Hello William,

Thank you for your response.

I fear that strict-sni won't get us far. The issue is that the SNI is just fine (it is in the crt-list), however we also need to check if the host header is part of the crt-list. E.g.

    curl https://my-host.domain.com -H "host: other-host.otherdomain.com"

So here we check for the SNI "my-host.domain.com" automatically via crt-list, but in the next step we select the backend based on the host header, but only if it also is present in the crt-list (which we use as a list of valid domains hosted on the platform).

So based on what you said we can't do that, we would do something like:

    http-request set-var(txn.forwarded_host) req.hdr(host),host_only,lower
    acl is_known_domain var(txn.forwarded_host),map_dom(/domains.map) -m found
    http-request deny if !is_known_domain

where /domains.map is basically a copy of the crt-list like that:

    *.domain.com 1
    *.otherdomain.com 1

So, this works, though it is ugly because I need to do double maintenance of the crt-list.

Even if I used strict-sni, you could still run into the issue that the SNI is on the crt-list, but the host header is not.

From: William Lallemand <[email protected]>
Date: Wednesday, 3. April 2024 at 11:31
To: Froehlich, Dominik <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: How to check if a domain is known to HAProxy

On Wed, Apr 03, 2024 at 07:47:44AM +0000, Froehlich, Dominik wrote:
> Subject: How to check if a domain is known to HAProxy
> Hello everyone,
>
> This may be kind of a peculiar request.
>
> We have the need to block requests that are not in the crt-list of our
> frontend.
>
> So, the expectation would be that HAProxy does a lookup of the domain (as it
> does for the crt-list entry) but for domain-fronted requests, i.e. we have to
> check both the SNI and the host header.
>
> What makes it difficult is that we still want to allow domain fronting, but
> only if the host header also matches an entry in the crt-list.
>
> At the moment, I don't see any way of doing this programmatically, and the
> crt-list lookup based on the SNI is completely within HAProxy logic.
>
> Is there any way to access the crt-list via an ACL or similar? The
> alternative would be to maintain the list twice and add it as a map or list
> to the HAProxy config and then maybe do a custom host matching via a Lua script
> etc., but I really would like to avoid that.
>
> Any hints from the community?

Hello,

You can't access the crt-list from the ACL, however if you are using the `strict-sni` keyword, you will be sure that the requested SNI will be in your crt-list. And then you can compare the host header with the SNI.

There is an example in the strcmp keyword documentation:

    http-request set-var(txn.host) hdr(host)
    # Check whether the client is attempting domain fronting.
    acl ssl_sni_http_host_match ssl_fc_sni,strcmp(txn.host) eq 0

https://docs.haproxy.org/2.9/configuration.html#strcmp

Regards,

--
William Lallemand
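The two checks discussed in this thread combined into one frontend, as an added example (this is not configuration posted by either participant, nor HAProxy's own documentation). Assumed for illustration: the crt-list lives at /etc/haproxy/crt-list.txt, the duplicated domain list at /etc/haproxy/domains.map, and backends named web_domain and web_otherdomain exist. Unlike the `*.domain.com` / map_dom form in the message above, this example keys the map on leading-dot suffixes and matches them with map_end, so ".domain.com" is a strict suffix match: it accepts my-host.domain.com and nothing that merely contains domain.com as a run of labels. The apex domain.com is deliberately not covered, matching what a wildcard crt-list entry covers. With strict-sni on the bind line, an exact SNI/Host match is enough proof that the Host is in the crt-list; only the domain-fronted case needs the map.

```haproxy
# Added example, not the thread's own configuration. Paths and backend
# names are assumptions.

frontend https_in
    mode http
    # strict-sni: a handshake whose SNI is not in the crt-list is refused,
    # so ssl_fc_sni below is always a name we hold a certificate for.
    bind :443 ssl crt-list /etc/haproxy/crt-list.txt strict-sni

    # Normalised Host header (port stripped, lowercased) for the whole txn.
    http-request set-var(txn.host) req.hdr(host),host_only,lower

    # An HTTPS request without a usable Host header has nothing to check.
    http-request deny deny_status 400 if !{ var(txn.host) -m found }

    # Case 1: SNI and Host agree. strcmp returns 0 on equality, and the
    # SNI is guaranteed to be in the crt-list by strict-sni.
    acl sni_host_match ssl_fc_sni,lower,strcmp(txn.host) eq 0

    # Case 2: domain fronting. Allowed only if the Host is one of our own
    # hosted suffixes. /etc/haproxy/domains.map is the copy of the crt-list
    # the thread talks about, in this form (key, then any value):
    #
    #     .domain.com      1
    #     .otherdomain.com 1
    #
    # map_end does a suffix match, so evil.domain.com.attacker.example is
    # not accepted.
    acl host_is_known var(txn.host),map_end(/etc/haproxy/domains.map) -m found

    # 421 Misdirected Request: the Host is not something this platform serves.
    http-request deny deny_status 421 if !sni_host_match !host_is_known

    # Routing uses the validated Host, not the SNI, so a fronted request for
    # other-host.otherdomain.com behind the my-host.domain.com SNI lands on
    # the backend for otherdomain.com.
    use_backend web_otherdomain if { var(txn.host) -m end .otherdomain.com }
    default_backend web_domain
```

The curl command from the message above, `curl https://my-host.domain.com -H "host: other-host.otherdomain.com"`, passes the sni_host_match ACL only if the two names are equal, so it is admitted through host_is_known and routed to web_otherdomain; the same request with `-H "host: victim.example.net"` is refused with 421, and a client offering an SNI that is not in the crt-list never reaches the HTTP layer at all because of strict-sni. The double maintenance of the crt-list and domains.map remains; what the example buys is that the SNI side of the check needs no map at all.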

