On 1/13/2022 6:46 PM, i...@protonmail.com wrote:
I would like to avoid httpd giving anything if a user types in the IP
address of the server.
At first I just made an empty page, which is fine for port 80, but if
the user then types https://xxx.xxx.xxx.xxx, then the certificate for a
domain shows, which doesn't fit the IP address.
Is there some way to do something like:
server "default" {
        listen on * port 80
        listen on * port 443
        block drop
}
And then only serve specific domains?
I've done something like this with haproxy using SNI routing, but for
different reasons. Unfortunately this requires running haproxy as root,
and haproxy has to be in the routing path. Having it on the same
machine is probably ok.
Note that this does not require haproxy to have the client certificates,
since the hostname is transmitted in plaintext with SNI.
Config snippets:
# TCP-mode frontend: wait (up to 5s) for a TLS ClientHello so the SNI can be read
frontend ft_ssl_vip
    bind :443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend bk_ssl_default

backend bk_ssl_default
    mode tcp
    # transparent proxying (client IP preserved); this is what needs root
    source 0.0.0.0 usesrc clientip
    # route on the plaintext server_name extension, case-insensitive
    acl app_one   req_ssl_sni -i one.example.com
    acl app_two   req_ssl_sni -i two.example.com
    acl app_three req_ssl_sni -i three.example.com
    use-server one     if app_one
    use-server two     if app_two
    use-server three   if app_three
    use-server default if !app_one !app_two !app_three
    option ssl-hello-chk
    server one     1.2.3.4:443     check
    server two     4.5.6.7:443     check
    server three   7.8.9.10:443    check
    server default 11.12.13.14:443
So, server default can answer with whatever cert you want, and one, two,
three can answer with their correct certs. Scanners won't connect to
one, two, three unless they already know the host names.
Of course, this is somewhat futile with Certificate Transparency, since
all your host names will be listed publicly anyway.
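To make concrete what haproxy's `req_ssl_hello_type` and `req_ssl_sni` fetches actually look at, here is an added Python example (not part of the thread and not haproxy's code): it builds a minimal TLS 1.2 ClientHello, pulls the server_name extension out of it without any certificate or key, and then applies the same "match SNI case-insensitively, else fall through to a default server" logic as the `acl`/`use-server` chain above. The ClientHello bytes are constructed inline, and the backend names and hostnames in `SNI_SERVERS` are hypothetical, mirroring the snippet.

```python
"""Build a TLS ClientHello and extract its SNI, the way a TCP-mode proxy does.

The server_name extension is plaintext in the first record the client sends,
so a router can pick a backend without holding that backend's certificate.
All input here is constructed; nothing is captured from a real connection.
"""
import os
import struct

TLS_HANDSHAKE = 0x16        # record content type
HELLO_TYPE_CLIENT = 1       # handshake type (what req_ssl_hello_type 1 checks)
EXT_SERVER_NAME = 0         # extension type
SNI_HOST_NAME = 0           # name_type inside the server_name extension


def build_client_hello(server_name=None):
    """Constructed TLS 1.2 ClientHello record, with an SNI extension if given.

    Only the fields a parser has to walk past are populated; the cipher suite
    list holds a single placeholder suite. Without server_name the extensions
    block is omitted entirely, as a client connecting by bare IP might do.
    """
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + os.urandom(32)                         # random
        + b"\x00"                                # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
        + b"\x01\x00"                            # one compression method (null)
    )
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(host)) + host
        sni_body = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([HELLO_TYPE_CLIENT]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None.

    None covers: not a handshake record, not a ClientHello, a truncated
    record (haproxy would keep buffering until inspect-delay expires), or a
    ClientHello that simply carries no server_name extension.
    """
    try:
        if len(record) < 5 or record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != HELLO_TYPE_CLIENT:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                                   # truncated
        p = 2 + 32                                        # version + random
        sid_len = body[p]; p += 1 + sid_len               # session_id
        cs_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2 + cs_len
        cm_len = body[p]; p += 1 + cm_len                 # compression methods
        if p >= len(body):
            return None                                   # no extensions block
        ext_total = struct.unpack("!H", body[p:p + 2])[0]; p += 2
        end = p + ext_total
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[p:p + 4]); p += 4
            data = body[p:p + ext_len]; p += ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", data[q:q + 3]); q += 3
                name = data[q:q + name_len]; q += name_len
                if name_type == SNI_HOST_NAME:
                    return name.decode("ascii")
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


# Hypothetical mapping mirroring the acl/use-server lines in the haproxy snippet.
SNI_SERVERS = {
    "one.example.com": "one",
    "two.example.com": "two",
    "three.example.com": "three",
}


def pick_server(record, sni_servers=SNI_SERVERS, default="default"):
    """Same decision as the use-server chain: -i match on SNI, else default."""
    sni = extract_sni(record)
    if sni is None:
        return default
    return sni_servers.get(sni.lower(), default)


if __name__ == "__main__":
    for name in ("one.example.com", "Two.Example.COM", "scanner.invalid", None):
        print(repr(name), "->", pick_server(build_client_hello(name)))
```

The point this makes explicit: a connection to the bare IP produces a ClientHello with no server_name, so it can only ever land on the default server, and a scanner that does not already know `one.example.com` never reaches the backend holding its certificate. To check a deployment behaves this way, compare `openssl s_client -connect IP:443` (no SNI) with `openssl s_client -connect IP:443 -servername one.example.com` and look at which certificate each returns.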