Hello everyone,

This may be kind of a peculiar request.

We have the need to block requests that are not in the crt-list of our frontend. So, the expectation would be that HAProxy does a lookup of the domain (as it does for the crt-list entry) but for domain-fronted requests, i.e. we have to check both the SNI and the Host header. What makes it difficult is that we still want to allow domain fronting, but only if the Host header also matches an entry in the crt-list.

At the moment, I don’t see any way of doing this programmatically, and the crt-list lookup based on the SNI is completely within HAProxy logic. Is there any way to access the crt-list via an ACL or similar?

The alternative would be to maintain the list twice and add it as a map or list to the HAProxy config and then maybe do custom host matching via a Lua script, etc., but I really would like to avoid that.

Any hints from the community?
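Added example, not part of the original post and not HAProxy's own code: one way to avoid maintaining the list twice is to derive the Host allow-list from the crt-list file itself and apply the same check to both the SNI and the Host header. It assumes every crt-list line carries explicit SNI filters (names that HAProxy would take from a certificate's CN/SAN are not read), and the sample paths, hostnames and function names are constructed.

```python
import re

# Constructed sample crt-list (hypothetical paths and names, not from the post).
SAMPLE_CRT_LIST = """\
# <crtfile> [<sslbindconf>] [[!]<snifilter> ...]
/etc/haproxy/certs/shop.pem shop.example.com www.shop.example.com
/etc/haproxy/certs/wild.pem [alpn h2,http/1.1] *.apps.example.com !internal.apps.example.com
/etc/haproxy/certs/api.pem [ssl-min-ver TLSv1.2] API.example.com
"""

def parse_crt_list(text):
    """Return (exact, wildcard_suffixes, excluded) sets of lowercase names."""
    exact, wild, excluded = set(), set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Drop the optional [sslbindconf] block; the first token left is the cert path.
        line = re.sub(r"\[[^\]]*\]", " ", line)
        for name in line.split()[1:]:
            name = name.lower()
            if name.startswith("!"):
                excluded.add(name[1:])      # negative filter
            elif name.startswith("*."):
                wild.add(name[1:])          # stored as ".apps.example.com"
            else:
                exact.add(name)
    return exact, wild, excluded

def name_allowed(name, rules):
    """True if a hostname (SNI or Host header value) matches a crt-list filter."""
    exact, wild, excluded = rules
    host = (name or "").strip().lower()
    if host.startswith("["):                # bracketed IPv6 literal is never a listed name
        return False
    host = host.rsplit(":", 1)[0].rstrip(".")   # strip ":port" and a trailing dot
    if host in excluded:
        return False
    if host in exact:
        return True
    # A wildcard filter covers exactly one leading label.
    _, dot, rest = host.partition(".")
    return bool(dot) and ("." + rest) in wild

def request_allowed(sni, host_header, rules):
    """Fronting is tolerated, but both names must be listed in the crt-list."""
    return name_allowed(sni, rules) and name_allowed(host_header, rules)
```

The sets returned by `parse_crt_list` can be written out as a generated list file at deploy time, so the crt-list stays the only hand-maintained source.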