caddytls: Support wildcard matching in ServerName conn policy matcher

modules/caddytls/connpolicy.go

@@ -76,6 +76,7 @@ func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) *tls.Config {
 	// using ServerName to match policies is extremely common, especially in configs
 	// with lots and lots of different policies; we can fast-track those by indexing
 	// them by SNI, so we don't have to iterate potentially thousands of policies
+	// (TODO: this map does not account for wildcards, see if this is a problem in practice?)
 	indexedBySNI := make(map[string]ConnectionPolicies)
 	if len(cp) > 30 {
 		for _, p := range cp {

modules/caddytls/matchers.go

@@ -16,6 +16,7 @@ package caddytls
 
 import (
 	"crypto/tls"
+	"strings"
 
 	"github.com/caddyserver/caddy/v2"
 )
@@ -24,7 +25,9 @@ func init() {
 	caddy.RegisterModule(MatchServerName{})
 }
 
-// MatchServerName matches based on SNI.
+// MatchServerName matches based on SNI. Names in
+// this list may use left-most-label wildcards,
+// similar to wildcard certificates.
 type MatchServerName []string
 
 // CaddyModule returns the Caddy module information.
@@ -38,10 +41,23 @@ func (MatchServerName) CaddyModule() caddy.ModuleInfo {
 // Match matches hello based on SNI.
 func (m MatchServerName) Match(hello *tls.ClientHelloInfo) bool {
 	for _, name := range m {
-		// TODO: support wildcards (and regex?)
 		if hello.ServerName == name {
 			return true
 		}
+
+		// check for wildcard match on this name, but only
+		// bother if there is even a wildcard character
+		if !strings.Contains(name, "*") {
+			continue
+		}
+		labels := strings.Split(hello.ServerName, ".")
+		for i := range labels {
+			labels[i] = "*"
+			candidate := strings.Join(labels, ".")
+			if candidate == name {
+				return true
+			}
+		}
 	}
 	return false
 }

modules/caddytls/matchers_test.go

@@ -0,0 +1,86 @@
+// Copyright 2015 Matthew Holt and The Caddy Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package caddytls
+
+import (
+	"crypto/tls"
+	"testing"
+)
+
+func TestServerNameMatcher(t *testing.T) {
+	for i, tc := range []struct {
+		names  []string
+		input  string
+		expect bool
+	}{
+		{
+			names:  []string{"example.com"},
+			input:  "example.com",
+			expect: true,
+		},
+		{
+			names:  []string{"example.com"},
+			input:  "foo.com",
+			expect: false,
+		},
+		{
+			names:  []string{"example.com"},
+			input:  "",
+			expect: false,
+		},
+		{
+			names:  []string{},
+			input:  "",
+			expect: false,
+		},
+		{
+			names:  []string{"foo", "example.com"},
+			input:  "example.com",
+			expect: true,
+		},
+		{
+			names:  []string{"foo", "example.com"},
+			input:  "sub.example.com",
+			expect: false,
+		},
+		{
+			names:  []string{"foo", "example.com"},
+			input:  "foo.com",
+			expect: false,
+		},
+		{
+			names:  []string{"*.example.com"},
+			input:  "example.com",
+			expect: false,
+		},
+		{
+			names:  []string{"*.example.com"},
+			input:  "sub.example.com",
+			expect: true,
+		},
+		{
+			names:  []string{"*.example.com", "*.sub.example.com"},
+			input:  "sub2.sub.example.com",
+			expect: true,
+		},
+	} {
+		chi := &tls.ClientHelloInfo{ServerName: tc.input}
+		actual := MatchServerName(tc.names).Match(chi)
+		if actual != tc.expect {
+			t.Errorf("Test %d: Expected %t but got %t (input=%s match=%v)",
+				i, tc.expect, actual, tc.input, tc.names)
+		}
+	}
+}