Pass endpoint to the client (#811)

This allows us to automatically set TLS parameters, useful for `boundary connect http` and some other features to come.
6 years ago · d4a6efb363
parent 71ed04db9b
commit d4a6efb363
9 changed files with 101 additions and 46 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -12,6 +12,9 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.
 * controller: Relax account login name constraints to allow dash as valid character 
  ([Issue](https://github.com/hashicorp/boundary/issues/759))
  ([PR](https://github.com/hashicorp/boundary/pull/806))
+* cli/connect/http: Pass endpoint address through to allow setting TLS server
+  name directly in most cases
+  ([PR](https://github.com/hashicorp/boundary/pull/811))

 ### Bug Fixes

--- a/api/targets/session_authorization.gen.go
+++ b/api/targets/session_authorization.gen.go
@ -17,4 +17,5 @@ type SessionAuthorization struct {
 	HostId             string            `json:"host_id,omitempty"`
 	Type               string            `json:"type,omitempty"`
 	AuthorizationToken string            `json:"authorization_token,omitempty"`
+	Endpoint           string            `json:"endpoint,omitempty"`
 }
--- a/internal/cmd/commands/connect/connect.go
+++ b/internal/cmd/commands/connect/connect.go
@ -734,7 +734,13 @@ func (c *Command) handleExec(passthroughArgs []string) {

 	switch c.Func {
 	case "http":
-		args = append(args, c.httpFlags.buildArgs(c, port, ip, addr)...)
+		httpArgs, err := c.httpFlags.buildArgs(c, port, ip, addr)
+		if err != nil {
+			c.Error(fmt.Sprintf("Error parsing session args: %s", err))
+			c.execCmdReturnValue.Store(int32(3))
+			return
+		}
+		args = append(args, httpArgs...)

 	case "postgres":
 		args = append(args, c.postgresFlags.buildArgs(c, port, ip, addr)...)
--- a/internal/cmd/commands/connect/http.go
+++ b/internal/cmd/commands/connect/http.go
@ -2,6 +2,7 @@ package connect

 import (
 	"fmt"
+	"net/url"
 	"strings"

 	"github.com/hashicorp/boundary/internal/cmd/base"
@ -29,7 +30,7 @@ func httpOptions(c *Command, set *base.FlagSets) {
 		Target:     &c.flagHttpHost,
 		EnvVar:     "BOUNDARY_CONNECT_HTTP_HOST",
 		Completion: complete.PredictNothing,
-		Usage:      `Specifies the host value to use. The specified hostname will be passed through to the client (if supported) for use in the Host header and TLS SNI value.`,
+		Usage:      `Specifies the host value to use, overriding the endpoint address from the session information. The specified hostname will be passed through to the client (if supported) for use in the Host header and TLS SNI value.`,
 	})

 	f.StringVar(&base.StringVar{
@ -70,19 +71,28 @@ func (h *httpFlags) defaultExec() string {
 	return strings.ToLower(h.flagHttpStyle)
 }

