Merged
14 changes: 14 additions & 0 deletions content/includes/ngf/sni-https.md
@@ -0,0 +1,14 @@
---
nd-product: FABRIC
---

## HTTPS Traffic without SNI (Server Name Indication)

Some frontend load balancers strip out SNI information before the traffic reaches the NGINX gateway. In order for NGINX to still process and forward this traffic properly, you must define your HTTPS Listener without a hostname. This instructs NGINX Gateway Fabric to configure a default HTTPS virtual server to handle non-SNI traffic. The TLS configuration on this Listener will be used to verify and terminate TLS for this traffic, before the Host header is then used to forward to the proper virtual server to handle the request. You can attach your HTTPRoutes to this empty Listener.

By default, NGINX Gateway Fabric verifies that the Listener hostname matches both the SNI and Host header on an incoming client request. This does not require the SNI and Host header to be the same. This is to avoid misdirected requests, and returns a 421 response code. If you run into issues and want to disable this SNI/Host verification, you can update the [NginxProxy CRD]({{< ref "/ngf/how-to/data-plane-configuration.md" >}}) with the following field in the spec:

```yaml
spec:
disableSNIHostValidation: true
```
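Review bot: The last paragraph of the new section offers `disableSNIHostValidation: true` to readers who "run into issues" without saying what the check protects or what is lost when it is turned off. The sentence "This is to avoid misdirected requests, and returns a 421 response code" also reads as if the validation itself returns 421; suggest stating that a request whose SNI or Host header does not match the Listener hostname is rejected with a 421, and adding one sentence on the trade-off of disabling the check and on which Gateways the NginxProxy setting applies to before showing the field.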
4 changes: 4 additions & 0 deletions content/ngf/traffic-management/https-termination.md
Expand Up @@ -276,8 +276,12 @@ Server address: 10.244.0.6:80
Server name: coffee-6b8b6d6486-7fc78
```

{{< include "ngf/sni-https.md" >}}

## See also

To set up a production-ready integration with cert-manager for HTTPS traffic, see the [Secure traffic using Let's Encrypt]({{< ref "/ngf/traffic-security/integrate-cert-manager.md" >}}) guide.

To learn more about redirects using the Gateway API, see the following resource:

- [Gateway API Redirects](https://gateway-api.sigs.k8s.io/guides/http-redirect-rewrite/)
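Review bot: The heading pulled in by the new include line, "HTTPS Traffic without SNI (Server Name Indication)", is title case, while the heading that follows it in this file, "See also", is sentence case. Suggest "HTTPS traffic without SNI (Server Name Indication)" in the include so the rendered page stays consistent, and consider whether a section about Listener setup belongs after the test output at the end of the guide or next to the step where the Listener is defined.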
2 changes: 2 additions & 0 deletions content/ngf/traffic-security/integrate-cert-manager.md
Expand Up @@ -303,6 +303,8 @@ Request ID: e64c54a2ac253375ac085d48980f000a
<...>
```

{{< include "ngf/sni-https.md" >}}

---

## See also
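Review bot: The included section tells readers to define the HTTPS Listener without a hostname and says the TLS configuration on that Listener terminates non-SNI traffic, but on this page the certificate comes from the cert-manager integration and the include does not say how a hostname-less Listener gets its certificate. Suggest adding a sentence here, outside the shared include, that explains which certificate such a Listener should reference in a cert-manager setup, or confirming that the shared text applies unchanged to this guide.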