diff options
author | Matthew Holt <mholt@users.noreply.github.com> | 2019-09-17 23:13:21 -0600 |
---|---|---|
committer | Matthew Holt <mholt@users.noreply.github.com> | 2019-09-17 23:13:21 -0600 |
commit | 4c289fc6ad3d7c2afa69e36cdf2cc9a172cb1c9c (patch) | |
tree | 2a15e46d3b3b2fe06865dcf6c6bdb62b9661f998 /modules/caddyhttp | |
parent | 19f36667f75491f101b28b558551fc9639006f79 (diff) |
Allow domain fronting with TLS client auth if explicitly configured
Diffstat (limited to 'modules/caddyhttp')
-rw-r--r-- | modules/caddyhttp/caddyhttp.go | 20 | ||||
-rw-r--r-- | modules/caddyhttp/server.go | 4 |
2 files changed, 14 insertions, 10 deletions
diff --git a/modules/caddyhttp/caddyhttp.go b/modules/caddyhttp/caddyhttp.go index c044a9b..0a26ad1 100644 --- a/modules/caddyhttp/caddyhttp.go +++ b/modules/caddyhttp/caddyhttp.go @@ -78,16 +78,20 @@ func (app *App) Provision(ctx caddy.Context) error { srv.AutoHTTPS = new(AutoHTTPSConfig) } - // disallow TLS client auth bypass which could - // otherwise be exploited by sending an unprotected - // SNI value during TLS handshake, then a protected - // Host header during HTTP request later on that - // connection - if srv.hasTLSClientAuth() { - srv.StrictSNIHost = true + // if not explicitly configured by the user, disallow TLS + // client auth bypass (domain fronting) which could + // otherwise be exploited by sending an unprotected SNI + // value during a TLS handshake, then putting a protected + // domain in the Host header after establishing connection; + // this is a safe default, but we allow users to override + // it for example in the case of running a proxy where + // domain fronting is desired and access is not restricted + // based on hostname + if srv.StrictSNIHost == nil && srv.hasTLSClientAuth() { + trueBool := true + srv.StrictSNIHost = &trueBool } - // TODO: Test this function to ensure these replacements are performed for i := range srv.Listen { srv.Listen[i] = repl.ReplaceAll(srv.Listen[i], "") } diff --git a/modules/caddyhttp/server.go b/modules/caddyhttp/server.go index b4952e1..0ccdeea 100644 --- a/modules/caddyhttp/server.go +++ b/modules/caddyhttp/server.go @@ -42,7 +42,7 @@ type Server struct { TLSConnPolicies caddytls.ConnectionPolicies `json:"tls_connection_policies,omitempty"` AutoHTTPS *AutoHTTPSConfig `json:"automatic_https,omitempty"` MaxRehandles *int `json:"max_rehandles,omitempty"` - StrictSNIHost bool `json:"strict_sni_host,omitempty"` + StrictSNIHost *bool `json:"strict_sni_host,omitempty"` // This field is not subject to compatibility promises ExperimentalHTTP3 bool `json:"experimental_http3,omitempty"` @@ -164,7 +164,7 @@ func (s *Server) enforcementHandler(w http.ResponseWriter, r *http.Request, next // servers that rely on TLS ClientAuth sharing a listener // with servers that do not; if not enforced, client could // bypass by sending benign SNI then restricted Host header - if s.StrictSNIHost && r.TLS != nil { + if s.StrictSNIHost != nil && *s.StrictSNIHost && r.TLS != nil { hostname, _, err := net.SplitHostPort(r.Host) if err != nil { hostname = r.Host // OK; probably lacked port |