-func (h *httpFlags) buildArgs(c *Command, port, ip, addr string) []string {
+func (h *httpFlags) buildArgs(c *Command, port, ip, addr string) ([]string, error) {
 	var args []string
+	host := h.flagHttpHost
+	if host == "" && c.sessionAuthzData.GetEndpoint() != "" {
+		hostUrl := c.sessionAuthzData.GetEndpoint()
+		u, err := url.Parse(hostUrl)
+		if err != nil {
+			return nil, fmt.Errorf("error parsing endpoint URL: %w", err)
+		}
+		host = u.Hostname()
+	}
 	switch h.flagHttpStyle {
 	case "curl":
 		if h.flagHttpMethod != "" {
 			args = append(args, "-X", h.flagHttpMethod)
 		}
 		var uri string
-		if h.flagHttpHost != "" {
-			h.flagHttpHost = strings.TrimSuffix(h.flagHttpHost, "/")
-			args = append(args, "-H", fmt.Sprintf("Host: %s", h.flagHttpHost))
-			args = append(args, "--resolve", fmt.Sprintf("%s:%s:%s", h.flagHttpHost, port, ip))
-			uri = fmt.Sprintf("%s://%s:%s", h.flagHttpScheme, h.flagHttpHost, port)
+		if host != "" {
+			host = strings.TrimSuffix(host, "/")
+			args = append(args, "-H", fmt.Sprintf("Host: %s", host))
+			args = append(args, "--resolve", fmt.Sprintf("%s:%s:%s", host, port, ip))
+			uri = fmt.Sprintf("%s://%s:%s", h.flagHttpScheme, host, port)
 		} else {
 			uri = fmt.Sprintf("%s://%s", h.flagHttpScheme, addr)
 		}
@ -91,5 +101,5 @@ func (h *httpFlags) buildArgs(c *Command, port, ip, addr string) []string {
 		}
 		args = append(args, uri)
 	}
-	return args
+	return args, nil
 }
--- a/internal/cmd/commands/targets/funcs.go
+++ b/internal/cmd/commands/targets/funcs.go
@ -99,6 +99,7 @@ func generateAuthorizationTableOutput(in *targets.SessionAuthorization) string {
 		"Scope ID":            in.Scope.Id,
 		"User ID":             in.UserId,
 		"Host ID":             in.HostId,
+		"Endpoint":            in.Endpoint,
 		"Created Time":        in.CreatedTime.Local().Format(time.RFC1123),
 		"Type":                in.Type,
 		"Authorization Token": in.AuthorizationToken,
--- a/internal/gen/controller.swagger.json
+++ b/internal/gen/controller.swagger.json
@ -3151,6 +3151,11 @@
          "type": "string",
          "description": "Output only. The marshaled SessionAuthorizationData message containing all information that the proxy needs.",
          "readOnly": true
+        },
+        "endpoint": {
+          "type": "string",
+          "description": "Output only. The endpoint address that the worker will connect to, useful for setting TLS parameters.",
+          "readOnly": true
        }
      },
      "description": "SessionAuthorization contains all fields related to authorization for a Session. It's in the Targets package because it's returned by a Target's authorize action."
--- a/internal/gen/controller/api/resources/targets/target.pb.go
+++ b/internal/gen/controller/api/resources/targets/target.pb.go
@ -376,6 +376,8 @@ type SessionAuthorizationData struct {
 	PrivateKey []byte `protobuf:"bytes,130,opt,name=private_key,proto3" json:"private_key,omitempty"`
 	// Output only. The host ID...not used for security purposes, but for some special command handling (e.g. ssh host key aliasing).
 	HostId string `protobuf:"bytes,140,opt,name=host_id,json=hostId,proto3" json:"host_id,omitempty"`
+	// Output only. The endpoint, for some special command handling.
+	Endpoint string `protobuf:"bytes,141,opt,name=endpoint,proto3" json:"endpoint,omitempty"`
 	// Output only. Worker information. The first worker in the array should be prioritized.
 	WorkerInfo []*WorkerInfo `protobuf:"bytes,150,rep,name=worker_info,proto3" json:"worker_info,omitempty"`
 }
@ -475,6 +477,13 @@ func (x *SessionAuthorizationData) GetHostId() string {
 	return ""
 }

+func (x *SessionAuthorizationData) GetEndpoint() string {
+	if x != nil {
+		return x.Endpoint
+	}
+	return ""
+}
+
 func (x *SessionAuthorizationData) GetWorkerInfo() []*WorkerInfo {
 	if x != nil {
 		return x.WorkerInfo
@ -506,6 +515,8 @@ type SessionAuthorization struct {
 	Type string `protobuf:"bytes,80,opt,name=type,proto3" json:"type,omitempty"`
 	// Output only. The marshaled SessionAuthorizationData message containing all information that the proxy needs.
 	AuthorizationToken string `protobuf:"bytes,90,opt,name=authorization_token,proto3" json:"authorization_token,omitempty"`
+	// Output only. The endpoint address that the worker will connect to, useful for setting TLS parameters.
+	Endpoint string `protobuf:"bytes,100,opt,name=endpoint,proto3" json:"endpoint,omitempty"`
 }

 func (x *SessionAuthorization) Reset() {
@ -603,6 +614,13 @@ func (x *SessionAuthorization) GetAuthorizationToken() string {
 	return ""
 }

