Re: Domain fronting
Holger, Mildis,

On 07.05.2018 at 22:54, Holger Just wrote:
> This approach is a bit special since regular expressions (or generally
> any compared value) needs to be static in HAProxy and can't contain
> dynamically generated values.

FWIW on April 27th, 2018 I shipped a patch adding a strcmp converter to haproxy master (i.e. 1.9): https://www.mail-archive.com/haproxy@formilux.org/msg29786.html

@Holger I acknowledged your solution to my question in my initial mail to that subthread; it's still working fine. Thank you.

@Mildis Make sure to read the sibling mails in the thread also. Depending on your exact set-up of certificates you might or might not break legitimate requests when preventing domain fronting.

Best regards
Tim Düsterhus
Re: Domain fronting
Hi Mildis (and this time the list too),

Mildis wrote:
> Is there a simple way to limit TLS domain fronting by forcing SNI and Host
> header to be the same ?
> Maybe add an optional parameter like "strict_sni_host" ?

You can do a little trick here to enforce this without having to rely on additional code in HAProxy. What you can do is to build a new temporary HTTP header which contains the concatenated values of the HTTP Host header and the SNI server name value. Using a regular expression, you can then check that the two values are the same.

This approach is a bit special since regular expressions (or generally any compared value) needs to be static in HAProxy and can't contain dynamically generated values.

I often use the following configuration snippet in my frontends (probably remove newlines added in this mail):

    # Enforce that the TLS SNI field (if provided) matches the HTTP hostname
    # This is a bit "hacky" as HAProxy neither allows to compare two
    # headers directly nor allows dynamic patterns in general. Thus, we
    # concatenate the HTTP Header and the SNI field in an internal header
    # and check if the same value is repeated in that header.
    http-request set-header X-CHECKSNI %[req.hdr(host)]==%[ssl_fc_sni] if { ssl_fc_has_sni }

    # This needs to be a named capture because of "reasons". Backreferences
    # to normal captures are rejected by (my version of) HAProxy
    http-request deny if { ssl_fc_has_sni } ! { hdr(X-CHECKSNI) -m reg -i ^(?<host>.+)==\1$ }

    # Cleanup after us
    http-request del-header X-CHECKSNI

Cheers,
Holger
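A small model of that check, added here as an example (it is neither HAProxy's code nor Holger's), that applies the same concatenate-and-backreference pattern to constructed Host/SNI pairs. It assumes the named capture in the snippet was `(?<host>.+)`, and adds an optional port-stripping normalisation that is not in the snippet, to show how a legitimate `Host: name:port` request would be denied by the rule as written.

```python
import re
from typing import Dict, Optional

# The ACL pattern from the snippet, with the named capture spelled in
# Python's (?P<name>...) syntax; the ACL's -i flag becomes re.IGNORECASE.
CHECK_RE = re.compile(r"^(?P<host>.+)==\1$", re.IGNORECASE)


def build_check_header(host_header: str, sni: str) -> str:
    """Model 'set-header X-CHECKSNI %[req.hdr(host)]==%[ssl_fc_sni]'."""
    return f"{host_header}=={sni}"


def request_allowed(host_header: str, sni: Optional[str],
                    strip_port: bool = False) -> bool:
    """True if the 'http-request deny' rule would NOT fire.

    sni=None models ssl_fc_has_sni being false: the rule is guarded by it,
    so such requests pass untouched. strip_port is an assumed, added
    normalisation (not in the original snippet) dropping a ':port' suffix
    from the Host header before the comparison.
    """
    if sni is None:
        return True
    if strip_port:
        host_header = re.sub(r":\d+$", "", host_header)
    return CHECK_RE.match(build_check_header(host_header, sni)) is not None


# Constructed request samples: (Host header, SNI, description).
SAMPLES = [
    ("www.example.com", "www.example.com", "plain match"),
    ("WWW.Example.COM", "www.example.com", "case differs, -i makes it match"),
    ("www.example.com", "cdn.example.com", "fronting: Host differs from SNI"),
    ("www.example.com:443", "www.example.com", "legitimate Host with port"),
    ("www.example.com", None, "no SNI sent, rule not applied"),
]


def evaluate_samples(strip_port: bool = False) -> Dict[str, bool]:
    """Run every sample through the check; keys are the descriptions."""
    return {desc: request_allowed(h, s, strip_port) for h, s, desc in SAMPLES}


if __name__ == "__main__":
    for strip in (False, True):
        print(f"strip_port={strip}")
        for desc, allowed in evaluate_samples(strip).items():
            print(f"  {'allow' if allowed else 'DENY '}  {desc}")
```

The "legitimate Host with port" sample is denied without normalisation and allowed with it, which is the kind of breakage to test for before deploying the rule.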