Restructure TLS options

- Moved certification related functions into tlscert module
- Added specific host TLS behavior logic
- Added support for disabling SNI and manually overwrite preferred certificate to serve
- Fixed SSO requestHeaders null bug

src/mod/dynamicproxy/Server.go

@@ -61,7 +61,7 @@ func (h *ProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		hostPath := strings.Split(r.Host, ":")
 		domainOnly = hostPath[0]
 	}
-	sep := h.Parent.getProxyEndpointFromHostname(domainOnly)
+	sep := h.Parent.GetProxyEndpointFromHostname(domainOnly)
 	if sep != nil && !sep.Disabled {
 		//Matching proxy rule found
 		//Access Check (blacklist / whitelist)

src/mod/dynamicproxy/certificate.go

@@ -0,0 +1,59 @@
+package dynamicproxy
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+
+	"imuslab.com/zoraxy/mod/tlscert"
+)
+
+func (router *Router) ResolveHostSpecificTlsBehaviorForHostname(hostname string) (*tlscert.HostSpecificTlsBehavior, error) {
+	if hostname == "" {
+		return nil, errors.New("hostname cannot be empty")
+	}
+
+	ept := router.GetProxyEndpointFromHostname(hostname)
+	if ept == nil {
+		return tlscert.GetDefaultHostSpecificTlsBehavior(), nil
+	}
+
+	// Check if the endpoint has a specific TLS behavior
+	if ept.TlsOptions != nil {
+		imported := &tlscert.HostSpecificTlsBehavior{}
+		router.tlsBehaviorMutex.RLock()
+		// Deep copy the TlsOptions using JSON marshal/unmarshal
+		data, err := json.Marshal(ept.TlsOptions)
+		if err != nil {
+			router.tlsBehaviorMutex.RUnlock()
+			return nil, fmt.Errorf("failed to deepcopy TlsOptions: %w", err)
+		}
+		router.tlsBehaviorMutex.RUnlock()
+		if err := json.Unmarshal(data, imported); err != nil {
+			return nil, fmt.Errorf("failed to deepcopy TlsOptions: %w", err)
+		}
+		return imported, nil
+	}
+
+	return tlscert.GetDefaultHostSpecificTlsBehavior(), nil
+}
+
+func (router *Router) SetPreferredCertificateForDomain(ept *ProxyEndpoint, domain string, certName string) error {
+	if ept == nil || certName == "" {
+		return errors.New("endpoint and certificate name cannot be empty")
+	}
+
+	// Set the preferred certificate for the endpoint
+	if ept.TlsOptions == nil {
+		ept.TlsOptions = tlscert.GetDefaultHostSpecificTlsBehavior()
+	}
+
+	router.tlsBehaviorMutex.Lock()
+	if ept.TlsOptions.PreferredCertificate == nil {
+		ept.TlsOptions.PreferredCertificate = make(map[string]string)
+	}
+	ept.TlsOptions.PreferredCertificate[domain] = certName
+	router.tlsBehaviorMutex.Unlock()
+
+	return nil
+}

src/mod/dynamicproxy/dynamicproxy.go

@@ -111,7 +111,7 @@ func (router *Router) StartProxyService() error {
 						hostPath := strings.Split(r.Host, ":")
 						domainOnly = hostPath[0]
 					}
-					sep := router.getProxyEndpointFromHostname(domainOnly)
+					sep := router.GetProxyEndpointFromHostname(domainOnly)
 					if sep != nil && sep.BypassGlobalTLS {
 						//Allow routing via non-TLS handler
 						originalHostHeader := r.Host
@@ -335,7 +335,7 @@ func (router *Router) IsProxiedSubdomain(r *http.Request) bool {
 		hostname = r.Host
 	}
 	hostname = strings.Split(hostname, ":")[0]
-	subdEndpoint := router.getProxyEndpointFromHostname(hostname)
+	subdEndpoint := router.GetProxyEndpointFromHostname(hostname)
 	return subdEndpoint != nil
 }
 

src/mod/dynamicproxy/proxyRequestHandler.go

@@ -34,7 +34,7 @@ func (router *Router) getTargetProxyEndpointFromRequestURI(requestURI string) *P
 }
 