+func (x *SessionAuthorization) GetEndpoint() string {
+	if x != nil {
+		return x.Endpoint
+	}
+	return ""
+}
+
 var File_controller_api_resources_targets_v1_target_proto protoreflect.FileDescriptor

 var file_controller_api_resources_targets_v1_target_proto_rawDesc = []byte{
@ -696,7 +714,7 @@ var file_controller_api_resources_targets_v1_target_proto_rawDesc = []byte{
 	0x6f, 0x72, 0x74, 0x52, 0x0c, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x70, 0x6f, 0x72,
 	0x74, 0x22, 0x26, 0x0a, 0x0a, 0x57, 0x6f, 0x72, 0x6b, 0x65, 0x72, 0x49, 0x6e, 0x66, 0x6f, 0x12,
 	0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x22, 0xd0, 0x03, 0x0a, 0x18, 0x53, 0x65,
+	0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x22, 0xed, 0x03, 0x0a, 0x18, 0x53, 0x65,
 	0x73, 0x73, 0x69, 0x6f, 0x6e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69,
 	0x6f, 0x6e, 0x44, 0x61, 0x74, 0x61, 0x12, 0x1e, 0x0a, 0x0a, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f,
 	0x6e, 0x5f, 0x69, 0x64, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x65, 0x73, 0x73,
@ -720,42 +738,45 @@ var file_controller_api_resources_targets_v1_target_proto_rawDesc = []byte{
 	0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x82, 0x01, 0x20, 0x01, 0x28,
 	0x0c, 0x52, 0x0b, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x12, 0x18,
 	0x0a, 0x07, 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x8c, 0x01, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x06, 0x68, 0x6f, 0x73, 0x74, 0x49, 0x64, 0x12, 0x52, 0x0a, 0x0b, 0x77, 0x6f, 0x72, 0x6b,
-	0x65, 0x72, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0x96, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2f,
-	0x2e, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2e, 0x61, 0x70, 0x69, 0x2e,
-	0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2e, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74,
-	0x73, 0x2e, 0x76, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x65, 0x72, 0x49, 0x6e, 0x66, 0x6f, 0x52,
-	0x0b, 0x77, 0x6f, 0x72, 0x6b, 0x65, 0x72, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x22, 0xf5, 0x02, 0x0a,
-	0x14, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1e, 0x0a, 0x0a, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e,
-	0x5f, 0x69, 0x64, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x65, 0x73, 0x73, 0x69,
-	0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f,
-	0x69, 0x64, 0x18, 0x14, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74,
-	0x5f, 0x69, 0x64, 0x12, 0x43, 0x0a, 0x05, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x18, 0x1e, 0x20, 0x01,
-	0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2e,
-	0x61, 0x70, 0x69, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2e, 0x73, 0x63,
-	0x6f, 0x70, 0x65, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x49, 0x6e, 0x66,
-	0x6f, 0x52, 0x05, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x12, 0x3e, 0x0a, 0x0c, 0x63, 0x72, 0x65, 0x61,
-	0x74, 0x65, 0x64, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x28, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a,
-	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
-	0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0c, 0x63, 0x72, 0x65, 0x61,
-	0x74, 0x65, 0x64, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x75, 0x73, 0x65, 0x72,
-	0x5f, 0x69, 0x64, 0x18, 0x32, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x75, 0x73, 0x65, 0x72, 0x5f,
-	0x69, 0x64, 0x12, 0x20, 0x0a, 0x0b, 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x74, 0x5f, 0x69,
-	0x64, 0x18, 0x3c, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x73, 0x65,
-	0x74, 0x5f, 0x69, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x69, 0x64, 0x18,
-	0x46, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x69, 0x64, 0x12, 0x12,
-	0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x50, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79,
-	0x70, 0x65, 0x12, 0x30, 0x0a, 0x13, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x5a, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x13, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x74,
-	0x6f, 0x6b, 0x65, 0x6e, 0x42, 0x55, 0x5a, 0x53, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63,
-	0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x62, 0x6f, 0x75,
-	0x6e, 0x64, 0x61, 0x72, 0x79, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x67,
-	0x65, 0x6e, 0x2f, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2f, 0x61, 0x70,
-	0x69, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2f, 0x74, 0x61, 0x72, 0x67,
-	0x65, 0x74, 0x73, 0x3b, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x33,
+	0x52, 0x06, 0x68, 0x6f, 0x73, 0x74, 0x49, 0x64, 0x12, 0x1b, 0x0a, 0x08, 0x65, 0x6e, 0x64, 0x70,
+	0x6f, 0x69, 0x6e, 0x74, 0x18, 0x8d, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x65, 0x6e, 0x64,
+	0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x52, 0x0a, 0x0b, 0x77, 0x6f, 0x72, 0x6b, 0x65, 0x72, 0x5f,
+	0x69, 0x6e, 0x66, 0x6f, 0x18, 0x96, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x63, 0x6f,
+	0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x72, 0x65, 0x73,
+	0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2e, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x73, 0x2e, 0x76,
+	0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x65, 0x72, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x0b, 0x77, 0x6f,
+	0x72, 0x6b, 0x65, 0x72, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x22, 0x91, 0x03, 0x0a, 0x14, 0x53, 0x65,
+	0x73, 0x73, 0x69, 0x6f, 0x6e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69,
+	0x6f, 0x6e, 0x12, 0x1e, 0x0a, 0x0a, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64,
+	0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f,
+	0x69, 0x64, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18,
+	0x14, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x69, 0x64,
+	0x12, 0x43, 0x0a, 0x05, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x18, 0x1e, 0x20, 0x01, 0x28, 0x0b, 0x32,
+	0x2d, 0x2e, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2e, 0x61, 0x70, 0x69,
+	0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2e, 0x73, 0x63, 0x6f, 0x70, 0x65,
+	0x73, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x05,
+	0x73, 0x63, 0x6f, 0x70, 0x65, 0x12, 0x3e, 0x0a, 0x0c, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64,
+	0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x28, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f,
+	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69,
+	0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0c, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64,
+	0x5f, 0x74, 0x69, 0x6d, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64,
+	0x18, 0x32, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x12,
+	0x20, 0x0a, 0x0b, 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x3c,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x74, 0x5f, 0x69,
+	0x64, 0x12, 0x18, 0x0a, 0x07, 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x46, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x07, 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x74,
+	0x79, 0x70, 0x65, 0x18, 0x50, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12,
+	0x30, 0x0a, 0x13, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+	0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x5a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x13, 0x61, 0x75,
+	0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x74, 0x6f, 0x6b, 0x65,
+	0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x64, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x42, 0x55, 0x5a,
+	0x53, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68,
+	0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x61, 0x72, 0x79, 0x2f, 0x69,
+	0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x63, 0x6f, 0x6e, 0x74,
+	0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75,
+	0x72, 0x63, 0x65, 0x73, 0x2f, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x73, 0x3b, 0x74, 0x61, 0x72,
+	0x67, 0x65, 0x74, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
--- a/internal/proto/local/controller/api/resources/targets/v1/target.proto
+++ b/internal/proto/local/controller/api/resources/targets/v1/target.proto
@ -105,6 +105,9 @@ message SessionAuthorizationData {
 	// Output only. The host ID...not used for security purposes, but for some special command handling (e.g. ssh host key aliasing).
 	string host_id = 140;

