Willy,

On 27.04.2018 at 06:39, Willy Tarreau wrote:
> I'd proceed differently I think. Just like we do have arithmetic operators
> support variables as arguments, we could have string operators like strcmp()
> which would support a variable as well. Then you could simply put your SNI
> into a variable, and compare the host field with this variable.
>

Okay, first stab at a patch coming after this mail.

>> Personally I require SNI for everything and select the
>> backends based on SNI and not the Host header.
>
> This is dangerous because it's not what the backend servers will do,
> so you need to keep this in mind to ensure you never switch to the
> wrong place. Also as Lukas explained, when some certs overlap, you'll
> only have the SNI matching the first Host. Apparently in your case it's
> not an issue since you exactly compare them. Normally the reliable way
> of doing it would be to ensure that SNI is valid (eg when you have to
> check a client cert) but still rely on Host for routing.
>

In my case it is fine, because I don't use SAN certificates at all. Every single certificate is valid for a single host only. Putting multiple hosts into a certificate was a maintenance nightmare from my point of view (the file name does not fully specify the contents).

In case of connection re-use for SAN certificates my patch won't be sufficient, because one is not able to determine the other SANs in the certificate used. To combat this issue I also added support for the "HTTP 421 Misdirected Request" header, which, according to the specification, forces the user agent to retry the request using a fresh connection.

Something like this should do the right thing (but I did not check this with browsers, because it does not apply to me):

> http-request set-var(txn.host) hdr(host)
> acl ssl_sni_http_host_match ssl_fc_sni,strcmp(txn.host) eq 0
> http-request deny deny_status 421 if ! ssl_sni_http_host_match

Best regards
Tim Duesterhus (2):
  MINOR: sample: Add strcmp sample converter
  MINOR: http: Add support for 421 Misdirected Request

 doc/configuration.txt      | 15 ++++++++++++
 include/types/proto_http.h |  1 +
 src/proto_http.c           | 11 +++++++++
 src/sample.c               | 49 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 76 insertions(+)

-- 
2.17.0
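The decision the three-line configuration above expresses, modelled as a stand-alone C function. This is an added example, not part of the mail or of HAProxy's own code: `check_sni_host()` takes the TLS SNI and the HTTP Host header value of a request on a (possibly reused) connection and returns 0 when they name the same host and 421 when they do not, which is when a "Misdirected Request" response is the safe answer. The exact `strcmp` in the configuration would treat `Example.com:443` as different from the SNI `example.com`; the `normalize_host()` helper here is an assumption that goes beyond the mail by stripping an optional port and lowercasing before comparing, so that a client that sends the port in Host is not sent away needlessly. The sample inputs in `main()` are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 256

enum route_decision {
    ROUTE_OK = 0,             /* SNI and Host agree: route the request normally */
    ROUTE_MISDIRECTED = 421   /* answer 421 so the client retries on a fresh connection */
};

/* Copy the host part of an HTTP Host header value (or an SNI name) into out:
 * strip an optional ":port" while keeping IPv6 literals such as [::1] intact,
 * and lowercase the result. Returns the length written, or -1 when the input
 * is missing, empty or does not fit (all treated as "no usable host").
 * Assumption: this normalization is not what the mail's exact strcmp does. */
static int normalize_host(const char *host, char *out, size_t outlen)
{
    const char *end;
    size_t len;

    if (host == NULL || *host == '\0')
        return -1;

    if (*host == '[') {                       /* IPv6 literal: [addr] or [addr]:port */
        end = strchr(host, ']');
        if (end == NULL)
            return -1;
        end++;                                /* keep the closing bracket */
    } else {
        end = strchr(host, ':');              /* host or host:port */
        if (end == NULL)
            end = host + strlen(host);
    }

    len = (size_t)(end - host);
    if (len == 0 || len >= outlen)
        return -1;

    for (size_t i = 0; i < len; i++)
        out[i] = (char)tolower((unsigned char)host[i]);
    out[len] = '\0';
    return (int)len;
}

/* Return ROUTE_OK when the SNI of the TLS connection and the Host header of the
 * request name the same host, ROUTE_MISDIRECTED (421) otherwise. A missing SNI
 * or missing Host is a mismatch, matching a setup that requires SNI everywhere. */
int check_sni_host(const char *sni, const char *host)
{
    char norm_sni[HOST_MAX], norm_host[HOST_MAX];

    if (normalize_host(sni, norm_sni, sizeof norm_sni) < 0)
        return ROUTE_MISDIRECTED;
    if (normalize_host(host, norm_host, sizeof norm_host) < 0)
        return ROUTE_MISDIRECTED;
    return strcmp(norm_sni, norm_host) == 0 ? ROUTE_OK : ROUTE_MISDIRECTED;
}

int main(void)
{
    /* Constructed sample pairs: SNI of the connection, Host header of the request */
    const char *sni[]  = { "example.com", "example.com",     "a.example.com", NULL,          "example.com" };
    const char *host[] = { "example.com", "EXAMPLE.com:443", "b.example.com", "example.com", "[::1]:443"   };

    for (size_t i = 0; i < sizeof sni / sizeof sni[0]; i++)
        printf("sni=%-14s host=%-16s -> %d\n",
               sni[i] ? sni[i] : "(none)", host[i], check_sni_host(sni[i], host[i]));
    return 0;
}
```

The second pair (`EXAMPLE.com:443`) is the one where the added normalization and the mail's exact comparison disagree; which behaviour is wanted depends on whether the deployment ever sees a port in Host, and a 421 there only costs the client a reconnect, so the stricter exact comparison errs on the safe side.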

