Add disable SNI host validation field

Author: ciarams87

apis/v1alpha2/nginxproxy_types.go

@@ -73,6 +73,15 @@ type NginxProxySpec struct {
 	//
 	// +optional
 	DisableHTTP2 *bool `json:"disableHTTP2,omitempty"`
+	// DisableSNIHostValidation disables the validation that ensures the SNI hostname
+	// matches the Host header in HTTPS requests. When disabled, HTTPS connections can
+	// be reused for requests to different hostnames covered by the same certificate.
+	// This resolves HTTP/2 connection coalescing issues with wildcard certificates but
+	// introduces security risks as described in Gateway API GEP-3567.
+	// If not specified, defaults to false (validation enabled).
+	//
+	// +optional
+	DisableSNIHostValidation *bool `json:"disableSNIHostValidation,omitempty"`
 	// Kubernetes contains the configuration for the NGINX Deployment and Service Kubernetes objects.
 	//
 	// +optional

apis/v1alpha2/zz_generated.deepcopy.go

@@ -106,6 +106,11 @@
               "required": [],
               "type": "boolean"
             },
+            "disableSNIHostValidation": {
+              "description": "DisableSNIHostValidation disables the validation that ensures the SNI hostname matches the Host header in HTTPS requests. This resolves HTTP/2 connection coalescing issues with wildcard certificates but introduces security risks as described in Gateway API GEP-3567.",
+              "required": [],
+              "type": "boolean"
+            },
             "ipFamily": {
               "description": "IPFamily specifies the IP family to be used by the NGINX.",
               "enum": [

charts/nginx-gateway-fabric/values.schema.json

@@ -251,6 +251,9 @@ nginx:
   #   disableHTTP2:
   #     description: DisableHTTP2 defines if http2 should be disabled for all servers.
   #     type: boolean
+  #   disableSNIHostValidation:
+  #     description: DisableSNIHostValidation disables the validation that ensures the SNI hostname matches the Host header in HTTPS requests. This resolves HTTP/2 connection coalescing issues with wildcard certificates but introduces security risks as described in Gateway API GEP-3567.
+  #     type: boolean
   #   ipFamily:
   #     description: IPFamily specifies the IP family to be used by the NGINX.
   #     type: string

charts/nginx-gateway-fabric/values.yaml

@@ -56,6 +56,15 @@ spec:
                   DisableHTTP2 defines if http2 should be disabled for all servers.
                   If not specified, or set to false, http2 will be enabled for all servers.
                 type: boolean
+              disableSNIHostValidation:
+                description: |-
+                  DisableSNIHostValidation disables the validation that ensures the SNI hostname
+                  matches the Host header in HTTPS requests. When disabled, HTTPS connections can
+                  be reused for requests to different hostnames covered by the same certificate.
+                  This resolves HTTP/2 connection coalescing issues with wildcard certificates but
+                  introduces security risks as described in Gateway API GEP-3567.
+                  If not specified, defaults to false (validation enabled).
+                type: boolean
               ipFamily:
                 default: dual
                 description: |-

config/crd/bases/gateway.nginx.org_nginxproxies.yaml

@@ -641,6 +641,15 @@ spec:
                   DisableHTTP2 defines if http2 should be disabled for all servers.
                   If not specified, or set to false, http2 will be enabled for all servers.
                 type: boolean
+              disableSNIHostValidation:
+                description: |-
+                  DisableSNIHostValidation disables the validation that ensures the SNI hostname
+                  matches the Host header in HTTPS requests. When disabled, HTTPS connections can
+                  be reused for requests to different hostnames covered by the same certificate.
+                  This resolves HTTP/2 connection coalescing issues with wildcard certificates but
+                  introduces security risks as described in Gateway API GEP-3567.
+                  If not specified, defaults to false (validation enabled).
+                type: boolean
               ipFamily:
                 default: dual
                 description: |-