 // Get the proxy endpoint from hostname, which might includes checking of wildcard certificates
-func (router *Router) getProxyEndpointFromHostname(hostname string) *ProxyEndpoint {
+func (router *Router) GetProxyEndpointFromHostname(hostname string) *ProxyEndpoint {
 	var targetSubdomainEndpoint *ProxyEndpoint = nil
 	hostname = strings.ToLower(hostname)
 	ep, ok := router.ProxyEndpoints.Load(hostname)
@@ -63,7 +63,7 @@ func (router *Router) getProxyEndpointFromHostname(hostname string) *ProxyEndpoi
 		}
 
 		//Wildcard not match. Check for alias
-		if ep.MatchingDomainAlias != nil && len(ep.MatchingDomainAlias) > 0 {
+		if len(ep.MatchingDomainAlias) > 0 {
 			for _, aliasDomain := range ep.MatchingDomainAlias {
 				match, err := filepath.Match(aliasDomain, hostname)
 				if err != nil {

src/mod/dynamicproxy/typedef.go

@@ -75,16 +75,20 @@ type RouterOption struct {
 /* Router Object */
 type Router struct {
 	Option         *RouterOption
-	ProxyEndpoints *sync.Map                 //Map of ProxyEndpoint objects, each ProxyEndpoint object is a routing rule that handle incoming requests
-	Running        bool                      //If the router is running
-	Root           *ProxyEndpoint            //Root proxy endpoint, default site
-	mux            http.Handler              //HTTP handler
-	server         *http.Server              //HTTP server
-	tlsListener    net.Listener              //TLS listener, handle SNI routing
-	loadBalancer   *loadbalance.RouteManager //Load balancer routing manager
-	routingRules   []*RoutingRule            //Special routing rules, handle high priority routing like ACME request handling
+	ProxyEndpoints *sync.Map      //Map of ProxyEndpoint objects, each ProxyEndpoint object is a routing rule that handle incoming requests
+	Running        bool           //If the router is running
+	Root           *ProxyEndpoint //Root proxy endpoint, default site
+
+	/* Internals */
+	mux          http.Handler              //HTTP handler
+	server       *http.Server              //HTTP server
+	loadBalancer *loadbalance.RouteManager //Load balancer routing manager
+	routingRules []*RoutingRule            //Special routing rules, handle high priority routing like ACME request handling
+
+	tlsListener      net.Listener //TLS listener, handle SNI routing
+	tlsBehaviorMutex sync.RWMutex //Mutex for tlsBehavior map
+	tlsRedirectStop  chan bool    //Stop channel for tls redirection server
 
-	tlsRedirectStop  chan bool              //Stop channel for tls redirection server
 	rateLimterStop   chan bool              //Stop channel for rate limiter
 	rateLimitCounter RequestCountPerIpTable //Request counter for rate limter
 }

src/mod/tlscert/certgen.go

@@ -0,0 +1,93 @@
+package tlscert
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"os"
+	"path/filepath"
+	"time"
+)
+
+// GenerateSelfSignedCertificate generates a self-signed ECDSA certificate and saves it to the specified files.
+func (m *Manager) GenerateSelfSignedCertificate(cn string, sans []string, certFile string, keyFile string) error {
+	// Generate private key (ECDSA P-256)
+	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		m.Logger.PrintAndLog("tls-router", "Failed to generate private key", err)
+		return err
+	}
+
+	// Create certificate template
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(time.Now().UnixNano()),
+		Subject: pkix.Name{
+			CommonName:         cn,                   // Common Name for the certificate
+			Organization:       []string{"aroz.org"}, // Organization name
+			OrganizationalUnit: []string{"Zoraxy"},   // Organizational Unit
+			Country:            []string{"US"},       // Country code
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(365 * 24 * time.Hour), // valid for 1 year
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		DNSNames:              sans, // Subject Alternative Names
+	}
+
+	// Create self-signed certificate
+	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &privKey.PublicKey, privKey)
+	if err != nil {
+		m.Logger.PrintAndLog("tls-router", "Failed to create certificate", err)
+		return err
+	}
+
+	// Remove old certificate file if it exists
+	certPath := filepath.Join(m.CertStore, certFile)
+	if _, err := os.Stat(certPath); err == nil {
+		os.Remove(certPath)
+	}
+
+	// Remove old key file if it exists
+	keyPath := filepath.Join(m.CertStore, keyFile)
+	if _, err := os.Stat(keyPath); err == nil {
+		os.Remove(keyPath)
+	}
+
+	// Write certificate to file
+	certOut, err := os.Create(filepath.Join(m.CertStore, certFile))
+	if err != nil {
+		m.Logger.PrintAndLog("tls-router", "Failed to open cert file for writing: "+certFile, err)
+		return err
+	}
+	defer certOut.Close()
+	err = pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: certDER})
+	if err != nil {
+		m.Logger.PrintAndLog("tls-router", "Failed to write certificate to file: "+certFile, err)
+		return err
+	}
+
+	// Encode private key to PEM
+	privBytes, err := x509.MarshalECPrivateKey(privKey)
+	if err != nil {
+		m.Logger.PrintAndLog("tls-router", "Unable to marshal ECDSA private key", err)
+		return err
+	}
+	keyOut, err := os.Create(filepath.Join(m.CertStore, keyFile))
+	if err != nil {
+		m.Logger.PrintAndLog("tls-router", "Failed to open key file for writing: "+keyFile, err)
+		return err
+	}
+	defer keyOut.Close()
+	err = pem.Encode(keyOut, &pem.Block{Type: "EC PRIVATE KEY", Bytes: privBytes})
+	if err != nil {
+		m.Logger.PrintAndLog("tls-router", "Failed to write private key to file: "+keyFile, err)
+		return err
+	}
+	m.Logger.PrintAndLog("tls-router", "Certificate and key generated: "+certFile+", "+keyFile, nil)
+	return nil
+}

