envoy bad cert auto_config
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
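---
# Envoy v3 bootstrap for the "bad cert" repro: a TLS listener on :10000
# proxies every request to wrong.host.badssl.com:443 over TLS, with upstream
# certificate verification enabled and the upstream HTTP version chosen via
# ALPN (HttpProtocolOptions auto_config). Paths under /mnt come from the
# working directory mounted by the accompanying run script.
admin:
  # Admin requests are not logged.
  access_log_path: "/dev/null"
  address:
    # The admin API is unauthenticated and exposes config dumps, log-level and
    # drain controls. It binds to all interfaces only so the container port
    # mapping can reach it; the published host port should stay host-local.
    socket_address: { address: "0.0.0.0", port_value: 9901 }

static_resources:
  listeners:
    - name: listener_0
      address:
        socket_address: { address: "0.0.0.0", port_value: 10000 }
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                # Codec picked per connection (ALPN on this TLS listener).
                codec_type: AUTO
                route_config:
                  name: wrong-host-badssl
                  virtual_hosts:
                    - name: wrong-host-badssl
                      # Catch-all host: every request goes to the one cluster.
                      domains: ["*"]
                      routes:
                        - match: { prefix: "/" }
                          route: { cluster: wrong-host-badssl }
                http_filters:
                  - name: envoy.filters.http.router
                access_log:
                  - name: envoy.access_loggers.file
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                      path: /dev/stdout
                # Locally generated responses (e.g. upstream connect or TLS
                # failures) get a marker header so they can be told apart
                # from responses proxied back from the upstream. An empty
                # response_flag_filter matches every response flag.
                local_reply_config:
                  mappers:
                    - filter:
                        response_flag_filter: {}
                      headers_to_add:
                        - header:
                            key: "X-Example"
                            value: "Example"
          # Downstream TLS: the listener terminates TLS with the wildcard
          # localhost development certificate and key mounted at /mnt (the
          # PEM files published with this gist).
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext"
              common_tls_context:
                tls_certificates:
                  - certificate_chain:
                      filename: /mnt/_wildcard.localhost.pomerium.io.pem
                    private_key:
                      filename: /mnt/_wildcard.localhost.pomerium.io-key.pem
                alpn_protocols: ["h2", "http/1.1"]
      listener_filters:
        # Peeks at the ClientHello so SNI/ALPN are available to the filter chain.
        - name: envoy.filters.listener.tls_inspector
          typed_config:
            "@type": "type.googleapis.com/google.protobuf.Empty"

  clusters:
    - name: wrong-host-badssl
      connect_timeout: "10s"
      type: STRICT_DNS
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: wrong-host-badssl
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: "wrong.host.badssl.com"
                      port_value: 443
                      ipv4_compat: true
                # Endpoint metadata under envoy.transport_socket_match selects
                # the transport_socket_matches entry carrying the same key.
                metadata:
                  filter_metadata:
                    envoy.transport_socket_match:
                      ts-5WGDR3PIDELU7GYN9HB2OPTZEVRZY95OUHWFMJ9OIP6NYNIJSH: true
      # auto_config: choose HTTP/1.1 vs HTTP/2 per upstream connection from the
      # ALPN negotiated in the TLS handshake (protocols advertised below).
      typed_extension_protocol_options:
        envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
          "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
          auto_config: {}
      # Default upstream TLS, used when no transport_socket_matches entry
      # matches an endpoint. The server certificate is verified against the
      # system CA bundle and its SAN must equal wrong.host.badssl.com. That
      # badssl.com endpoint serves a certificate issued for a different name,
      # so the expected outcome is a verification failure, not a proxied
      # response -- this is the "bad cert" the repro exercises.
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          common_tls_context:
            validation_context:
              trusted_ca:
                filename: /etc/ssl/certs/ca-certificates.crt
              match_subject_alt_names:
                - exact: wrong.host.badssl.com
            alpn_protocols: ["h2", "http/1.1"]
          sni: wrong.host.badssl.com
      # Cluster.transport_socket_matches is a repeated field, so each entry is
      # a list item; a bare mapping here is rejected when the bootstrap is
      # parsed. This single entry carries the same UpstreamTlsContext as the
      # default above and is selected for the endpoint tagged with its key.
      transport_socket_matches:
        - name: ts-5WGDR3PIDELU7GYN9HB2OPTZEVRZY95OUHWFMJ9OIP6NYNIJSH
          match:
            ts-5WGDR3PIDELU7GYN9HB2OPTZEVRZY95OUHWFMJ9OIP6NYNIJSH: true
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
              common_tls_context:
                validation_context:
                  trusted_ca:
                    filename: /etc/ssl/certs/ca-certificates.crt
                  match_subject_alt_names:
                    - exact: wrong.host.badssl.com
                alpn_protocols: ["h2", "http/1.1"]
              sni: wrong.host.badssl.com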
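#!/bin/bash
# Runs the Envoy bootstrap from the current directory in the v1.17.3 image
# with trace logging; the script replaces itself with the container process
# and the container is removed when Envoy exits.
set -euo pipefail

# The working directory is mounted read-only: Envoy only reads the config and
# the certificate/key from it. Port 10000 (the TLS listener) is published on
# all host interfaces; port 9901 is the unauthenticated admin API, so it is
# bound to the host loopback only. Trace-level logs go to stdout and include
# per-request detail, which is appropriate only for a local repro like this.
exec docker run --rm -it \
  -v "$(pwd):/mnt:ro" \
  -p 10000:10000 \
  -p 127.0.0.1:9901:9901 \
  envoyproxy/envoy:v1.17.3 \
  --log-level trace \
  --bootstrap-version 3 \
  --config-path /mnt/envoy-config.yaml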