deploy/crds.yaml

@@ -127,8 +127,9 @@ type ProxySSLVerify struct {
 
 // ServerConfig holds configuration for an HTTP server and IP family to be used by NGINX.
 type ServerConfig struct {
-	Servers         []Server
-	RewriteClientIP shared.RewriteClientIPSettings
-	IPFamily        shared.IPFamily
-	Plus            bool
+	Servers                  []Server
+	RewriteClientIP          shared.RewriteClientIPSettings
+	IPFamily                 shared.IPFamily
+	Plus                     bool
+	DisableSNIHostValidation bool
 }

internal/controller/nginx/config/http/config.go

@@ -61,10 +61,11 @@ func (g GeneratorImpl) executeServers(
 	servers, httpMatchPairs := createServers(conf, generator, keepAliveCheck)
 
 	serverConfig := http.ServerConfig{
-		Servers:         servers,
-		IPFamily:        getIPFamily(conf.BaseHTTPConfig),
-		Plus:            g.plus,
-		RewriteClientIP: getRewriteClientIPSettings(conf.BaseHTTPConfig.RewriteClientIPSettings),
+		Servers:                  servers,
+		IPFamily:                 getIPFamily(conf.BaseHTTPConfig),
+		Plus:                     g.plus,
+		RewriteClientIP:          getRewriteClientIPSettings(conf.BaseHTTPConfig.RewriteClientIPSettings),
+		DisableSNIHostValidation: conf.BaseHTTPConfig.DisableSNIHostValidation,
 	}
 
 	serverResult := executeResult{

internal/controller/nginx/config/servers.go

@@ -55,9 +55,11 @@ server {
     ssl_certificate {{ $s.SSL.Certificate }};
     ssl_certificate_key {{ $s.SSL.CertificateKey }};
 
+          {{- if not $.DisableSNIHostValidation }}
     if ($ssl_server_name != $host) {
         return 421;
     }
+          {{- end }}
         {{- else }}
           {{- if $.IPFamily.IPv4 }}
     listen {{ $s.Listen }}{{ $.RewriteClientIP.ProxyProtocol }};

internal/controller/nginx/config/servers_template.go

@@ -4024,3 +4024,41 @@ func TestGetIPFamily(t *testing.T) {
 		})
 	}
 }
+
+func TestExecuteServers_DisableSNIHostValidation(t *testing.T) {
+	t.Parallel()
+	g := NewWithT(t)
+
+	sslServer := dataplane.VirtualServer{
+		Hostname: "example.com",
+		SSL: &dataplane.SSL{
+			KeyPairID: "test-keypair",
+		},
+		Port: 8443,
+	}
+	gen := GeneratorImpl{}
+
+	// Case 1: DisableSNIHostValidation = false (default)
+	confWithValidation := dataplane.Configuration{
+		SSLServers: []dataplane.VirtualServer{sslServer},
+		BaseHTTPConfig: dataplane.BaseHTTPConfig{
+			DisableSNIHostValidation: false,
+		},
+	}
+	results := gen.executeServers(confWithValidation, &policiesfakes.FakeGenerator{}, alwaysFalseKeepAliveChecker)
+	serverConf := string(results[0].data)
+	g.Expect(serverConf).To(ContainSubstring("if ($ssl_server_name != $host)"),
+		"Expected SNI host validation block to be present when DisableSNIHostValidation is false")
+
+	// Case 2: DisableSNIHostValidation = true
+	confWithoutValidation := dataplane.Configuration{
+		SSLServers: []dataplane.VirtualServer{sslServer},
+		BaseHTTPConfig: dataplane.BaseHTTPConfig{
+			DisableSNIHostValidation: true,
+		},
+	}
+	results = gen.executeServers(confWithoutValidation, &policiesfakes.FakeGenerator{}, alwaysFalseKeepAliveChecker)
+	serverConf = string(results[0].data)
+	g.Expect(serverConf).NotTo(ContainSubstring("if ($ssl_server_name != $host)"),
+		"Expected SNI host validation block to be absent when DisableSNIHostValidation is true")
+}