src/mod/tlscert/handler.go

@@ -0,0 +1,352 @@
+package tlscert
+
+import (
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+	"time"
+
+	"imuslab.com/zoraxy/mod/acme"
+	"imuslab.com/zoraxy/mod/utils"
+)
+
+// Handle cert remove
+func (m *Manager) HandleCertRemove(w http.ResponseWriter, r *http.Request) {
+	domain, err := utils.PostPara(r, "domain")
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid domain given")
+		return
+	}
+	err = m.RemoveCert(domain)
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+	}
+}
+
+// Handle download of the selected certificate
+func (m *Manager) HandleCertDownload(w http.ResponseWriter, r *http.Request) {
+	// get the certificate name
+	certname, err := utils.GetPara(r, "certname")
+	if err != nil {
+		utils.SendErrorResponse(w, "invalid certname given")
+		return
+	}
+	certname = filepath.Base(certname) //prevent path escape
+
+	// check if the cert exists
+	pubKey := filepath.Join(filepath.Join(m.CertStore), certname+".key")
+	priKey := filepath.Join(filepath.Join(m.CertStore), certname+".pem")
+
+	if utils.FileExists(pubKey) && utils.FileExists(priKey) {
+		//Zip them and serve them via http download
+		seeking, _ := utils.GetBool(r, "seek")
+		if seeking {
+			//This request only check if the key exists. Do not provide download
+			utils.SendOK(w)
+			return
+		}
+
+		//Serve both file in zip
+		zipTmpFolder := "./tmp/download"
+		os.MkdirAll(zipTmpFolder, 0775)
+		zipFileName := filepath.Join(zipTmpFolder, certname+".zip")
+		err := utils.ZipFiles(zipFileName, pubKey, priKey)
+		if err != nil {
+			http.Error(w, "Failed to create zip file", http.StatusInternalServerError)
+			return
+		}
+		defer os.Remove(zipFileName) // Clean up the zip file after serving
+
+		// Serve the zip file
+		w.Header().Set("Content-Disposition", "attachment; filename=\""+certname+"_export.zip\"")
+		w.Header().Set("Content-Type", "application/zip")
+		http.ServeFile(w, r, zipFileName)
+	} else {
+		//Not both key exists
+		utils.SendErrorResponse(w, "invalid key-pairs: private key or public key not found in key store")
+		return
+	}
+}
+
+// Handle upload of the certificate
+func (m *Manager) HandleCertUpload(w http.ResponseWriter, r *http.Request) {
+	// check if request method is POST
+	if r.Method != "POST" {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	// get the key type
+	keytype, err := utils.GetPara(r, "ktype")
+	overWriteFilename := ""
+	if err != nil {
+		http.Error(w, "Not defined key type (pub / pri)", http.StatusBadRequest)
+		return
+	}
+
+	// get the domain
+	domain, err := utils.GetPara(r, "domain")
+	if err != nil {
+		//Assume localhost
+		domain = "default"
+	}
+
+	switch keytype {
+	case "pub":
+		overWriteFilename = domain + ".pem"
+	case "pri":
+		overWriteFilename = domain + ".key"
+	default:
+		http.Error(w, "Not supported keytype: "+keytype, http.StatusBadRequest)
+		return
+	}
+
+	// parse multipart form data
+	err = r.ParseMultipartForm(10 << 20) // 10 MB
+	if err != nil {
+		http.Error(w, "Failed to parse form data", http.StatusBadRequest)
+		return
+	}
+
+	// get file from form data
+	file, _, err := r.FormFile("file")
+	if err != nil {
+		http.Error(w, "Failed to get file", http.StatusBadRequest)
