Hi Mildis (and this time the list too),

Mildis wrote:
> Is there a simple way to limit TLS domain fronting by forcing SNI and Host
> header to be the same?
> Maybe add an optional parameter like "strict_sni_host"?

You can do a little trick here to enforce this without having to rely on
additional code in HAProxy.

What you can do is to build a new temporary HTTP header which contains
the concatenated values of the HTTP host header and the SNI server name
value. Using a regular expression, you can then check that the two
values are the same.

This approach is a bit special since regular expressions (or generally
any compared value) need to be static in HAProxy and can't contain
dynamically generated values.

I often use the following configuration snippet in my frontends (probably
remove newlines added in this mail):

# Enforce that the TLS SNI field (if provided) matches the HTTP hostname
# This is a bit "hacky" as HAProxy neither allows to compare two
# headers directly nor allows dynamic patterns in general. Thus, we
# concatenate the HTTP Header and the SNI field in an internal header
# and check if the same value is repeated in that header.
http-request set-header X-CHECKSNI %[req.hdr(host)]==%[ssl_fc_sni] if { ssl_fc_has_sni }

# This needs to be a named capture because of "reasons". Backreferences
# to normal captures are rejected by (my version of) HAProxy
# (the group name itself is arbitrary; "h" is used here because the
# original name was lost in the mail formatting)
http-request deny if { ssl_fc_has_sni } ! { hdr(X-CHECKSNI) -m reg -i ^(?<h>.+)==\1$ }

# Cleanup after us
http-request del-header X-CHECKSNI

Cheers, Holger
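To see what the three rules above actually accept and reject, here is a small emulation in Python, added as an example and not part of Holger's mail or of HAProxy itself; Python's (?P<h>...) named-group syntax stands in for PCRE's (?<h>...). The constructed samples also show a caveat a practitioner runs into: a Host header that carries a port ("example.com:8443") is denied by the plain check, and the host_without_port helper (my own addition, not something the mail proposes) is one way to handle that.

```python
import re

# Same pattern the deny rule uses: a named capture of the Host value, "==",
# then a backreference that requires the SNI to repeat it (case-insensitive).
CHECK_RE = re.compile(r"^(?P<h>.+)==\1$", re.IGNORECASE)


def x_checksni(host, sni):
    """Build the temporary header value exactly as the set-header rule does."""
    return f"{host}=={sni}"


def haproxy_decision(host, sni):
    """Emulate the rules for one request: returns 'allow' or 'deny'.
    host: value of the HTTP Host header ("" or None if absent)
    sni:  TLS SNI server name, or None when the client sent no SNI."""
    if sni is None:  # { ssl_fc_has_sni } is false, so neither rule fires
        return "allow"
    value = x_checksni(host or "", sni)
    return "allow" if CHECK_RE.match(value) else "deny"


def host_without_port(host):
    """Assumed helper: strip a ':port' suffix from a Host value, keeping
    bracketed IPv6 literals such as '[::1]:8443' intact as '[::1]'."""
    if host.startswith("["):
        end = host.find("]")
        return host[:end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if ":" in host else host


def decision_ignoring_port(host, sni):
    """Variant of the check that tolerates an explicit port in Host."""
    return haproxy_decision(host_without_port(host) if host else host, sni)


# Constructed sample requests: (Host header, SNI)
SAMPLES = [
    ("example.com", "example.com"),         # match: allow
    ("EXAMPLE.com", "example.com"),         # case differs only: allow (-i)
    ("cdn.example.com", "example.com"),     # fronting attempt: deny
    ("example.com:8443", "example.com"),    # port in Host: deny by plain check
    ("", "example.com"),                    # SNI but no Host: deny
    ("example.com", None),                  # no SNI: check is skipped
]

if __name__ == "__main__":
    for host, sni in SAMPLES:
        print(f"Host={host!r:20} SNI={sni!r:14} -> {haproxy_decision(host, sni)}")
```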
