From a249aec2500215bfcc26dc19389ee99ca3d57d83 Mon Sep 17 00:00:00 2001
From: Nanook
Date: Sun, 12 Apr 2026 07:39:34 +0000
Subject: [PATCH 1/2] feat: add SNI field to SslDigest for HTTP filter context access

Fixes #547
Add sni: Option to SslDigest struct so that the SNI can be retrieved from req_filter() callbacks via session.digest().ssl_digest.sni. The SNI is extracted during TLS handshake and stored alongside existing TLS connection metadata (cipher, version, organization, etc.) in the SslDigest struct. Supported across all TLS backends:
- BoringSSL/OpenSSL: via ssl.servername(NameType::HOST_NAME)
- Rustls: via session.server_name()
- s2n: via conn.server_name()
Co-Authored-By: Claude Opus 4.6
---
 pingora-core/src/protocols/tls/boringssl_openssl/stream.rs | 6 +++++-
 pingora-core/src/protocols/tls/digest.rs | 4 ++++
 pingora-core/src/protocols/tls/rustls/stream.rs | 7 ++++++-
 pingora-core/src/protocols/tls/s2n/stream.rs | 3 +++
 4 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/pingora-core/src/protocols/tls/boringssl_openssl/stream.rs b/pingora-core/src/protocols/tls/boringssl_openssl/stream.rs
index 894244c0..bb021926 100644
--- a/pingora-core/src/protocols/tls/boringssl_openssl/stream.rs
+++ b/pingora-core/src/protocols/tls/boringssl_openssl/stream.rs
@@ -209,7 +209,11 @@ impl SslDigest {
 None => (Vec::new(), None, None),
 };
 
- SslDigest::new(cipher, ssl.version_str(), org, sn, cert_digest)
+ let sni = ssl
+ .servername(ssl::NameType::HOST_NAME)
+ .map(ToOwned::to_owned);
+
+ SslDigest::new(cipher, ssl.version_str(), org, sn, cert_digest, sni)
 }
 }
 
diff --git a/pingora-core/src/protocols/tls/digest.rs b/pingora-core/src/protocols/tls/digest.rs
index 58ecf3b6..765580c9 100644
--- a/pingora-core/src/protocols/tls/digest.rs
+++ b/pingora-core/src/protocols/tls/digest.rs
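Review bot: In `boringssl_openssl/stream.rs` the new `ssl.servername(ssl::NameType::HOST_NAME)` call has no server-side guard, while the rustls hunk returns `None` for every stream that is not `RusTlsStream::Server`, so `sni` can mean different things depending on the TLS backend. If this constructor also builds digests for upstream (client) connections, the field would hold the name the proxy itself sent rather than a client-supplied one; the s2n hunk's `conn.server_name()` raises the same question. I would gate it, e.g. `let sni = if ssl.is_server() { ssl.servername(ssl::NameType::HOST_NAME).map(ToOwned::to_owned) } else { None };`, assuming the wrapped `SslRef` exposes `is_server()`. The enclosing function starts above the hunk, so how `ssl` is obtained is not visible here.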
@@ -31,6 +31,8 @@ pub struct SslDigest {
 pub serial_number: Option,
 /// The digest of the peer's certificate
 pub cert_digest: Vec,
+ /// The SNI (Server Name Indication) from the TLS handshake
+ pub sni: Option,
 /// The user-defined TLS data
 pub extension: SslDigestExtension,
 }
@@ -43,6 +45,7 @@ impl SslDigest {
 organization: Option,
 serial_number: Option,
 cert_digest: Vec,
+ sni: Option,
 ) -> Self
 where
 S: Into>,
@@ -53,6 +56,7 @@ impl SslDigest {
 organization,
 serial_number,
 cert_digest,
+ sni,
 extension: SslDigestExtension::default(),
 }
 }
diff --git a/pingora-core/src/protocols/tls/rustls/stream.rs b/pingora-core/src/protocols/tls/rustls/stream.rs
index f2a0ddae..408ccc99 100644
--- a/pingora-core/src/protocols/tls/rustls/stream.rs
+++ b/pingora-core/src/protocols/tls/rustls/stream.rs
@@ -390,7 +390,12 @@ impl SslDigest {
 .map(|(organization, serial)| (organization, Some(serial)))
 .unwrap_or_default();
 
- SslDigest::new(cipher, version, organization, serial_number, cert_digest)
+ let sni = match stream {
+ RusTlsStream::Server(s) => s.get_ref().1.server_name().map(ToOwned::to_owned),
+ _ => None,
+ };
+
+ SslDigest::new(cipher, version, organization, serial_number, cert_digest, sni)
 }
 }
 
diff --git a/pingora-core/src/protocols/tls/s2n/stream.rs b/pingora-core/src/protocols/tls/s2n/stream.rs
index 3f12ea44..b455b2e4 100644
--- a/pingora-core/src/protocols/tls/s2n/stream.rs
+++ b/pingora-core/src/protocols/tls/s2n/stream.rs
@@ -307,12 +307,15 @@ impl SslDigest {
 }
 }
 
+ let sni = conn.server_name().map(ToOwned::to_owned);
+
 SslDigest::new(
 cipher,
 version,
 organization,
 serial_number,
 cert_digest.unwrap_or_default(),
+ sni,
 )
 }
 }

From f84f9e7e961966fc63dea07885ab1667a8305c69 Mon Sep 17 00:00:00 2001
From: Nanook
Date: Sun, 12 Apr 2026 08:05:31 +0000
Subject: [PATCH 2/2] style: apply cargo fmt to SslDigest::new call

---
 pingora-core/src/protocols/tls/rustls/stream.rs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
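Review bot: The doc comment on the new `sni` field in `digest.rs` does not say that the value is chosen by the client and taken as-is from its ClientHello; nothing ties it to the `Host`/`:authority` of requests later sent on the same connection. Since the commit exists to expose the field to `req_filter()` callbacks, that caveat belongs on the field itself. I would write `/// The SNI (Server Name Indication) the client sent in its ClientHello, if any.` followed by `/// Client-supplied and unauthenticated: compare it with the request authority before using it for routing or access decisions.`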
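Review bot: `sni` is added as a sixth positional parameter of `SslDigest::new` in `digest.rs`, next to `organization` and `serial_number`, which appear to be `Option`s of the same type (the generic arguments are stripped on this page), so a swapped argument at a call site would still compile. The signature line is outside the hunk, so whether `new` is public is not visible; if it is, this is also a source-breaking change for out-of-tree callers. Keeping `new` unchanged and adding a setter such as `pub fn with_sni(mut self, sni: Option<String>) -> Self { self.sni = sni; self }` (type presumed from the `.map(ToOwned::to_owned)` call sites) would avoid both.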
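Review bot: The `_ => None` arm in `rustls/stream.rs` covers every stream kind except `Server` without saying why, and a catch-all on an enum the crate owns hides the decision if a variant is added later. Name the arm explicitly, for example `RusTlsStream::Client(_) => None, // outbound: no peer-supplied SNI`, if `Client` is the only other variant (the enum definition is outside the hunk). The diffstat also lists no test file, so nothing visible here asserts that `sni` is populated after a server-side handshake on any backend.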
diff --git a/pingora-core/src/protocols/tls/rustls/stream.rs b/pingora-core/src/protocols/tls/rustls/stream.rs
index 408ccc99..10c65335 100644
--- a/pingora-core/src/protocols/tls/rustls/stream.rs
+++ b/pingora-core/src/protocols/tls/rustls/stream.rs
@@ -395,7 +395,14 @@ impl SslDigest {
 _ => None,
 };
 
- SslDigest::new(cipher, version, organization, serial_number, cert_digest, sni)
+ SslDigest::new(
+ cipher,
+ version,
+ organization,
+ serial_number,
+ cert_digest,
+ sni,
+ )
 }
 }
 