+		return
+	}
+	defer file.Close()
+
+	// create file in upload directory
+	os.MkdirAll(m.CertStore, 0775)
+	f, err := os.Create(filepath.Join(m.CertStore, overWriteFilename))
+	if err != nil {
+		http.Error(w, "Failed to create file", http.StatusInternalServerError)
+		return
+	}
+	defer f.Close()
+
+	// copy file contents to destination file
+	_, err = io.Copy(f, file)
+	if err != nil {
+		http.Error(w, "Failed to save file", http.StatusInternalServerError)
+		return
+	}
+
+	//Update cert list
+	m.UpdateLoadedCertList()
+
+	// send response
+	fmt.Fprintln(w, "File upload successful!")
+}
+
+// List all certificates and map all their domains to the cert filename
+func (m *Manager) HandleListDomains(w http.ResponseWriter, r *http.Request) {
+	filenames, err := os.ReadDir(m.CertStore)
+
+	if err != nil {
+		utils.SendErrorResponse(w, err.Error())
+		return
+	}
+
+	certnameToDomainMap := map[string]string{}
+	for _, filename := range filenames {
+		if filename.IsDir() {
+			continue
+		}
+		certFilepath := filepath.Join(m.CertStore, filename.Name())
+
+		certBtyes, err := os.ReadFile(certFilepath)
+		if err != nil {
+			// Unable to load this file
+			m.Logger.PrintAndLog("TLS", "Unable to load certificate: "+certFilepath, err)
+			continue
+		} else {
+			// Cert loaded. Check its expiry time
+			block, _ := pem.Decode(certBtyes)
+			if block != nil {
+				cert, err := x509.ParseCertificate(block.Bytes)
+				if err == nil {
+					certname := strings.TrimSuffix(filepath.Base(certFilepath), filepath.Ext(certFilepath))
+					for _, dnsName := range cert.DNSNames {
+						certnameToDomainMap[dnsName] = certname
+					}
+					certnameToDomainMap[cert.Subject.CommonName] = certname
+				}
+			}
+		}
+	}
+
+	requireCompact, _ := utils.GetPara(r, "compact")
+	if requireCompact == "true" {
+		result := make(map[string][]string)
+
+		for key, value := range certnameToDomainMap {
+			if _, ok := result[value]; !ok {
+				result[value] = make([]string, 0)
+			}
+
+			result[value] = append(result[value], key)
+		}
+
+		js, _ := json.Marshal(result)
+		utils.SendJSONResponse(w, string(js))
+		return
+	}
+
+	js, _ := json.Marshal(certnameToDomainMap)
+	utils.SendJSONResponse(w, string(js))
+}
+
+// Return a list of domains where the certificates covers
+func (m *Manager) HandleListCertificate(w http.ResponseWriter, r *http.Request) {
+	filenames, err := m.ListCertDomains()
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	showDate, _ := utils.GetBool(r, "date")
+	if showDate {
+		type CertInfo struct {
+			Domain           string
+			LastModifiedDate string
+			ExpireDate       string
+			RemainingDays    int
+			UseDNS           bool
+		}
+
+		results := []*CertInfo{}
+
+		for _, filename := range filenames {
+			certFilepath := filepath.Join(m.CertStore, filename+".pem")
+			//keyFilepath := filepath.Join(tlsCertManager.CertStore, filename+".key")
+			fileInfo, err := os.Stat(certFilepath)
+			if err != nil {
+				utils.SendErrorResponse(w, "invalid domain certificate discovered: "+filename)
+				return
+			}
+			modifiedTime := fileInfo.ModTime().Format("2006-01-02 15:04:05")
+
+			certExpireTime := "Unknown"
+			certBtyes, err := os.ReadFile(certFilepath)
