Good idea, done. Thanks. That improvement will go out with beta 12.
Tangentially: In the future, I’m hoping we’ll be able to enable HTTPS by default for all servers, regardless of their ports (except port 80) or domain names – but this’ll require a good way to manage certificates for non-public hostnames, and to know when the hostnames aren’t public.
Looks like for such catchall configs, the logs entry is also needed for http access logs:
Like for “tls_connection_policies”, it would be nice to make this also not required.
Imo for public hostnames it’s already close to perfect.
Extending it to private hostnames could be good, but it has the potential to add a lot of complexity. It would be useful mostly for enterprise folks, but most of them like to run their own CA for such internal certificates and like to control this tightly. Could be worth fleshing this out with some motivated potential users.
Determining internal hostnames is tricky but one proxy is to use the Google DNS API to check if a newly encountered hostname has some public record.
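The proxy check suggested above, written out as an added example (this is illustration code, not Caddy's own code and not code from anyone in this thread). It queries Google's DNS-over-HTTPS JSON endpoint (https://dns.google/resolve, parameters `name` and `type`, response fields `Status` and `Answer[].type`/`Answer[].data`) and goes one step beyond "does a public record exist": a name whose public records all point into RFC 1918, loopback or link-local space (split-horizon leakage) is reported as `private-only`, since such a host cannot complete HTTP-01 or TLS-ALPN-01 validation either, and a SERVFAIL or transport error is kept distinct from NXDOMAIN so it is never mistaken for "no record". The verdict names, the `rank` ordering and the sample response are assumptions of this example; the sample JSON is constructed, not captured from dns.google.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"os"
	"time"
)

// dohResponse holds the fields of Google's DoH JSON answer (https://dns.google/resolve) used here.
type dohResponse struct {
	Status int `json:"Status"` // DNS RCODE: 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
	Answer []struct {
		Type int    `json:"type"` // RR type: 1 = A, 5 = CNAME, 28 = AAAA
		Data string `json:"data"`
	} `json:"Answer"`
}

// Verdict is what public DNS says about a hostname (naming is this example's, not a standard).
type Verdict string
const (
	NoRecord      Verdict = "no-record"     // NXDOMAIN, or NOERROR with no A/AAAA data
	PrivateOnly   Verdict = "private-only"  // records exist, but all point into RFC 1918/loopback/link-local space
	Indeterminate Verdict = "indeterminate" // SERVFAIL/REFUSED/transport error: never treat as public
	Public        Verdict = "public"        // at least one globally routable address
)
// rank merges A and AAAA verdicts by strength: a public address wins, and an error never becomes "no record".
var rank = map[Verdict]int{NoRecord: 0, PrivateOnly: 1, Indeterminate: 2, Public: 3}

// classify maps one decoded response to a Verdict; separate from the network call so it can be tested offline.
func classify(resp dohResponse) Verdict {
	if resp.Status == 3 {
		return NoRecord
	}
	if resp.Status != 0 {
		return Indeterminate
	}
	sawAddr := false
	for _, rr := range resp.Answer {
		if rr.Type != 1 && rr.Type != 28 {
			continue // CNAMEs carry no address; the chased A/AAAA records follow in the same list
		}
		ip := net.ParseIP(rr.Data) // nil for malformed data, which is then ignored
		sawAddr = sawAddr || ip != nil
		// A record that points into private space (split-horizon leakage) is still unreachable
		// for HTTP-01 / TLS-ALPN-01 validation, so it does not count as public.
		if ip != nil && !ip.IsPrivate() && !ip.IsLoopback() && !ip.IsLinkLocalUnicast() && !ip.IsUnspecified() {
			return Public
		}
	}
	if sawAddr {
		return PrivateOnly
	}
	return NoRecord
}

// classifyJSON decodes a raw response body and classifies it.
func classifyJSON(body []byte) (Verdict, error) {
	var resp dohResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return Indeterminate, err
	}
	return classify(resp), nil
}

// lookup fetches one RR type for host from dns.google and classifies the answer.
func lookup(client *http.Client, host, qtype string) (Verdict, error) {
	q := url.Values{"name": {host}, "type": {qtype}}
	r, err := client.Get("https://dns.google/resolve?" + q.Encode())
	if err != nil {
		return Indeterminate, err
	}
	defer r.Body.Close()
	if r.StatusCode != http.StatusOK { // an error page must not decode into an empty NOERROR answer
		return Indeterminate, fmt.Errorf("dns.google returned HTTP %d", r.StatusCode)
	}
	var resp dohResponse
	if err := json.NewDecoder(r.Body).Decode(&resp); err != nil {
		return Indeterminate, err
	}
	return classify(resp), nil
}

func main() {
	// Constructed response, not captured from dns.google: a CNAME chased to an RFC 1918 address.
	v, err := classifyJSON([]byte(`{"Status":0,"Answer":[{"name":"db.corp.example.","type":5,"TTL":60,"data":"db.internal.example."},{"name":"db.internal.example.","type":1,"TTL":60,"data":"10.1.2.3"}]}`))
	fmt.Println("constructed sample:", v, err)
	if len(os.Args) > 1 { // live check: strongest of the A and AAAA verdicts (errors surface as Indeterminate)
		client := &http.Client{Timeout: 5 * time.Second}
		a, _ := lookup(client, os.Args[1], "A")
		if aaaa, _ := lookup(client, os.Args[1], "AAAA"); rank[aaaa] > rank[a] {
			a = aaaa
		}
		fmt.Println(os.Args[1], "->", a)
	}
}
```

Run with a hostname as the only argument to do the live check; with no argument it only classifies the embedded sample. A `public` verdict says only that the name resolves to a routable address from Google's vantage point, not that the server is reachable or that an ACME challenge will pass, so it is a reasonable gate for attempting automatic HTTPS, not a guarantee.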