Add wildcard SNI matching

README.md

@@ -31,6 +31,13 @@ $ cargo install l4p
 
 Or you can download binary file form the Release page.
 
+## Features
+
+- Listen on specific port and proxy to local or remote port
+- SNI-based rule without terminating TLS connection
+- Wildcard SNI matching with DNS-style longest-suffix-match
+- DNS-based backend with periodic resolution
+
 ## Configuration
 
 `l4p` will read yaml format configuration file from `/etc/l4p/l4p.yaml`, and you can set custom path to environment variable `L4P_CONFIG`, here is an minimal viable example:
@@ -55,6 +62,14 @@ There are two upstreams built in:
 
 For detailed configuration, check [this example](./config.yaml.example).
 
+### SNI Matching
+
+The proxy supports both exact and wildcard SNI patterns in the `sni` config. Wildcards use DNS-style longest-suffix-match: more specific patterns take precedence. For example, with `*.example.com` and `*.api.example.com`, request `api.example.com` matches the first, while `v2.api.example.com` matches the second.
+
+Wildcards are validated against the Public Suffix List (PSL). Known suffixes (`.com`, `.org`) require at least one label below the suffix (`*.example.com` OK, `*.com` rejected). Unknown suffixes (`.local`, `.lan`) are allowed without restriction.
+
+Invalid wildcard patterns are rejected at config load time with clear error messages.
+
 ## Thanks
 
 - [`fourth`](https://crates.io/crates/fourth), of which this is a heavily modified fork.