On 4/3/24 06:02, Froehlich, Dominik wrote:
> I fear that strict-sni won’t get us far. The issue is that the SNI is just fine (it is in the crt-list), however we also need to check if the host-header is part of the crt-list. E.g.

William's answer should work.

The strict-sni setting makes sure that the SNI is in the cert list. If it's not, then TLS negotiation will fail and as a result the request will not complete.

Then the following ACL in William's reply checks that the Host header actually matches the SNI:

   http-request set-var(txn.host) hdr(host)
   # Check whether the client is attempting domain fronting.
   acl ssl_sni_http_host_match ssl_fc_sni,strcmp(txn.host) eq 0

If SNI matches the Host header, then that ACL will be true. Combined with strict-sni ensuring that the SNI matches one of your certs, this will get you what you want.

You can also reverse the ACL so it is false if there is no match. The docs for 2.8 do not mention "ne" as a possible operator, so this ACL checks for greater than and less than:

   acl ssl_sni_http_host_no_match ssl_fc_sni,strcmp(txn.host) lt 0
   acl ssl_sni_http_host_no_match ssl_fc_sni,strcmp(txn.host) gt 0

Thanks,
Shawn
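
A complete frontend that puts the two pieces together, as an added example that is not from the thread above and not from HAProxy's own documentation. It assumes a crt-list at /etc/haproxy/crt-list.txt whose entries carry explicit SNI filters and a backend named be_app (both hypothetical names). It also normalizes the Host header before the comparison, because a Host header may carry a ":port" suffix and arbitrary case while the SNI never does; that normalization is an addition here, not something the thread discusses.

```haproxy
# Added example (not from the thread). Assumed names: /etc/haproxy/crt-list.txt, be_app.
#
# The crt-list is assumed to look like this: one certificate per line,
# followed by the SNI names that certificate is allowed to serve.
#   /etc/haproxy/certs/example.com.pem  example.com www.example.com
#   /etc/haproxy/certs/example.net.pem  example.net

frontend fe_https
    mode http
    # strict-sni: a ClientHello whose SNI matches no crt-list filter (or that
    # carries no SNI at all) fails the handshake instead of silently getting
    # the first certificate in the list.
    bind :443 ssl crt-list /etc/haproxy/crt-list.txt strict-sni

    # Normalize the Host header before comparing it with the SNI: drop any
    # ":port" suffix (field 1 before the first colon) and lower-case it, since
    # host names are case-insensitive. For HTTP/2 the :authority pseudo-header
    # is exposed here as Host. An IPv6 literal Host would be mangled by the
    # colon split, but an IP literal can never match a DNS-name SNI anyway.
    http-request set-var(txn.host) req.hdr(host),field(1,:),lower

    # True only when the SNI and the normalized Host are identical;
    # strcmp returns 0 on an exact match, like strcmp(3).
    acl sni_host_match ssl_fc_sni,lower,strcmp(txn.host) eq 0

    # A request without any Host header cannot be checked at all; reject it.
    acl has_host req.hdr(host) -m found

    # Whatever passed the handshake for one name but asks for another
    # (domain fronting, or an HTTP/2 connection reused for a host the
    # negotiated certificate does not cover) is refused before routing.
    http-request deny if !has_host || !sni_host_match

    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080
```

With this in place, `openssl s_client -servername example.com` followed by a request carrying `Host: example.net` gets a 403 from HAProxy, while the same request with `Host: EXAMPLE.COM:443` is accepted because the port and case are normalized away before the comparison.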