+			expiredIn := 0
+			if err != nil {
+				//Unable to load this file
+				continue
+			} else {
+				//Cert loaded. Check its expire time
+				block, _ := pem.Decode(certBtyes)
+				if block != nil {
+					cert, err := x509.ParseCertificate(block.Bytes)
+					if err == nil {
+						certExpireTime = cert.NotAfter.Format("2006-01-02 15:04:05")
+
+						duration := cert.NotAfter.Sub(time.Now())
+
+						// Convert the duration to days
+						expiredIn = int(duration.Hours() / 24)
+					}
+				}
+			}
+			certInfoFilename := filepath.Join(m.CertStore, filename+".json")
+			useDNSValidation := false                                //Default to false for HTTP TLS certificates
+			certInfo, err := acme.LoadCertInfoJSON(certInfoFilename) //Note: Not all certs have info json
+			if err == nil {
+				useDNSValidation = certInfo.UseDNS
+			}
+
+			thisCertInfo := CertInfo{
+				Domain:           filename,
+				LastModifiedDate: modifiedTime,
+				ExpireDate:       certExpireTime,
+				RemainingDays:    expiredIn,
+				UseDNS:           useDNSValidation,
+			}
+
+			results = append(results, &thisCertInfo)
+		}
+
+		// convert ExpireDate to date object and sort asc
+		sort.Slice(results, func(i, j int) bool {
+			date1, _ := time.Parse("2006-01-02 15:04:05", results[i].ExpireDate)
+			date2, _ := time.Parse("2006-01-02 15:04:05", results[j].ExpireDate)
+			return date1.Before(date2)
+		})
+
+		js, _ := json.Marshal(results)
+		w.Header().Set("Content-Type", "application/json")
+		w.Write(js)
+		return
+	}
+
+	response, err := json.Marshal(filenames)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.Write(response)
+}
+
+// Check if the default certificates is correctly setup
+func (m *Manager) HandleDefaultCertCheck(w http.ResponseWriter, r *http.Request) {
+	type CheckResult struct {
+		DefaultPubExists bool
+		DefaultPriExists bool
+	}
+
+	pub, pri := m.DefaultCertExistsSep()
+	js, _ := json.Marshal(CheckResult{
+		pub,
+		pri,
+	})
+
+	utils.SendJSONResponse(w, string(js))
+}
+
+func (m *Manager) HandleSelfSignCertGenerate(w http.ResponseWriter, r *http.Request) {
+	// Get the common name from the request
+	cn, err := utils.GetPara(r, "cn")
+	if err != nil {
+		utils.SendErrorResponse(w, "Common name not provided")
+		return
+	}
+
+	domains, err := utils.PostPara(r, "domains")
+	if err != nil {
+		//No alias domains provided, use the common name as the only domain
+		domains = "[]"
+	}
+
+	SANs := []string{}
+	if err := json.Unmarshal([]byte(domains), &SANs); err != nil {
+		utils.SendErrorResponse(w, "Invalid domains format: "+err.Error())
+		return
+	}
+	//SANs = append([]string{cn}, SANs...)
+	priKeyFilename := domainToFilename(cn, ".key")
+	pubKeyFilename := domainToFilename(cn, ".pem")
+
+	// Generate self-signed certificate
+	err = m.GenerateSelfSignedCertificate(cn, SANs, pubKeyFilename, priKeyFilename)
+	if err != nil {
+		utils.SendErrorResponse(w, "Failed to generate self-signed certificate: "+err.Error())
+		return
+	}
+
+	//Update the certificate store
+	err = m.UpdateLoadedCertList()
+	if err != nil {
+		utils.SendErrorResponse(w, "Failed to update certificate store: "+err.Error())
+		return
+	}
+	utils.SendOK(w)
+}

