4 changes: 2 additions & 2 deletions content/includes/ngf/gateway-api-compat-table.md
Expand Up @@ -16,8 +16,8 @@ You can view the [Milestone Roadmap](https://github.com/orgs/nginx/projects/10/v
| [Gateway]({{< ref "/ngf/overview/gateway-api-compatibility.md#gateway" >}}) | Supported | Partially supported | Not supported | v1 | Standard |
| [HTTPRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#httproute" >}}) | Supported | Partially supported | Not supported | v1 | Standard |
| [GRPCRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#grpcroute" >}}) | Supported | Partially supported | Not supported | v1 | Standard |
| [ReferenceGrant]({{< ref "/ngf/overview/gateway-api-compatibility.md#referencegrant" >}}) | Supported | N/A | Not supported | v1beta1 | Standard |
| [TLSRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#tlsroute" >}}) | Supported | Not supported | Not supported | v1alpha2 | Experimental |
| [ReferenceGrant]({{< ref "/ngf/overview/gateway-api-compatibility.md#referencegrant" >}}) | Supported | N/A | Not supported | v1 | Standard |
| [TLSRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#tlsroute" >}}) | Supported | Not supported | Not supported | v1 | Standard |
| [TCPRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#tcproute" >}}) | Supported | Supported | Not supported | v1alpha2 | Experimental |
| [UDPRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#udproute" >}}) | Supported | Supported | Not supported | v1alpha2 | Experimental |
| [BackendTLSPolicy]({{< ref "/ngf/overview/gateway-api-compatibility.md#backendtlspolicy" >}}) | Partially supported | Supported | Partially supported | v1 | Standard |
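Review bot: The TLSRoute row now reads `v1` / `Standard` and the ReferenceGrant row `v1`, but the table gives no minimum Gateway API release for which that holds; a reader whose CRDs came from the previous experimental-channel install still has `v1alpha2` TLSRoute and will get a no-matches error on `v1`. Add the required Gateway API version near the table, or link to the install page that states it, and confirm that "Not supported" for TLSRoute's Extended and Implementation-Specific columns is still accurate after the promotion.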
14 changes: 14 additions & 0 deletions content/includes/ngf/sni-https.md
@@ -0,0 +1,14 @@
---
nd-product: FABRIC
---

## HTTPS Traffic without SNI (Server Name Indication)

Some frontend load balancers strip out SNI information before the traffic reaches the NGINX gateway. In order for NGINX to still process and forward this traffic properly, you must define your HTTPS Listener without a hostname. This instructs NGINX Gateway Fabric to configure a default HTTPS virtual server to handle non-SNI traffic. The TLS configuration on this Listener will be used to verify and terminate TLS for this traffic, before the Host header is then used to forward to the proper virtual server to handle the request. You can attach your HTTPRoutes to this empty Listener.

By default, NGINX Gateway Fabric verifies that the Listener hostname matches both the SNI and Host header on an incoming client request. This does not require the SNI and Host header to be the same. This is to avoid misdirected requests, and returns a 421 response code. If you run into issues and want to disable this SNI/Host verification, you can update the [NginxProxy CRD]({{< ref "/ngf/how-to/data-plane-configuration.md" >}}) with the following field in the spec:

```yaml
spec:
disableSNIHostValidation: true
```
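Review bot: The YAML at the end of the new include has `disableSNIHostValidation: true` at the same indentation as `spec:`, so it is not a field of `spec`; indent it one level under `spec`. In the second paragraph, "This does not require the SNI and Host header to be the same. This is to avoid misdirected requests, and returns a 421 response code." is hard to follow: state explicitly that the 421 is returned when a request fails the Listener-hostname match, and what it means for SNI and Host to be allowed to differ. Because this page tells readers how to switch the check off, it should also say in one sentence what the check protects against (a TLS connection established for one hostname being reused for requests to another, which the page already calls a misdirected request), so the trade-off of setting `disableSNIHostValidation` is clear before they set it.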
4 changes: 1 addition & 3 deletions content/ngf/how-to/gateway-api-inference-extension.md
Expand Up @@ -16,8 +16,6 @@ The project's goal is to improve and standardize routing to inference workloads

Coupled with the provided Endpoint Picker Service, NGINX Gateway Fabric becomes an [Inference Gateway](https://gateway-api-inference-extension.sigs.k8s.io/#concepts-and-definitions), with additional AI specific traffic management features such as model-aware routing, serving priority for models, model rollouts, and more.

{{< call-out "warning" >}} The Gateway API Inference Extension is still in alpha status and should not be used in production yet.{{< /call-out >}}

## Set up

Install the Gateway API Inference Extension CRDs:
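Review bot: Removing the alpha/not-for-production call-out deletes the only statement of the extension's maturity on this page. If the removal is because a stable release now exists, say so in the intro and name the release (the Set up section pins `IGW_CHART_VERSION`, so the supported version is known); if not, keep the call-out.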
Expand Down Expand Up @@ -67,7 +65,7 @@ Install an InferencePool named `vllm-llama3-8b-instruct` that selects from endpo

NGINX will query the Endpoint Picker Extension to determine the appropriate pod endpoint to route traffic to. These pods are selected from a pool of ready pods designated by the assigned InferencePool's Selector field. For more information on the [Endpoint Picker](https://github.com/kubernetes-sigs/gateway-api-inference-extension/blob/main/pkg/epp/README.md).

{{< call-out "warning" >}} The Endpoint Picker Extension is a third-party application written and provided by the Gateway API Inference Extension project. Communication between NGINX and the Endpoint Picker uses TLS with certificate verification disabled by default, as the Endpoint Picker does not currently support mounting CA certificates. The Gateway API Inference Extension is in alpha status and should not be used in production. NGINX Gateway Fabric is not responsible for any threats or risks associated with using this third-party Endpoint Picker Extension application. {{< /call-out >}}
{{< call-out "warning" >}} The Endpoint Picker Extension is a third-party application written and provided by the Gateway API Inference Extension project. Communication between NGINX and the Endpoint Picker uses TLS with certificate verification disabled by default, as the Endpoint Picker does not currently support mounting CA certificates. NGINX Gateway Fabric is not responsible for any threats or risks associated with using this third-party Endpoint Picker Extension application. {{< /call-out >}}

```shell
export IGW_CHART_VERSION=v1.1.0
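Review bot: With the alpha sentence removed, the call-out still states that NGINX talks to the Endpoint Picker over TLS with certificate verification disabled by default, and nothing now tells the reader this is a known gap rather than the intended design; keep a sentence that it is a temporary limitation and where support for mounting CA certificates is tracked. The unchanged context line "For more information on the [Endpoint Picker](...)." is an incomplete sentence and could be finished in this PR since the paragraph is being touched.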
81 changes: 52 additions & 29 deletions content/ngf/overview/gateway-api-compatibility.md
Expand Up @@ -57,12 +57,14 @@ NGINX Gateway Fabric supports a single GatewayClass resource configured with the
- `status`
- `conditions` - supported (Condition/Status/Reason):
- `Accepted/True/Accepted`
- `Accepted/False/InvalidParameters`
- `Accepted/True/InvalidParameters`
- `Accepted/False/UnsupportedVersion`
- `Accepted/False/GatewayClassConflict`: Custom reason for when the GatewayClass references this controller, but
a different GatewayClass name is provided to the controller via the command-line argument.
- `Accepted/False/GatewayClassConflict`
- `SupportedVersion/True/SupportedVersion`
- `SupportedVersion/False/UnsupportedVersion`
- `ResolvedRefs/True/ResolvedRefs`
- `ResolvedRefs/False/ParametersRefNotFound`
- `ResolvedRefs/False/ParametersRefInvalid`
- `supportedFeatures` - supported.

### Gateway
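Review bot: The edit drops the "Custom reason for when ..." annotation that marked `GatewayClassConflict` as an implementation-specific reason, and the new entries (`Accepted/True/InvalidParameters`, `ResolvedRefs/False/ParametersRefNotFound`, `ResolvedRefs/False/ParametersRefInvalid`) carry no such marker either. Readers use this list to map a status reason to the upstream Gateway API reference, so keep a short marker on reasons that are not defined upstream, or add one sentence above the list naming which reasons are NGINX Gateway Fabric specific; the same applies to the identical removals later in this file (Gateway, Listener, HTTPRoute, GRPCRoute, TLSRoute). Also, `Accepted/True/InvalidParameters` replaces `Accepted/False/InvalidParameters`: say what the controller does with the `parametersRef` in that case, because "accepted" together with an invalid-parameters reason is not self-explanatory.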
Expand Down Expand Up @@ -110,12 +112,22 @@ See the [controller]({{< ref "/ngf/reference/cli-help.md#controller">}}) command
- `conditions`: Supported (Condition/Status/Reason):
- `Accepted/True/Accepted`
- `Accepted/True/ListenersNotValid`
- `Accepted/True/InvalidParameters`
- `Accepted/True/UnsupportedField`
- `Accepted/False/ListenersNotValid`
- `Accepted/False/Invalid`
- `Accepted/False/UnsupportedValue`: Custom reason for when a value of a field in a Gateway is invalid or not supported.
- `Accepted/False/UnsupportedValue`
- `Accepted/False/UnsupportedAddress`
- `Programmed/True/Programmed`
- `Programmed/False/Invalid`
- `Accepted/True/UnsupportedField`: Custom reason for when the Gateway is accepted but contains an unsupported field
- `Programmed/False/UnsupportedValue`
- `Programmed/False/AddressNotUsable`
- `Programmed/False/AddressNotAssigned`
- `ResolvedRefs/True/ResolvedRefs`
- `ResolvedRefs/False/ParametersRefNotFound`
- `ResolvedRefs/False/ParametersRefInvalid`
- `ResolvedRefs/False/InvalidClientCertificateRef`
- `ResolvedRefs/False/RefNotPermitted`
- `listeners`
- `name`: Supported.
- `supportedKinds`: Supported.
Expand All @@ -126,7 +138,8 @@ See the [controller]({{< ref "/ngf/reference/cli-help.md#controller">}}) command
- `Accepted/False/InvalidCertificateRef`
- `Accepted/False/ProtocolConflict`
- `Accpeted/False/HostnameConflict`
- `Accepted/False/UnsupportedValue`: Custom reason for when a value of a field in a Listener is invalid or not supported.
- `Accepted/False/UnsupportedValue`
- `Accepted/False/RefNotPermitted`
- `Programmed/True/Programmed`
- `Programmed/False/Invalid`
- `ResolvedRefs/True/ResolvedRefs`
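Review bot: The unchanged context line `Accpeted/False/HostnameConflict` in the Listener conditions is misspelled; since this list is being edited, fix it to `Accepted/False/HostnameConflict` in the same PR so the reason is searchable.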
Expand Down Expand Up @@ -165,7 +178,8 @@ See the [controller]({{< ref "/ngf/reference/cli-help.md#controller">}}) command
- `urlRewrite`: Supported. If multiple filters are configured, NGINX Gateway Fabric will choose the first and ignore the rest. Incompatible with `requestRedirect`.
- `responseHeaderModifier`: Supported. If multiple filters are configured, NGINX Gateway Fabric will choose the first and ignore the rest.
- `requestMirror`: Supported. Multiple mirrors can be specified. Percent and fraction-based mirroring are supported.
- `extensionRef`: Supported for SnippetsFilters.
- `cors`: Supported. If multiple filters are configured, NGINX Gateway Fabric will choose the first and ignore the rest.
- `extensionRef`: Supported for SnippetsFilters and AuthenticationFilters.
- `backendRefs`: Partially supported. Backend ref `filters` are not supported.
- `name`: Not supported.
- `timeouts`: Not supported.
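Review bot: `extensionRef: Supported for SnippetsFilters and AuthenticationFilters.` should link to the AuthenticationFilter documentation with `{{< ref ... >}}` as the other entries do, and the new `cors` entry should say whether it refers to the Gateway API `CORS` filter. For `cors`, "choose the first and ignore the rest" silently drops a security-relevant policy when a user lists two filters; state whether a status reason such as `Accepted/True/UnsupportedField` or `PartiallyInvalid/True/UnsupportedValue` is set in that case so the user can detect it.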
Expand All @@ -177,23 +191,27 @@ See the [controller]({{< ref "/ngf/reference/cli-help.md#controller">}}) command
- `controllerName`: Supported.
- `conditions`: Partially supported. Supported (Condition/Status/Reason):
- `Accepted/True/Accepted`
- `Accepted/True/UnsupportedField`
- `Accepted/False/NoMatchingListenerHostname`
- `Accepted/False/NoMatchingParent`
- `Accepted/False/NotAllowedByListeners`
- `Accepted/False/UnsupportedValue`: Custom reason for when the HTTPRoute includes an invalid or unsupported value.
- `Accepted/False/InvalidListener`: Custom reason for when the HTTPRoute references an invalid listener.
- `Accepted/False/GatewayIgnored`: Custom reason for when the Gateway is ignored by NGINX Gateway Fabric. NGINX Gateway Fabric only supports one Gateway.
- `Accepted/False/UnsupportedValue`
- `Accepted/False/InvalidListener`
- `Accepted/False/HostnameConflict`
- `Accepted/False/MultipleRoutesOnListener`
- `Accepted/False/InvalidGateway`
- `ResolvedRefs/True/ResolvedRefs`
- `ResolvedRefs/False/InvalidKind`
- `ResolvedRefs/False/RefNotPermitted`
- `ResolvedRefs/False/BackendNotFound`
- `ResolvedRefs/False/UnsupportedValue`: Custom reason for when one of the HTTPRoute rules has a backendRef with an unsupported value.
- `ResolvedRefs/False/InvalidIPFamily`: Custom reason for when one of the HTTPRoute rules has a backendRef that has an invalid IPFamily.
- `ResolvedRefs/False/UnsupportedValue`
- `ResolvedRefs/False/InvalidIPFamily`
- `ResolvedRefs/False/UnsupportedProtocol`
- `ResolvedRefs/False/InvalidFilter`
- `ResolvedRefs/False/InvalidInferencePool`
- `PartiallyInvalid/True/UnsupportedValue`
- `Accepted/True/UnsupportedField`: Custom reason for when the HTTPRouteRule is accepted but contains an unsupported field

{{< call-out "note" >}} If `name`, `timeouts`, `retry` or `sessionPersistence` are defined for a HTTPRoute rule, they will be ignored and rule still will be created. {{< /call-out >}}
{{< call-out "note" >}} If `name`, `timeouts`, or `retry` are defined for a HTTPRoute rule, they will be ignored and rule still will be created. {{< /call-out >}}

### GRPCRoute

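Review bot: The note at the end of the HTTPRoute section drops `sessionPersistence` from the list of ignored rule fields, but nothing in this hunk says what now happens when it is set (supported, or rejected with `Accepted/False/UnsupportedValue`?). Add `sessionPersistence` to the rule fields list with its status. The new `ResolvedRefs/False/InvalidInferencePool` reason should also be cross-referenced from the inference extension page edited in this PR.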
Expand Down Expand Up @@ -229,41 +247,47 @@ See the [controller]({{< ref "/ngf/reference/cli-help.md#controller">}}) command
- `controllerName`: Supported.
- `conditions`: Partially supported. Supported (Condition/Status/Reason):
- `Accepted/True/Accepted`
- `Accepted/True/UnsupportedField`
- `Accepted/False/NoMatchingListenerHostname`
- `Accepted/False/NoMatchingParent`
- `Accepted/False/NotAllowedByListeners`
- `Accepted/False/UnsupportedValue`: Custom reason for when the GRPCRoute includes an invalid or unsupported value.
- `Accepted/False/InvalidListener`: Custom reason for when the GRPCRoute references an invalid listener.
- `Accepted/False/UnsupportedValue`
- `Accepted/False/InvalidListener`
- `Accepted/False/HostnameConflict`
- `Accepted/False/MultipleRoutesOnListener`
- `Accepted/False/InvalidGateway`
- `Accepted/False/UnsupportedConfiguration`
- `ResolvedRefs/True/ResolvedRefs`
- `ResolvedRefs/False/InvalidKind`
- `ResolvedRefs/False/RefNotPermitted`
- `ResolvedRefs/False/BackendNotFound`
- `ResolvedRefs/False/UnsupportedValue`: Custom reason for when one of the GRPCRoute rules has a backendRef with an unsupported value.
- `ResolvedRefs/False/UnsupportedValue`
- `ResolvedRefs/False/InvalidIPFamily`
- `ResolvedRefs/False/UnsupportedProtocol`
- `ResolvedRefs/False/InvalidFilter`
- `PartiallyInvalid/True/UnsupportedValue`
- `Accepted/True/UnsupportedField`: Custom reason for when the GRPCRouteRule is accepted but contains an unsupported field

{{< call-out "note" >}} If `name` or `sessionPersistence` are defined for a GRPCRoute rule, they will be ignored and rule still will be created. {{< /call-out >}}
{{< call-out "note" >}} If `name` is defined for a GRPCRoute rule, it will be ignored and rule still will be created. {{< /call-out >}}

### ReferenceGrant

{{< table >}}

| Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version | API Release Channel |
|----------------|--------------------|------------------------|---------------------------------------|-------------|---------------------|
| ReferenceGrant | Supported | N/A | Not supported | v1beta1 | Standard |

| ReferenceGrant | Supported | N/A | Not supported | v1 | Standard |
{{< /table >}}

Fields:

- `spec`
- `to`
- `group` - supported.
- `kind` - supports `Secret` and `Service`.
- `kind` - supported.
- `name`- supported.
- `from`
- `group` - supported.
- `kind` - supports `Gateway` and `HTTPRoute`.
- `kind` - supported.
- `namespace`- supported.

### TLSRoute
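Review bot: In the ReferenceGrant fields, `kind - supports Secret and Service` and `kind - supports Gateway and HTTPRoute` are replaced by `kind - supported`, which removes the only statement of which kinds NGINX Gateway Fabric honors in a grant. A ReferenceGrant is an authorization boundary, and a user who writes an unhandled kind into one needs to know it has no effect; keep the explicit list, updated for whatever kinds are now handled, rather than the bare "supported". The same `sessionPersistence` question raised for HTTPRoute applies to the GRPCRoute note edited here.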
Expand All @@ -272,8 +296,7 @@ Fields:

| Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version | API Release Channel |
|----------|--------------------|------------------------|---------------------------------------|-------------|---------------------|
| TLSRoute | Supported | Not supported | Not supported | v1alpha2 | Experimental |

| TLSRoute | Supported | Not supported | Not supported | v1 | Standard |
{{< /table >}}

**Fields**:
Expand All @@ -293,14 +316,14 @@ Fields:
- `Accepted/False/NoMatchingListenerHostname`
- `Accepted/False/NoMatchingParent`
- `Accepted/False/NotAllowedByListeners`
- `Accepted/False/UnsupportedValue`: Custom reason for when the TLSRoute includes an invalid or unsupported value.
- `Accepted/False/InvalidListener`: Custom reason for when the TLSRoute references an invalid listener.
- `Accepted/False/HostnameConflict`: Custom reason for when the TLSRoute has a hostname that conflicts with another TLSRoute on the same port.
- `Accepted/False/UnsupportedValue`
- `Accepted/False/InvalidListener`
- `Accepted/False/HostnameConflict`
- `ResolvedRefs/True/ResolvedRefs`
- `ResolvedRefs/False/InvalidKind`
- `ResolvedRefs/False/RefNotPermitted`
- `ResolvedRefs/False/BackendNotFound`
- `ResolvedRefs/False/UnsupportedValue`: Custom reason for when one of the TLSRoute rules has a backendRef with an unsupported value.
- `ResolvedRefs/False/UnsupportedValue`
- `PartiallyInvalid/True/UnsupportedValue`

### TCPRoute
6 changes: 5 additions & 1 deletion content/ngf/traffic-management/https-termination.md
Expand Up @@ -106,7 +106,7 @@ To create the **access-to-cafe-secret** referencegrant, copy and paste the follo

```yaml
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1beta1
apiVersion: gateway.networking.k8s.io/v1
kind: ReferenceGrant
metadata:
name: access-to-cafe-secret
Expand Down Expand Up @@ -276,8 +276,12 @@ Server address: 10.244.0.6:80
Server name: coffee-6b8b6d6486-7fc78
```

{{< include "ngf/sni-https.md" >}}

## See also

To set up a production-ready integration with cert-manager for HTTPS traffic, see the [Secure traffic using Let's Encrypt]({{< ref "/ngf/traffic-security/integrate-cert-manager.md" >}}) guide.

To learn more about redirects using the Gateway API, see the following resource:

- [Gateway API Redirects](https://gateway-api.sigs.k8s.io/guides/http-redirect-rewrite/)
Expand Up @@ -367,4 +367,4 @@ To learn more about the Gateway API and the resources we created in this guide,

- [Gateway API Overview](https://gateway-api.sigs.k8s.io/concepts/api-overview/)
- [Deploying a simple Gateway](https://gateway-api.sigs.k8s.io/guides/simple-gateway/)
- [HTTP Routing](https://gateway-api.sigs.k8s.io/guides/http-routing/)
- [Gateway API HTTP Header Modifier](https://gateway-api.sigs.k8s.io/guides/http-header-modifier/)
1 change: 1 addition & 0 deletions content/ngf/traffic-management/tcp-routing.md
Expand Up @@ -297,3 +297,4 @@ Requests sent to port `${GW_PORT_1}` (listener `coffee`) are served by the coffe
## Further Readings

- [TCPRoute](https://gateway-api.sigs.k8s.io/reference/spec/#tcproute)
- [Gateway API TCP routing](https://gateway-api.sigs.k8s.io/guides/tcp/)
22 changes: 11 additions & 11 deletions content/ngf/traffic-management/tls-passthrough.md
Expand Up @@ -11,17 +11,11 @@ Learn how to use TLSRoutes to configure TLS passthrough load-balancing with NGIN

## Overview

In this guide, we will show how to configure TLS passthrough for your application, using a [TLSRoute](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute).

## Note on Gateway API Experimental Features

{{< call-out "important" >}} TLSRoute is a Gateway API resource from the experimental release channel. {{< /call-out >}}

{{< include "/ngf/installation/install-gateway-api-experimental-features.md" >}}
In this guide, we will show how to configure TLS passthrough for your application, using a [TLSRoute](https://gateway-api.sigs.k8s.io/reference/spec/#tlsroute).

## Before you begin

- [Install]({{< ref "/ngf/install/" >}}) NGINX Gateway Fabric with experimental features enabled.
- [Install]({{< ref "/ngf/install/" >}}) NGINX Gateway Fabric.

## Set up

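Review bot: The removed `{{< include "/ngf/installation/install-gateway-api-experimental-features.md" >}}` and the "with experimental features enabled" prerequisite are gone, but "Before you begin" does not say which Gateway API release first ships TLSRoute as `v1` in the standard channel; add that so readers with older CRDs know to upgrade rather than enable the experimental channel. Also check whether any other page still includes the experimental-features snippet for TLSRoute.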
Expand Down Expand Up @@ -129,7 +123,7 @@ Create a Gateway. This will create a TLS listener with the hostname `*.example.c

```yaml
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1beta1
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: gateway
Expand Down Expand Up @@ -200,7 +194,7 @@ Create a TLSRoute that attaches to the Gateway and routes requests to `app.examp

```yaml
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1alpha2
apiVersion: gateway.networking.k8s.io/v1
kind: TLSRoute
metadata:
name: tls-secure-app-route
Expand All @@ -218,7 +212,7 @@ spec:
EOF
```

{{< call-out "note" >}}To route to a Service in a Namespace different from the TLSRoute Namespace, create a [ReferenceGrant](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1beta1.ReferenceGrant) to permit the cross-namespace reference. {{< /call-out >}}
{{< call-out "note" >}}To route to a Service in a Namespace different from the TLSRoute Namespace, create a [ReferenceGrant](https://gateway-api.sigs.k8s.io/reference/spec/#referencegrant) to permit the cross-namespace reference. {{< /call-out >}}

## Send traffic

Expand Down Expand Up @@ -270,3 +264,9 @@ hello from pod secure-app-575785644-kzqf6
```

Note that the server certificate used to terminate the TLS connection has the subject common name of `app.example.com`. This is the server certificate that the `secure-app` is configured with and shows that the TLS connection was terminated by the `secure-app`, not NGINX Gateway Fabric.

## See also

To learn more about TLS routing using the Gateway API, see the following resource:

- [Gateway API TLS routing](https://gateway-api.sigs.k8s.io/guides/tls-routing/)