Skip to main content

validate_sni_pattern

Function validate_sni_pattern 

Source
pub fn validate_sni_pattern(sni: &str) -> Result<String, ConfigError>
Expand description

Validates and normalizes a TCP frontend’s SNI pattern (sozu-proxy/sozu#1279): either an exact hostname or a single leading *. wildcard label. Rejects an embedded * anywhere else (so *.*.example.com and foo.*.com are both invalid), a bare *, any empty label (leading/trailing/consecutive dots), and any non-ASCII character (ConfigError::NonAsciiSniPattern) — on-wire SNI is always an ASCII A-label (RFC 6066 §3 / IDNA), so a Unicode U-label would load fine but never match at runtime, a silent routing failure. Full IDNA/ punycode transformation at config-load is intentionally out of scope (no idna dependency in this crate); operators write the A-label form directly, consistent with what the HTTP router produces via idna::domain_to_ascii in lib/src/router/mod.rs. ASCII-lowercases the accepted pattern for case-insensitive comparison.

Public: this is the SINGLE SNI shape validator shared by TOML config load (this module) and the worker’s request boundary (TcpListener::validate_new_tcp_front in lib/src/tcp.rs), which an AddTcpFrontend sent directly over the command socket, or a LoadState replay, can reach without ever going through config-load — both call sites must reject the identical set of malformed shapes.