feat(tls): trie-based reverse-hostname router for SNI matching #122
Description
Summary
Implement a trie-based domain router that processes hostnames in reverse (TLD-first) for efficient SNI and hostname matching, especially at scale with large numbers of domains and wildcard patterns.
Motivation
The current SNI resolution approach may not scale optimally when handling thousands of domains with mixed exact-match and wildcard patterns. A trie structure that processes hostnames in reverse (e.g., com.example.api instead of api.example.com) allows natural prefix matching at each label boundary, making wildcard lookups (*.example.com) a simple subtree match.
Prior Art
sozu-proxy implements this pattern in their TrieNode router (lib/src/router/pattern_trie.rs). Hostnames are reversed and inserted label-by-label into a trie, with wildcards and regex patterns supported at leaf nodes. This gives O(label-count) lookup regardless of total domain count.
Proposed Design
- Build a
TrieNode<V>structure where each node represents a DNS label - Insert hostnames reversed:
api.example.combecomes pathcom -> example -> api - Wildcard entries (
*.example.com) match any child at that level - Support exact-match priority over wildcard matches
- Use for both SNI certificate resolution and route hostname matching
Benefits
- O(k) lookup where k = number of labels in the hostname (typically 2-4), independent of total domain count
- Natural wildcard matching without linear scans
- Memory-efficient for domains sharing common suffixes (e.g., thousands of
*.example.comsubdomains)