add option to set TLS Server Name

server/db/schemas/schema.ts

@@ -77,7 +77,8 @@ export const resources = sqliteTable("resources", {
     applyRules: integer("applyRules", { mode: "boolean" })
         .notNull()
         .default(false),
-    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true)
+    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
+    tlsServerName: text("tlsServerName").notNull().default("")
 });
 
 export const targets = sqliteTable("targets", {

server/lib/schemas.ts

@@ -9,3 +9,10 @@ export const subdomainSchema = z
     .min(1, "Subdomain must be at least 1 character long")
     .transform((val) => val.toLowerCase());
 
+export const tlsNameSchema = z
+    .string()
+    .regex(
+        /^(?!:\/\/)([a-zA-Z0-9-_]+\.)*[a-zA-Z0-9-_]+$|^$/,
+        "Invalid subdomain format"
+    )
+    .transform((val) => val.toLowerCase());

server/routers/resource/listResources.ts

@@ -68,7 +68,8 @@ function queryResources(
                 http: resources.http,
                 protocol: resources.protocol,
                 proxyPort: resources.proxyPort,
-                enabled: resources.enabled
+                enabled: resources.enabled,
+                tlsServerName: resources.tlsServerName
             })
             .from(resources)
             .leftJoin(sites, eq(resources.siteId, sites.siteId))
@@ -102,7 +103,8 @@ function queryResources(
                 http: resources.http,
                 protocol: resources.protocol,
                 proxyPort: resources.proxyPort,
-                enabled: resources.enabled
+                enabled: resources.enabled,
+                tlsServerName: resources.tlsServerName
             })
             .from(resources)
             .leftJoin(sites, eq(resources.siteId, sites.siteId))

server/routers/resource/updateResource.ts

@@ -16,7 +16,7 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import config from "@server/lib/config";
-import { subdomainSchema } from "@server/lib/schemas";
+import { subdomainSchema, tlsNameSchema } from "@server/lib/schemas";
 
 const updateResourceParamsSchema = z
     .object({
@@ -40,7 +40,8 @@ const updateHttpResourceBodySchema = z
         isBaseDomain: z.boolean().optional(),
         applyRules: z.boolean().optional(),
         domainId: z.string().optional(),
-        enabled: z.boolean().optional()
+        enabled: z.boolean().optional(),
+        tlsServerName: z.string().optional()
     })
     .strict()
     .refine((data) => Object.keys(data).length > 0, {
@@ -67,6 +68,15 @@ const updateHttpResourceBodySchema = z
         {
             message: "Base domain resources are not allowed"
         }
+    )
+    .refine(
+        (data) => {
+            if (data.tlsServerName) {
+                return tlsNameSchema.safeParse(data.tlsServerName).success;
+            }
+            return true;
+        },
+        { message: "Invalid TLS Server Name. Use domain name format, or save empty to remove the TLS Server Name." }
     );
 
 export type UpdateResourceResponse = Resource;

server/routers/traefik/getTraefikConfig.ts

@@ -40,7 +40,8 @@ export async function traefikConfigProvider(
                     org: {
                         orgId: orgs.orgId
                     },
-                    enabled: resources.enabled
+                    enabled: resources.enabled,
+                    tlsServerName: resources.tlsServerName
                 })
                 .from(resources)
                 .innerJoin(sites, eq(sites.siteId, resources.siteId))
@@ -139,6 +140,7 @@ export async function traefikConfigProvider(
             const routerName = `${resource.resourceId}-router`;
             const serviceName = `${resource.resourceId}-service`;
             const fullDomain = `${resource.fullDomain}`;
+            const transportName = `${resource.resourceId}-transport`;
 
             if (!resource.enabled) {
                 continue;
@@ -278,6 +280,21 @@ export async function traefikConfigProvider(
                             })
                     }
                 };
+
+                // Add the serversTransport if TLS server name is provided
+                if (resource.tlsServerName) {
+                    if (!config_output.http.serversTransports) {
+                        config_output.http.serversTransports = {};
+                    }
+                    config_output.http.serversTransports![transportName] = {
+                        serverName: resource.tlsServerName,
+                        //unfortunately the following needs to be set. traefik doesn't merge the default serverTransport settings 
+                        // if defined in the static config and here. if not set, self-signed certs won't work
+                        insecureSkipVerify: true
+                    };
+                    config_output.http.services![serviceName].loadBalancer.serversTransport = transportName;
+                }
+
             } else {
                 // Non-HTTP (TCP/UDP) configuration
                 const protocol = resource.protocol.toLowerCase();