Hi Mildis (and this time the list too),

Mildis wrote:
> Is there a simple way to limit TLS domain fronting by forcing SNI and Host
> header to be the same ?
> Maybe add an optional parameter like "strict_sni_host" ?
You can do a little trick here to enforce this without having to rely on additional code in HAProxy. What you can do is to build a new temporary HTTP header which contains the concatenated values of the HTTP Host header and the SNI server name value. Using a regular expression, you can then check that the two values are the same. This approach is a bit special since regular expressions (or generally any compared value) need to be static in HAProxy and can't contain dynamically generated values.

I often use the following configuration snippet in my frontends (probably remove newlines added in this mail):

# Enforce that the TLS SNI field (if provided) matches the HTTP hostname
# This is a bit "hacky" as HAProxy neither allows to compare two
# headers directly nor allows dynamic patterns in general. Thus, we
# concatenate the HTTP Header and the SNI field in an internal header
# and check if the same value is repeated in that header.
http-request set-header X-CHECKSNI %[req.hdr(host)]==%[ssl_fc_sni] if { ssl_fc_has_sni }

# This needs to be a named capture because of "reasons". Backreferences
# to normal captures are rejected by (my version of) HAProxy
# (NAME is a placeholder: the group name was lost in the mail archive,
# any identifier works here)
http-request deny if { ssl_fc_has_sni } ! { hdr(X-CHECKSNI) -m reg -i ^(?<NAME>.+)==\1$ }

# Cleanup after us
http-request del-header X-CHECKSNI

Cheers,
Holger
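To see what the rule above allows and denies, here is an added Python model of the check (not from the mail and not HAProxy code); the group name `h`, the sample hostnames and the helper name are assumptions, and the Host-with-port case is included because a browser sends the port on non-default ports, which the strict comparison rejects.

```python
import re

# Emulates the X-CHECKSNI trick: HAProxy builds "<Host>==<SNI>" and applies
# a case-insensitive regex with a backreference. PCRE (HAProxy) writes the
# named group as (?<h>.+); Python's re spells the same thing (?P<h>.+).
# The group name "h" is an assumption, any name works.
SNI_HOST_RE = re.compile(r"^(?P<h>.+)==\1$", re.IGNORECASE)  # "-m reg -i"


def check_sni_matches_host(host_header, sni):
    """Return "allow" or "deny" the way the two http-request rules would.

    host_header: value of the HTTP Host header (None if the client sent none)
    sni: TLS SNI server name (None when the ClientHello carried no SNI)
    """
    if sni is None:
        # Both rules are guarded by { ssl_fc_has_sni }: without SNI the
        # check is skipped entirely, so a client can omit SNI to avoid it.
        return "allow"
    # http-request set-header X-CHECKSNI %[req.hdr(host)]==%[ssl_fc_sni]
    combined = f"{host_header or ''}=={sni}"
    # http-request deny ... ! { hdr(X-CHECKSNI) -m reg -i ^(?<h>.+)==\1$ }
    return "allow" if SNI_HOST_RE.match(combined) else "deny"


# Constructed sample requests (hostnames are made up for illustration)
SAMPLE_REQUESTS = [
    ("www.example.com", "www.example.com"),        # honest request
    ("WWW.Example.COM", "www.example.com"),        # only case differs: -i
    ("hidden.example.net", "www.example.com"),     # fronting: SNI != Host
    ("www.example.com:8443", "www.example.com"),   # Host carries a port
    ("", "www.example.com"),                       # empty Host header
    ("www.example.com", None),                     # no SNI: check skipped
]

if __name__ == "__main__":
    for host, sni in SAMPLE_REQUESTS:
        print(f"Host={host!r:28} SNI={sni!r:20} -> "
              f"{check_sni_matches_host(host, sni)}")
```

Note that the port case is denied: a request to a frontend on a non-default port needs the port stripped from the Host value before the comparison, or the rule will block legitimate traffic.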