Re: Domain fronting

2018-05-07 Thread Tim Düsterhus
Holger,
Mildis,

On 07.05.2018 at 22:54, Holger Just wrote:
> This approach is a bit special since regular expressions (or generally
> any compared value) need to be static in HAProxy and can't contain
> dynamically generated values.
> 

FWIW on April, 27th 2018 I shipped a patch adding a strcmp converter to
haproxy master (i.e. 1.9):
https://www.mail-archive.com/haproxy@formilux.org/msg29786.html

@Holger I acknowledged your solution to my question in my initial mail
to that subthread, it's still working fine. Thank you.

@Mildis Make sure to read the sibling mails in the thread also.
Depending on your exact set-up of certificates you might or might not
break legitimate requests when preventing domain fronting.

Best regards
Tim Düsterhus



Re: Domain fronting

2018-05-07 Thread Holger Just
Hi Mildis (and this time the list too),

Mildis wrote:
> Is there a simple way to limit TLS domain fronting by forcing SNI and Host 
> header to be the same ?
> Maybe add an optional parameter like "strict_sni_host" ?

You can do a little trick here to enforce this without having to rely on
additional code in HAProxy.

What you can do is to build a new temporary HTTP header which contains
the concatenated values of the HTTP host header and the SNI server name
value. Using a regular expression, you can then check that the two
values are the same.

This approach is a bit special since regular expressions (or generally
any compared value) need to be static in HAProxy and can't contain
dynamically generated values.

I often use the following configuration snippet in my frontends (probably
remove newlines added in this mail):

# Enforce that the TLS SNI field (if provided) matches the HTTP hostname
# This is a bit "hacky" as HAProxy neither allows to compare two
# headers directly nor allows dynamic patterns in general. Thus, we
# concatenate the HTTP Header and the SNI field in an internal header
# and check if the same value is repeated in that header.
http-request set-header X-CHECKSNI %[req.hdr(host)]==%[ssl_fc_sni] if { ssl_fc_has_sni }

# This needs to be a named capture because of "reasons". Backreferences
# to normal captures are rejected by (my version of) HAProxy
# (The group name between the angle brackets was stripped by the mail
# archive; "h" below is a placeholder, any group name works.)
http-request deny if { ssl_fc_has_sni } ! { hdr(X-CHECKSNI) -m reg -i ^(?<h>.+)==\1$ }

# Cleanup after us
http-request del-header X-CHECKSNI

Cheers, Holger
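As an added illustration (not part of Holger's or Tim's mails, and not HAProxy code), the script below models how the two checks discussed in this thread decide on a request: the regex back-reference rule from the snippet above, and an exact comparison of the kind the strcmp converter in HAProxy 1.9 makes possible. The function names, the constructed Host/SNI pairs and the `host_without_port` normalisation are assumptions made for this example; the point is to see, offline, which legitimate-looking requests each variant rejects (for instance a Host header that carries an explicit port, which the SNI never does) before deploying such a rule.

```python
import re
from typing import List, Optional, Tuple

# Python spelling of the PCRE pattern used in the HAProxy rule:
# HAProxy: ^(?<h>.+)==\1$  (with -i)   Python: ^(?P<h>.+)==(?P=h)$ (re.IGNORECASE)
# The back-reference forces both halves of "host==sni" to be identical.
_SAME_VALUE = re.compile(r"^(?P<h>.+)==(?P=h)$", re.IGNORECASE)


def regex_rule_denies(host: str, sni: Optional[str]) -> bool:
    """Model of: http-request deny if { ssl_fc_has_sni } ! { hdr(X-CHECKSNI) -m reg -i ... }

    sni=None stands for a connection without SNI, where ssl_fc_has_sni is
    false and the deny rule therefore never fires.
    """
    if sni is None:
        return False
    x_checksni = f"{host}=={sni}"  # what set-header X-CHECKSNI would build
    return _SAME_VALUE.match(x_checksni) is None


def strcmp_rule_denies(host: str, sni: Optional[str]) -> bool:
    """Model of the 1.9+ style check: deny unless ssl_fc_sni,strcmp(txn.host) eq 0.

    strcmp(3) semantics: byte-wise and case-sensitive, no regex involved.
    """
    if sni is None:
        return False
    return host != sni


# Hypothetical normalisation (not in the thread): a Host header may carry
# ":port" (also after an IPv6 literal such as [::1]:443), while the SNI value
# is always a bare name. Stripping the port avoids rejecting such clients.
_HOST_PORT = re.compile(r"^(.*?)(?::\d+)?$")


def host_without_port(host: str) -> str:
    return _HOST_PORT.match(host).group(1)


# Constructed Host/SNI pairs for the comparison table (sample data only).
CASES: List[Tuple[str, Optional[str]]] = [
    ("www.example.com", "www.example.com"),       # plain match
    ("WWW.EXAMPLE.COM", "www.example.com"),       # only case differs
    ("www.example.com:443", "www.example.com"),   # explicit port in Host
    ("other.example.net", "www.example.com"),     # Host and SNI disagree
    ("www.example.com", None),                    # no SNI sent at all
]


def evaluate(cases: List[Tuple[str, Optional[str]]]) -> List[Tuple[str, Optional[str], bool, bool, bool]]:
    """Return (host, sni, regex_denies, strcmp_denies, strcmp_denies_after_port_strip)."""
    rows = []
    for host, sni in cases:
        rows.append((
            host,
            sni,
            regex_rule_denies(host, sni),
            strcmp_rule_denies(host, sni),
            strcmp_rule_denies(host_without_port(host), sni),
        ))
    return rows


if __name__ == "__main__":
    print(f"{'Host':22} {'SNI':18} regex  strcmp  strcmp(no port)")
    for host, sni, r, s, s2 in evaluate(CASES):
        print(f"{host:22} {str(sni):18} {str(r):6} {str(s):7} {str(s2)}")
```

Two things the table makes visible: the `-i` flag in the regex rule makes the comparison case-insensitive while a strcmp-style comparison is not, and both raw variants reject a Host header that includes a port even though the client is not fronting anything, which is one concrete reason to test such a rule against real client traffic before turning it into a deny.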