Re: How to check if a domain is known to HAProxy
On 4/3/24 06:02, Froehlich, Dominik wrote:
> I fear that strict-sni won’t get us far. The issue is that the SNI is just
> fine (it is in the crt-list), however we also need to check if the
> host-header is part of the crt-list. E.g.

William's answer should work. The strict-sni setting makes sure that the SNI
is in the cert list. If it's not, then TLS negotiation will fail and as a
result the request will not complete.

Then the following ACL in William's reply checks that the host header
actually matches SNI:

    http-request set-var(txn.host) hdr(host)
    # Check whether the client is attempting domain fronting.
    acl ssl_sni_http_host_match ssl_fc_sni,strcmp(txn.host) eq 0

If SNI matches the Host header, then that ACL will be true. Combined with
strict-sni ensuring that the SNI matches one of your certs, this will get you
what you want.

You can also reverse the ACL so it is false if there is no match. The docs for
2.8 do not mention "ne" as a possible operator, so this ACL checks for greater
than and less than:

    acl ssl_sni_http_host_no_match ssl_fc_sni,strcmp(txn.host) lt 0
    acl ssl_sni_http_host_no_match ssl_fc_sni,strcmp(txn.host) gt 0

Thanks,
Shawn
Re: How to check if a domain is known to HAProxy
Hello William,

Thank you for your response.

I fear that strict-sni won’t get us far. The issue is that the SNI is just
fine (it is in the crt-list), however we also need to check if the
host-header is part of the crt-list. E.g.

    curl https://my-host.domain.com -H "host: other-host.otherdomain.com"

So here we check for the SNI "my-host.domain.com" automatically via crt-list.
But in the next step we select the backend based on the host-header, but only
if it also is present in the crt-list (which we use as a list of valid domains
hosted on the platform).

So based on what you said we can’t do that, we would do something like

    http-request set-var(txn.forwarded_host) req.hdr(host),host_only,lower
    acl is_known_domain var(txn.forwarded_host),map_dom(/domains.map) -m found
    http-request deny if ! is_known_domain

where /domains.map is basically a copy of the crt-list like that:

    *.domain.com 1
    *.otherdomain.com 1

So, this works, though it is ugly because I need to do double-maintenance of
the crt-list.

Even if I used strict-sni, you could still run into the issue that SNI is on
the crt-list, but the host-header is not.

From: William Lallemand
Date: Wednesday, 3. April 2024 at 11:31
To: Froehlich, Dominik
Cc: haproxy@formilux.org
Subject: Re: How to check if a domain is known to HAProxy

On Wed, Apr 03, 2024 at 07:47:44AM +, Froehlich, Dominik wrote:
> Subject: How to check if a domain is known to HAProxy
> Hello everyone,
>
> This may be kind of a peculiar request.
>
> We have the need to block requests that are not in the crt-list of our
> frontend.
>
> So, the expectation would be that HAProxy does a lookup of the domain (as it
> does for the crt-list entry) but for domain-fronted requests, i.e. we have to
> check both the SNI and the host header.
>
> What makes it difficult is that we still want to allow domain-fronting, but
> only if the host header also matches an entry in the crt-list.
>
> At the moment, I don’t see any way of doing this programmatically, and the
> crt-list lookup based on the SNI is completely within HAProxy logic.
>
> Is there any way to access the crt-list via an ACL or similar? The
> alternative would be to maintain the list twice and add it as a map or list
> to the HAProxy config and then maybe do a custom host matching via LUA script
> etc. but I really would like to avoid that.
>
> Any hints from the community?
>

Hello,

You can't access the crt-list from the ACL, however if you are using the
`strict-sni` keyword, you will be sure that the requested SNI will be in your
crt-list. And then you can compare the host header with the SNI.

There is an example in the strcmp keyword documentation:

    http-request set-var(txn.host) hdr(host)
    # Check whether the client is attempting domain fronting.
    acl ssl_sni_http_host_match ssl_fc_sni,strcmp(txn.host) eq 0

https://docs.haproxy.org/2.9/configuration.html#strcmp

Regards,

--
William Lallemand
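The two approaches discussed in this thread (compare Host against the SNI, or look Host up in a separately maintained allowlist) can be combined in one frontend. The configuration below is an added example written for this page, not configuration posted by anyone in the thread; the paths /etc/haproxy/certs.crt-list, /etc/haproxy/domains.map and /etc/haproxy/backends.map and the backend name be_default are assumptions. It keeps strict-sni so the SNI is always a crt-list entry, normalises the Host header before comparing (a "Host: my-host.domain.com:443" or mixed-case value would otherwise never equal the SNI), accepts a Host identical to the SNI as the fast path, and otherwise requires the Host to appear in the allowlist. The allowlist is consulted with map_reg rather than map_dom so that an entry derived from a crt-list wildcard matches exactly one label, as a certificate wildcard does, and so that an anchored pattern for domain.com cannot be satisfied by a name such as domain.com.attacker.example. Two caveats a practitioner should keep in mind: HTTP/2 clients legitimately reuse a connection for any name covered by the presented certificate (RFC 7540 section 9.1.1), so with wildcard certificates a Host that differs from the SNI is routine and an equality-only rule would break those clients, which is why the allowlist fallback is there; and strict-sni refuses, at the TLS layer, any handshake that carries no SNI or an SNI matching no crt-list entry, so such clients see a handshake failure rather than an HTTP error. HAProxy's integer ACL matching offers eq, ge, gt, le and lt only, so "not equal" is written by negating the ACL rather than with an ne operator.

```haproxy
# Added example, not from the thread.  Paths and backend names are assumptions.
frontend fe_https
    mode http
    # strict-sni: a handshake whose SNI matches no crt-list entry, or that
    # carries no SNI at all, is refused during the TLS handshake.
    bind :443 ssl crt-list /etc/haproxy/certs.crt-list strict-sni alpn h2,http/1.1

    # Normalise both sides before comparing: host_only drops any ":port",
    # lower makes the comparison case-insensitive.  On HTTP/2, req.hdr(host)
    # carries the :authority pseudo-header.
    http-request set-var(txn.host) req.hdr(host),host_only,lower
    http-request set-var(txn.sni)  ssl_fc_sni,lower

    # No Host header at all: there is nothing to validate.
    acl has_host    var(txn.host) -m found
    # Host equals SNI: the ordinary, non-fronted request.
    acl host_eq_sni var(txn.host),strcmp(txn.sni) eq 0
    # Host differs from SNI but is a name this platform serves (see the map
    # layout below).
    acl host_known  var(txn.host),map_reg(/etc/haproxy/domains.map) -m found

    http-request deny deny_status 400 if !has_host
    # There is no "ne" operator; negate the equality ACL instead.
    http-request deny if !host_eq_sni !host_known

    # Reached only when Host is the SNI or is on the allowlist, so routing on
    # the Host header is safe here.
    use_backend %[var(txn.host),map(/etc/haproxy/backends.map,be_default)]

# Layout of /etc/haproxy/domains.map as read by map_reg: one anchored regex
# per crt-list SNI filter, value unused.  A crt-list "*.domain.com" becomes a
# pattern that matches exactly one label, and the anchors prevent suffix or
# prefix extension of the name.
#
#   ^[^.]+\.domain\.com$         1
#   ^[^.]+\.otherdomain\.com$    1
#   ^api\.domain\.com$           1
```

Because the map is derived mechanically from the crt-list filters, it can be regenerated from the crt-list at deploy time rather than edited by hand, which removes the double-maintenance problem raised above without giving ACLs access to the crt-list itself.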
Re: How to check if a domain is known to HAProxy
On Wed, Apr 03, 2024 at 07:47:44AM +, Froehlich, Dominik wrote:
> Subject: How to check if a domain is known to HAProxy
> Hello everyone,
>
> This may be kind of a peculiar request.
>
> We have the need to block requests that are not in the crt-list of our
> frontend.
>
> So, the expectation would be that HAProxy does a lookup of the domain (as it
> does for the crt-list entry) but for domain-fronted requests, i.e. we have to
> check both the SNI and the host header.
>
> What makes it difficult is that we still want to allow domain-fronting, but
> only if the host header also matches an entry in the crt-list.
>
> At the moment, I don’t see any way of doing this programmatically, and the
> crt-list lookup based on the SNI is completely within HAProxy logic.
>
> Is there any way to access the crt-list via an ACL or similar? The
> alternative would be to maintain the list twice and add it as a map or list
> to the HAProxy config and then maybe do a custom host matching via LUA script
> etc. but I really would like to avoid that.
>
> Any hints from the community?
>

Hello,

You can't access the crt-list from the ACL, however if you are using the
`strict-sni` keyword, you will be sure that the requested SNI will be in your
crt-list. And then you can compare the host header with the SNI.

There is an example in the strcmp keyword documentation:

    http-request set-var(txn.host) hdr(host)
    # Check whether the client is attempting domain fronting.
    acl ssl_sni_http_host_match ssl_fc_sni,strcmp(txn.host) eq 0

https://docs.haproxy.org/2.9/configuration.html#strcmp

Regards,

--
William Lallemand
How to check if a domain is known to HAProxy
Hello everyone,

This may be kind of a peculiar request.

We have the need to block requests that are not in the crt-list of our
frontend.

So, the expectation would be that HAProxy does a lookup of the domain (as it
does for the crt-list entry) but for domain-fronted requests, i.e. we have to
check both the SNI and the host header.

What makes it difficult is that we still want to allow domain-fronting, but
only if the host header also matches an entry in the crt-list.

At the moment, I don’t see any way of doing this programmatically, and the
crt-list lookup based on the SNI is completely within HAProxy logic.

Is there any way to access the crt-list via an ACL or similar? The
alternative would be to maintain the list twice and add it as a map or list
to the HAProxy config and then maybe do a custom host matching via LUA script
etc. but I really would like to avoid that.

Any hints from the community?