BackendTLS Policy support is not working #1836

Closed
prasadrajesh opened this issue Apr 17, 2024 · 2 comments · Fixed by #1934
Labels: bug, community, refined, size/extra-small

@prasadrajesh
Describe the bug
While testing with BackendTLS Policy I am getting the below error. I am trying to connect to the backend "Istio ingress gateway", where TLS is enabled.

```
[error] 30#30: *1 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking to upstream
```

I went to Google and found that I should specify "proxy_ssl_server_name on;" (Ref: https://stackoverflow.com/a/59987689), and it is working if I add "proxy_ssl_server_name on;" manually. I also checked the official nginx page, where they say it is required when establishing a connection with the proxied HTTPS server.

I think the template doesn't have that parameter.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy this through the latest helm chart.
  2. Follow the document https://github.com/nginxinc/nginx-gateway-fabric/blob/main/site/content/how-to/traffic-management/securing-backend-traffic.md

Expected behavior
The server's location block should have "proxy_ssl_server_name on;" if I am using BackendTLS Policy support.

Your environment

  • Version of the NGINX Gateway Fabric - release version or a specific commit. The first line of the nginx-gateway container logs includes the commit info.
    ```
    ❯ kl ngf-nginx-gateway-fabric-58b5879fd7-2h8ll | head -10
    Defaulted container "nginx-gateway" out of: nginx-gateway, nginx
    {"level":"info","ts":"2024-04-17T13:38:56Z","msg":"Starting NGINX Gateway Fabric in static mode","version":"1.2.0","commit":"d8c67792561eb2a0c94b17e4d2674295277005c6","date":"2024-03-21T15:46:51Z"}
    ```

  • Version of Kubernetes
    ```
    ❯ kubectl version
    Client Version: v1.29.4
    Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
    Server Version: v1.28.5
    ```

  • Kubernetes platform (e.g. Mini-kube or GCP)
    AKS

  • Details on how you expose the NGINX Gateway Fabric Pod (e.g. Service of type LoadBalancer or port-forward)
    LoadBalancer

  • Logs of NGINX container: kubectl -n nginx-gateway logs -l app=nginx-gateway -c nginx
    ```
    2024/04/17 13:40:39 [error] 49#49: *19 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking to upstream, client: x.x.x.x, server: test1.prod.test.net, request: "GET / HTTP/1.1", upstream: "https://x.x.x.x:443/", host: "test1.prod.test.net"
    x.x.x.x - - [17/Apr/2024:13:40:39 +0000] "GET / HTTP/1.1" 502 157 "-" "curl/7.68.0"
    ```

  • NGINX Configuration: kubectl -n nginx-gateway exec <gateway-pod> -c nginx -- nginx -T
    ```nginx
    upstream nginx-gateway_example-service_443 {
        random two least_conn;
        zone nginx-gateway_example-service_443 512k;

        server x.x.x.x:443;
    }

    server {
        listen 443 ssl;
        ssl_certificate /etc/nginx/mail.pem;
        ssl_certificate_key /etc/nginx/mail_key.pem;

        if ($ssl_server_name != $host) {
            return 421;
        }

        server_name test1.prod.test.net;

        location / {
            proxy_set_header Host "$gw_api_compliant_host";
            proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
            proxy_set_header Upgrade "$http_upgrade";
            proxy_set_header Connection "$connection_upgrade";
            proxy_http_version 1.1;
            proxy_pass https://nginx-gateway_example-service_443$request_uri;
            proxy_ssl_verify on;
            proxy_ssl_name test1.prod.test.net;
            proxy_ssl_server_name on;
            proxy_ssl_trusted_certificate /etc/nginx/ca.pem;
        }
    }
    ```

Additional context
In the above example I am using a cert inside nginx, or the backend cert (assigned to Istio), that is signed by DigiCert.

@sjberman sjberman added the bug Something isn't working label Apr 17, 2024
@sjberman (Collaborator) commented Apr 17, 2024

@prasadrajesh Thanks for opening this issue. We'll take a look soon, but feel free to open a PR with the fix if you'd like!

@mpstefan (Collaborator)

Thanks for this bug report! From what we can tell, you're right - in some situations, this directive is required when we have multiple backends that terminate TLS with different certificates and names.

For anyone who picks this up, it looks like we'll just need to add "proxy_ssl_server_name on;" to our template.

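The root cause in this thread is that `proxy_ssl_name` only sets the name nginx verifies the upstream certificate against; whether that name is also sent in the TLS SNI extension is controlled separately by `proxy_ssl_server_name`, whose nginx default is `off`. A backend that selects its certificate by SNI (an Istio ingress gateway hosting several TLS names, for example) can reset the handshake when no SNI arrives, which is exactly the `peer closed connection in SSL handshake` log line in the report. The following script is an added example, not code from NGINX Gateway Fabric: it audits an `nginx -T` dump and flags every `location` that proxies over `https://` without `proxy_ssl_server_name on`. The embedded config is constructed to mirror the issue's, with the manually added directive removed from `location /` and a corrected `location /fixed` plus a plain-HTTP `location /plain` added for contrast; the upstream address `10.0.0.5` is a placeholder.

```python
"""Audit an `nginx -T` dump for HTTPS upstream locations that never send SNI.

Added example, not part of NGINX Gateway Fabric. The sample config below is
constructed for this illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """
upstream nginx-gateway_example-service_443 {
    random two least_conn;
    zone nginx-gateway_example-service_443 512k;
    server 10.0.0.5:443;   # constructed placeholder address
}
server {
    listen 443 ssl;
    server_name test1.prod.test.net;

    if ($ssl_server_name != $host) {
        return 421;
    }

    # As rendered at the time of the issue: verification is on and
    # proxy_ssl_name names the expected cert, but no SNI is ever sent.
    location / {
        proxy_set_header Host "$gw_api_compliant_host";
        proxy_http_version 1.1;
        proxy_pass https://nginx-gateway_example-service_443$request_uri;
        proxy_ssl_verify on;
        proxy_ssl_name test1.prod.test.net;
        proxy_ssl_trusted_certificate /etc/nginx/ca.pem;
    }

    # Corrected form: proxy_ssl_name is also sent as the SNI host name.
    location /fixed {
        proxy_pass https://nginx-gateway_example-service_443$request_uri;
        proxy_ssl_verify on;
        proxy_ssl_name test1.prod.test.net;
        proxy_ssl_server_name on;
        proxy_ssl_trusted_certificate /etc/nginx/ca.pem;
    }

    # Plain HTTP upstream: SNI does not apply, must not be flagged.
    location /plain {
        proxy_pass http://nginx-gateway_example-service_80;
    }
}
"""


@dataclass
class Location:
    path: str
    # Last value wins for repeated directives; enough for the checks below.
    directives: dict = field(default_factory=dict)


def parse_locations(config: str) -> list[Location]:
    """Minimal brace-tracking parser for `nginx -T` style output, where every
    block opener ends in `{` and every closer is a lone `}` on its own line."""
    locations: list[Location] = []
    stack: list = []  # a Location per open location block, None for other blocks
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            match = re.match(r"location\s+(.+)", line[:-1].strip())
            loc = Location(match.group(1).strip()) if match else None
            stack.append(loc)
            if loc is not None:
                locations.append(loc)
        elif line == "}":
            stack.pop()
        elif line.endswith(";") and stack and stack[-1] is not None:
            name, _, value = line[:-1].partition(" ")
            stack[-1].directives[name] = value.strip()
    return locations


def find_missing_sni(config: str) -> list[tuple[str, str]]:
    """Return (location path, proxy_ssl_name) for every https proxy_pass
    location that does not enable proxy_ssl_server_name."""
    findings = []
    for loc in parse_locations(config):
        if not loc.directives.get("proxy_pass", "").startswith("https://"):
            continue
        # nginx's default for proxy_ssl_server_name is off, so absence == off.
        if loc.directives.get("proxy_ssl_server_name", "off") != "on":
            findings.append((loc.path, loc.directives.get("proxy_ssl_name", "(unset)")))
    return findings


if __name__ == "__main__":
    for path, name in find_missing_sni(SAMPLE_CONFIG):
        print(f"location {path}: https upstream verified as {name} "
              f"but proxy_ssl_server_name is off (no SNI sent)")
```

To run it against a live gateway, pipe `kubectl -n nginx-gateway exec <gateway-pod> -c nginx -- nginx -T` into `find_missing_sni` instead of `SAMPLE_CONFIG`. To confirm that a particular backend really is SNI-sensitive, compare `openssl s_client -connect <backend>:443 -servername test1.prod.test.net` with the same command without `-servername`; a backend that needs the directive completes the first handshake and drops the second, matching the reset in the issue's log.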
@mpstefan mpstefan added this to the v1.3.0 milestone Apr 22, 2024
@salonichf5 salonichf5 self-assigned this May 3, 2024
@sindhushiv sindhushiv added refined Requirements are refined and the issue is ready to be implemented. size/extra-small Estimated to be completed within a day labels May 6, 2024