+	// Output only. The endpoint, for some special command handling.
+	string endpoint = 141;
+
 	// Output only. Worker information. The first worker in the array should be prioritized.
 	repeated WorkerInfo worker_info = 150 [json_name="worker_info"];
 }
@ -137,4 +140,7 @@ message SessionAuthorization {

 	// Output only. The marshaled SessionAuthorizationData message containing all information that the proxy needs.
 	string authorization_token = 90 [json_name="authorization_token"];
+
+	// Output only. The endpoint address that the worker will connect to, useful for setting TLS parameters.
+	string endpoint = 100;
 }
--- a/internal/servers/controller/handlers/targets/target_service.go
+++ b/internal/servers/controller/handlers/targets/target_service.go
@ -416,6 +416,7 @@ HostSetIterationLoop:
 		Certificate:     sess.Certificate,
 		PrivateKey:      privKey,
 		HostId:          chosenId.hostId,
+		Endpoint:        endpointUrl.String(),
 		WorkerInfo:      workers,
 		ConnectionLimit: t.GetSessionConnectionLimit(),
 	}
@ -435,6 +436,7 @@ HostSetIterationLoop:
 		UserId:             authResults.UserId,
 		HostId:             chosenId.hostId,
 		HostSetId:          chosenId.hostSetId,
+		Endpoint:           endpointUrl.String(),
 	}
 	return &pbs.AuthorizeSessionResponse{Item: ret}, nil
 }