
- Origin Server Name (SNI) Support for Ingress Rules:
  - Users can now specify the `originServerName` for an ingress rule. This allows DockFlare to instruct Cloudflare to use a specific Server Name Indication (SNI) during the TLS handshake with the origin service. This is particularly useful when the origin service is behind a reverse proxy, hosts multiple sites on one IP, or expects a specific hostname for its TLS certificate (typically the name the origin certificate was issued for, which is rarely the IP or container name the tunnel connects to).
  - Docker Label: Added support for the `cloudflare.tunnel.<index>.originsrvname=<value>` label (or `cloudflare.tunnel.originsrvname=<value>` for the non-indexed default rule).
    - Example: `labels: ["cloudflare.tunnel.0.originsrvname=internal.service.local"]`
  - Web UI (Manual Rules): The "Add New Manual Ingress Rule" modal now includes a dedicated "Origin Server Name (SNI for TLS)" input field. This field is dynamically shown only when the selected service type is HTTP or HTTPS, as SNI is primarily relevant for these protocols.
🔧 Improvements & Internal Changes
- State Management: The internal state (`managed_rules`) now stores the `origin_server_name` for each rule configuration.
- Cloudflare API Interaction: The `originRequest` object in the Cloudflare tunnel configuration payload is now correctly constructed to include `noTLSVerify` and `originServerName` as needed. The comparison logic for detecting changes has also been updated to take the new field into account, so a changed or newly added SNI value is pushed to Cloudflare.
- Docker Label Parsing: Both `docker_handler.py` (for new containers) and `reconciler.py` (for existing containers during reconciliation) have been updated to parse and process the new `originsrvname` label.
- Web UI:
  - The "Add Manual Rule" backend route (`ui_add_manual_rule_route`) now processes and stores the `origin_server_name` from the UI form.
  - The main "Managed Ingress Rules" table can now display the configured SNI for relevant rules.
  - JavaScript in `main.js` has been enhanced to dynamically show/hide the "Origin Server Name" input field in the manual rule modal based on the selected service type (HTTP/HTTPS).
- Code Quality: Addressed a minor issue in `docker_handler.py` by removing a duplicate, simpler definition of the `is_valid_service` function, ensuring the more robust regex-based validation is used.
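The following is an added example, not DockFlare's own code, showing the three pieces the label and API changes above describe together: parsing the indexed and default `originsrvname` labels from a container's label map, building the `originRequest` object so that `originServerName` is only emitted for `http`/`https` services and `noTLSVerify` only when requested, and comparing an existing rule against the desired one so that a new or changed SNI value is detected. The function names, the hostname validation regex and the constructed label dictionaries are assumptions for illustration; only the label key pattern and the `originRequest` field names come from the release notes and Cloudflare's tunnel configuration schema.

```python
import re
from typing import Dict, Optional

# Label pattern from the release notes:
#   cloudflare.tunnel.<index>.originsrvname=<value>   (indexed rule)
#   cloudflare.tunnel.originsrvname=<value>           (non-indexed default rule)
LABEL_PREFIX = "cloudflare.tunnel"
ORIGINSRVNAME_RE = re.compile(
    r"^" + re.escape(LABEL_PREFIX) + r"(?:\.(?P<index>\d+))?\.originsrvname$"
)

# Conservative DNS hostname check (hypothetical; DockFlare's own validation may differ).
# Rejecting junk here keeps a bad label from being pushed into the tunnel configuration.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def is_valid_origin_server_name(value: str) -> bool:
    """True if value looks like a hostname usable as SNI / certificate name."""
    return bool(HOSTNAME_RE.match(value.strip()))


def parse_origin_server_names(labels: Dict[str, str]) -> Dict[Optional[int], str]:
    """Map rule index -> origin server name from container labels.

    The non-indexed default label is stored under key None. Invalid values are
    skipped rather than silently passed through to Cloudflare.
    """
    result: Dict[Optional[int], str] = {}
    for key, value in labels.items():
        match = ORIGINSRVNAME_RE.match(key)
        if not match:
            continue
        value = value.strip()
        if not is_valid_origin_server_name(value):
            continue  # a real implementation would log the rejected label here
        index = match.group("index")
        result[int(index) if index is not None else None] = value
    return result


def build_origin_request(service: str, origin_server_name: Optional[str],
                         no_tls_verify: bool) -> dict:
    """Build the originRequest object for one ingress rule.

    originServerName is only emitted for http/https services, matching the
    note that Cloudflare may ignore it for protocols without a TLS handshake.
    noTLSVerify is only emitted when explicitly enabled, so the secure default
    (certificate verification on) is what reaches Cloudflare.
    """
    origin_request: dict = {}
    scheme = service.split("://", 1)[0].lower()
    if origin_server_name and scheme in ("http", "https"):
        origin_request["originServerName"] = origin_server_name
    if no_tls_verify:
        origin_request["noTLSVerify"] = True
    return origin_request


def build_ingress_rule(hostname: str, service: str,
                       origin_server_name: Optional[str] = None,
                       no_tls_verify: bool = False) -> dict:
    """Assemble one entry of the tunnel ingress list, omitting an empty originRequest."""
    rule = {"hostname": hostname, "service": service}
    origin_request = build_origin_request(service, origin_server_name, no_tls_verify)
    if origin_request:
        rule["originRequest"] = origin_request
    return rule


def rule_changed(existing: dict, desired: dict) -> bool:
    """Detect whether a rule must be re-pushed, including originRequest differences.

    A missing originRequest and an empty one are treated as equal so that
    reconciliation does not loop on rules without SNI or TLS overrides.
    """
    def normalise(rule: dict):
        return (
            rule.get("hostname"),
            rule.get("service"),
            tuple(sorted((rule.get("originRequest") or {}).items())),
        )
    return normalise(existing) != normalise(desired)


if __name__ == "__main__":
    # Constructed sample labels, not taken from a real container.
    labels = {
        "cloudflare.tunnel.0.originsrvname": "internal.service.local",
        "cloudflare.tunnel.originsrvname": "default.service.local",
        "cloudflare.tunnel.1.originsrvname": "bad value with spaces",
    }
    names = parse_origin_server_names(labels)
    old = build_ingress_rule("app.example.com", "https://10.0.0.5:8443")
    new = build_ingress_rule("app.example.com", "https://10.0.0.5:8443", names[0])
    print(names, new, rule_changed(old, new))
```

The design choice worth noting is that `build_origin_request` never emits `noTLSVerify` unless asked: when the origin presents a certificate for a private name, supplying that name as `originServerName` is the fix, and disabling verification should remain an explicit opt-in rather than something a builder adds by default.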
📝 Notes
- The `originServerName` setting is most effective for `http` and `https` service types. While it can be set for other types, Cloudflare may ignore it if a TLS handshake to the origin is not part of its standard proxying behavior for that protocol.
- In Cloudflare's tunnel configuration, `originServerName` is also the hostname that cloudflared expects to find in the origin's TLS certificate. Setting it to the name the origin certificate was issued for lets you keep certificate verification on for origins reached by IP or internal DNS name; prefer that over enabling `noTLSVerify`.
- Remember to update your Docker image to `dockflare:1.8.5` or `dockflare:latest` to use these new features.