src/mod/tlscert/helper.go

@@ -43,3 +43,30 @@ func matchClosestDomainCertificate(subdomain string, domains []string) string {
 
 	return matchingDomain
 }
+
+// Convert a domain name to a filename format
+func domainToFilename(domain string, ext string) string {
+	// Replace wildcard '*' with '_'
+	domain = strings.TrimSpace(domain)
+	if strings.HasPrefix(domain, "*") {
+		domain = "_" + strings.TrimPrefix(domain, "*")
+	}
+
+	// Add .pem extension
+	ext = strings.TrimPrefix(ext, ".") // Ensure ext does not start with a dot
+	return domain + "." + ext
+}
+
+func filenameToDomain(filename string) string {
+	// Remove the extension
+	ext := filepath.Ext(filename)
+	if ext != "" {
+		filename = strings.TrimSuffix(filename, ext)
+	}
+
+	if strings.HasPrefix(filename, "_") {
+		filename = "*" + filename[1:]
+	}
+
+	return filename
+}

src/mod/tlscert/tlscert.go

@@ -21,10 +21,10 @@ type CertCache struct {
 }
 
 type HostSpecificTlsBehavior struct {
-	DisableSNI                       bool   //If SNI is enabled for this server name
-	DisableLegacyCertificateMatching bool   //If legacy certificate matching is disabled for this server name
-	EnableAutoHTTPS                  bool   //If auto HTTPS is enabled for this server name
-	PreferredCertificate             string //Preferred certificate for this server name, if empty, use the first matching certificate
+	DisableSNI                       bool              //If SNI is enabled for this server name
+	DisableLegacyCertificateMatching bool              //If legacy certificate matching is disabled for this server name
+	EnableAutoHTTPS                  bool              //If auto HTTPS is enabled for this server name
+	PreferredCertificate             map[string]string //Preferred certificate for this server name, if empty, use the first matching certificate
 }
 
 type Manager struct {
@@ -34,13 +34,12 @@ type Manager struct {
 
 	/* External handlers */
 	hostSpecificTlsBehavior func(serverName string) (*HostSpecificTlsBehavior, error) // Function to get host specific TLS behavior, if nil, use global TLS options
-	verbal                  bool
 }
 
 //go:embed localhost.pem localhost.key
 var buildinCertStore embed.FS
 
-func NewManager(certStore string, verbal bool, logger *logger.Logger) (*Manager, error) {
+func NewManager(certStore string, logger *logger.Logger) (*Manager, error) {
 	if !utils.FileExists(certStore) {
 		os.MkdirAll(certStore, 0775)
 	}
@@ -63,7 +62,6 @@ func NewManager(certStore string, verbal bool, logger *logger.Logger) (*Manager,
 		CertStore:               certStore,
 		LoadedCerts:             []*CertCache{},
 		hostSpecificTlsBehavior: defaultHostSpecificTlsBehavior, //Default to no SNI and no auto HTTPS
-		verbal:                  verbal,
 		Logger:                  logger,
 	}
 
@@ -82,7 +80,7 @@ func GetDefaultHostSpecificTlsBehavior() *HostSpecificTlsBehavior {
 		DisableSNI:                       false,
 		DisableLegacyCertificateMatching: false,
 		EnableAutoHTTPS:                  false,
-		PreferredCertificate:             "",
+		PreferredCertificate:             map[string]string{}, // No preferred certificate, use the first matching certificate
 	}
 }
 
@@ -90,6 +88,10 @@ func defaultHostSpecificTlsBehavior(serverName string) (*HostSpecificTlsBehavior
 	return GetDefaultHostSpecificTlsBehavior(), nil
 }
 
+func (m *Manager) SetHostSpecificTlsBehavior(fn func(serverName string) (*HostSpecificTlsBehavior, error)) {
+	m.hostSpecificTlsBehavior = fn
+}
+
 // Update domain mapping from file
 func (m *Manager) UpdateLoadedCertList() error {
 	//Get a list of certificates from file
@@ -213,13 +215,17 @@ func (m *Manager) GetCertificateByHostname(hostname string) (string, string, err
 	if err != nil {
 		tlsBehavior, _ = defaultHostSpecificTlsBehavior(hostname)
 	}
+	preferredCertificate, ok := tlsBehavior.PreferredCertificate[hostname]
+	if !ok {
+		preferredCertificate = ""
+	}
 
-	if tlsBehavior.DisableSNI && tlsBehavior.PreferredCertificate != "" &&
-		utils.FileExists(filepath.Join(m.CertStore, tlsBehavior.PreferredCertificate+".pem")) &&
-		utils.FileExists(filepath.Join(m.CertStore, tlsBehavior.PreferredCertificate+".key")) {
+	if tlsBehavior.DisableSNI && preferredCertificate != "" &&
+		utils.FileExists(filepath.Join(m.CertStore, preferredCertificate+".pem")) &&
+		utils.FileExists(filepath.Join(m.CertStore, preferredCertificate+".key")) {
 		//User setup a Preferred certificate, use the preferred certificate directly
-		pubKey = filepath.Join(m.CertStore, tlsBehavior.PreferredCertificate+".pem")
-		priKey = filepath.Join(m.CertStore, tlsBehavior.PreferredCertificate+".key")
+		pubKey = filepath.Join(m.CertStore, preferredCertificate+".pem")
+		priKey = filepath.Join(m.CertStore, preferredCertificate+".key")
 	} else {
 		if !tlsBehavior.DisableLegacyCertificateMatching &&
 			utils.FileExists(filepath.Join(m.CertStore, hostname+".pem")) &&