On Fri, May 17, 2019 at 09:23:59PM +0200, Tim Düsterhus wrote:
> Willy: I wonder if that's something HAProxy itself should detect: When a
> client certificate is provided for a connection and the Host header does
> not match the SNI then a 421 is sent automatically (that behaviour of
> course being configurable).
I wanted to do that first, until I figured it would break forward proxies over TLS: the client sets up a TLS connection to reach the proxy server, then sends a request for the target host. In this case the TLS connection is for the proxy and will not match the host name.

However I definitely am in favor of making it easy to perform a simple check using a single rule and the least possible configuration. I think that restarting from the ssl_sni_check that Moemen proposed and that we discussed in the other thread is an appropriate way to deal with this.

Willy
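As an added illustration of the check discussed above (not code from the thread and not the ssl_sni_check proposal itself), the following HAProxy configuration fragment rejects a request with 421 only when a client certificate was actually presented and the Host header does not match the SNI. It relies on the strcmp converter and the http-request return action, so it assumes HAProxy 2.2 or later; the certificate paths and the frontend name are placeholders.

```haproxy
frontend fe_https
    mode http
    # Placeholder paths; "verify optional" is what makes ssl_c_used meaningful,
    # since a client may or may not present a certificate.
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/ca.pem verify optional

    # Normalise the Host header: drop an optional :port and lowercase it,
    # so that "Example.com:443" compares equal to the SNI "example.com".
    http-request set-var(txn.host) req.hdr(host),field(1,:),lower

    # Only enforce the check when the client authenticated with a certificate.
    acl client_cert_used ssl_c_used

    # strcmp yields 0 when the (lowercased) SNI equals the stored Host value.
    # A connection without SNI yields an empty string and therefore never matches.
    acl sni_host_match ssl_fc_sni,lower,strcmp(txn.host) -m int 0

    # Misdirected Request: the certificate was validated for a different name.
    http-request return status 421 content-type text/plain string "Misdirected Request\n" if client_cert_used !sni_host_match

    default_backend be_app
```

This deliberately does not apply to the forward-proxy case Willy describes: a CONNECT or absolute-URI request carries the target host, not the proxy's name, so such a frontend would need to leave the rule out or guard it with an ACL on the request method and URI form.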

