
DockFlare v1.8.5: Enhanced TLS Control with Origin Server Name (SNI) Support

@ChrispyBacon-dev ChrispyBacon-dev released this 29 May 13:23
· 59 commits to stable since this release


This release introduces a key enhancement for configuring Cloudflare Tunnel ingress rules: support for Origin Server Name (SNI). This provides users with more granular control over TLS connections to their origin services.

✨ New Features

  • Origin Server Name (SNI) Support for Ingress Rules:
    • Users can now specify the originServerName for an ingress rule. DockFlare passes it to Cloudflare, which then sends that name as the Server Name Indication (SNI) in the TLS handshake with the origin and expects the origin's certificate to be valid for it. This is particularly useful when the origin service sits behind a reverse proxy, hosts multiple sites on one IP, or presents a certificate for a hostname that differs from the address DockFlare connects to (for example an internal DNS name rather than a container IP).
    • Docker Label: Added support for the cloudflare.tunnel.<index>.originsrvname=<value> (or cloudflare.tunnel.originsrvname=<value> for non-indexed default) label.
      • Example: labels: ["cloudflare.tunnel.0.originsrvname=internal.service.local"]
    • Web UI (Manual Rules): The "Add New Manual Ingress Rule" modal now includes a dedicated "Origin Server Name (SNI for TLS)" input field. This field is dynamically shown only when the selected service type is HTTP or HTTPS, as SNI is primarily relevant for these protocols.

🔧 Improvements & Internal Changes

  • State Management: The internal state (managed_rules) now stores the origin_server_name for each rule configuration.
  • Cloudflare API Interaction: The originRequest object in the Cloudflare tunnel configuration payload is now correctly constructed to include noTLSVerify and originServerName as needed. Comparison logic for detecting changes has also been updated.
  • Docker Label Parsing: Both docker_handler.py (for new containers) and reconciler.py (for existing containers during reconciliation) have been updated to parse and process the new originsrvname label.
  • Web UI:
    • The "Add Manual Rule" backend route (ui_add_manual_rule_route) now processes and stores the origin_server_name from the UI form.
    • The main "Managed Ingress Rules" table can display the configured SNI for relevant rules (where this display has been implemented in your deployment).
    • JavaScript in main.js has been enhanced to dynamically show/hide the "Origin Server Name" input field in the manual rule modal based on the selected service type (HTTP/HTTPS).
  • Code Quality: Addressed a minor issue in docker_handler.py by removing a duplicate, simpler definition of the is_valid_service function, ensuring the more robust regex-based validation is used.
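The label parsing and originRequest construction described above, as an added example that is not DockFlare's own code. It assumes label key names other than originsrvname (hostname, service, no_tls_verify), that non-indexed labels form a separate "default" rule, and a constructed set of container labels; only the cloudflare.tunnel[.<index>].originsrvname label and the originRequest field names noTLSVerify and originServerName come from the release notes. The security-relevant point it demonstrates is that a correct originServerName lets the origin certificate be verified, so noTLSVerify can stay off, and that the value is validated as a hostname before it reaches the tunnel configuration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample container labels (not from the project). The hostname,
# service and no_tls_verify key names are assumptions for this example.
SAMPLE_LABELS = {
    "cloudflare.tunnel.hostname": "app.example.com",
    "cloudflare.tunnel.service": "https://10.0.0.5:8443",
    "cloudflare.tunnel.originsrvname": "internal.service.local",
    "cloudflare.tunnel.1.hostname": "legacy.example.com",
    "cloudflare.tunnel.1.service": "https://10.0.0.6:8443",
    "cloudflare.tunnel.1.no_tls_verify": "true",
    "cloudflare.tunnel.2.hostname": "ssh.example.com",
    "cloudflare.tunnel.2.service": "ssh://10.0.0.7:22",
    "cloudflare.tunnel.2.originsrvname": "ignored.for.ssh",
}

# cloudflare.tunnel.<index>.<key> or the non-indexed cloudflare.tunnel.<key>
LABEL_RE = re.compile(r"^cloudflare\.tunnel\.(?:(\d+)\.)?([a-z_]+)$")
# RFC 1123 hostname shape: rejects stray characters before they reach the API.
SNI_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# Service schemes for which Cloudflare performs a TLS handshake to the origin.
TLS_SCHEMES = {"https"}
DEFAULT_RULE = "default"


def parse_tunnel_labels(labels: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group cloudflare.tunnel.* labels by rule index; non-indexed labels
    are collected under the "default" key (assumed layout)."""
    rules: Dict[str, Dict[str, str]] = {}
    for name, value in labels.items():
        m = LABEL_RE.match(name)
        if m:
            rules.setdefault(m.group(1) or DEFAULT_RULE, {})[m.group(2)] = value.strip()
    return rules


def build_origin_request(rule: Dict[str, str]) -> Optional[dict]:
    """Return the originRequest object for one rule, or None if nothing is set."""
    scheme = rule.get("service", "").split("://", 1)[0].lower()
    origin_request: dict = {}
    if rule.get("no_tls_verify", "").lower() in ("true", "1", "yes"):
        # Turns off certificate verification between Cloudflare and the origin.
        # With a correct originServerName this is normally not needed.
        origin_request["noTLSVerify"] = True
    sni = rule.get("originsrvname")
    if sni:
        if not SNI_RE.match(sni):
            raise ValueError(f"invalid origin server name: {sni!r}")
        if scheme in TLS_SCHEMES:
            origin_request["originServerName"] = sni
        # For non-TLS schemes there is no handshake to the origin, so the value
        # is dropped here instead of being sent as dead configuration.
    return origin_request or None


def build_ingress(rules: Dict[str, Dict[str, str]]) -> List[dict]:
    """Build the 'ingress' array of a Cloudflare tunnel configuration:
    default rule first, then indexed rules in order, then the catch-all."""
    order = ([DEFAULT_RULE] if DEFAULT_RULE in rules else []) + sorted(
        (k for k in rules if k != DEFAULT_RULE), key=int
    )
    ingress = []
    for key in order:
        rule = rules[key]
        entry = {"hostname": rule["hostname"], "service": rule["service"]}
        origin_request = build_origin_request(rule)
        if origin_request:
            entry["originRequest"] = origin_request
        ingress.append(entry)
    ingress.append({"service": "http_status:404"})  # required catch-all rule
    return ingress


def changed_hostnames(current: List[dict], desired: List[dict]) -> List[str]:
    """Change detection that includes originRequest, so adding or editing an
    SNI on an otherwise unchanged rule is still pushed to Cloudflare."""
    cur = {e.get("hostname"): e for e in current if "hostname" in e}
    des = {e.get("hostname"): e for e in desired if "hostname" in e}
    return sorted(h for h in set(cur) | set(des) if cur.get(h) != des.get(h))


if __name__ == "__main__":
    import json
    print(json.dumps({"config": {"ingress": build_ingress(parse_tunnel_labels(SAMPLE_LABELS))}}, indent=2))
```

The resulting object is the `config` body a tunnel configuration update expects. Note the first rule: the service is addressed by IP, but because originServerName names the certificate's hostname, TLS verification can remain enabled; the second rule shows the weaker noTLSVerify alternative that skips verification entirely.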

📝 Notes

  • The originServerName setting only takes effect when Cloudflare performs a TLS handshake with the origin, i.e. for https service types. It can be set on other types (including plain http, ssh, tcp), but there is no origin TLS handshake for those, so Cloudflare has nothing to apply it to. Where the origin presents a valid certificate for the configured name, prefer originServerName over noTLSVerify, which disables certificate verification altogether.
  • Remember to update your Docker image to dockflare:1.8.5 or dockflare:latest to use these new features.