Multi-certificate, SNI matching with exact map and suffix tree
Add support for multiple TLS certificates with SNI-based selection. The
root provider maintains a single centralized SNI matcher that uses an
exact match map for O(1) lookups, falling back to a suffix tree for
wildcard matching.
Key features:
- Add `Extra []Config` field to autocert.Config for additional certificates
- Each extra entry must specify unique `cert_path` and `key_path`
- Extra certs inherit main config (except `email` and `extra` fields)
- Extra certs participate in ACME obtain/renew cycles independently
- SNI selection precedence: exact match > wildcard match, main > extra
- Single centralized SNI matcher on root provider rebuilt after cert changes
The SNI matcher structure:
- Exact match map: O(1) lookup for exact domain matches
- Suffix tree: Efficient wildcard matching (e.g., *.example.com)
Implementation details:
- Provider.GetCert() now uses SNI from ClientHelloInfo for selection
- Main cert is returned as fallback when no SNI match is found
- Extra providers are created as child providers with merged configs
- SNI matcher is rebuilt after Setup() and after ObtainCert() completes
* refactor: simplify io code and make utils module independent
* fix(docker): agent and socket-proxy docker event flushing with modified reverse proxy handler
* refactor: remove unused code
* refactor: remove the use of logging module in most code
* refactor: streamline domain mismatch check in certState function
* tweak: use ecdsa p-256 for autocert
* fix(tests): update health check tests for invalid host and add case for port in host
* feat(acme): custom acme directory
* refactor: code refactor and improved context and error handling
* tweak: optimize memory usage under load
* fix(oidc): restore old user matching behavior
* docs: add ChatGPT assistant to README
---------
Co-authored-by: yusing <yusing@6uo.me>
