Domain fronting

Posted by Mildis
Domain fronting
May 06, 2018 06:10PM
Hi list,

I've come across several articles about new rules on domain fronting from AWS and Google.

Currently, I'm aware of 3 ways to get the destination host:

%[ssl_fc_sni,lower] # Layer 5
%[req.ssl_sni,lower] # Layer 6
%[req.hdr(host),lower] # Layer 7

Is there a simple way to limit TLS domain fronting by forcing SNI and Host header to be the same?
Maybe add an optional parameter like "strict_sni_host"?

Regards,
Mildis
Holger Just
Re: Domain fronting
May 07, 2018 11:00PM
Hi Mildis (and this time the list too),

Mildis wrote:
> Is there a simple way to limit TLS domain fronting by forcing SNI and Host header to be the same?
> Maybe add an optional parameter like "strict_sni_host"?

You can do a little trick here to enforce this without having to rely on
additional code in HAProxy.

What you can do is to build a new temporary HTTP header which contains
the concatenated values of the HTTP host header and the SNI server name
value. Using a regular expression, you can then check that the two
values are the same.

This approach is a bit special since regular expressions (or generally
any compared value) need to be static in HAProxy and can't contain
dynamically generated values.

I often use the following configuration snippet in my frontends (probably
remove newlines added in this mail):

# Enforce that the TLS SNI field (if provided) matches the HTTP hostname
# This is a bit "hacky" as HAProxy neither allows to compare two
# headers directly nor allows dynamic patterns in general. Thus, we
# concatenate the HTTP Header and the SNI field in an internal header
# and check if the same value is repeated in that header.
http-request set-header X-CHECKSNI %[req.hdr(host)]==%[ssl_fc_sni] if { ssl_fc_has_sni }

# This needs to be a named capture because of "reasons". Backreferences
# to normal captures are rejected by (my version of) HAProxy
# (the group name "host" below is assumed; the original name was lost in
# the mail/HTML formatting of this post)
http-request deny if { ssl_fc_has_sni } ! { hdr(X-CHECKSNI) -m reg -i ^(?<host>.+)==\1$ }

# Cleanup after us
http-request del-header X-CHECKSNI

Cheers, Holger
Tim Düsterhus
Re: Domain fronting
May 07, 2018 11:10PM
Holger,
Mildis,

On 07.05.2018 at 22:54, Holger Just wrote:
> This approach is a bit special since regular expressions (or generally
> any compared value) need to be static in HAProxy and can't contain
> dynamically generated values.
>

FWIW on April 27th, 2018 I shipped a patch adding a strcmp converter to
haproxy master (i.e. 1.9):
https://www.mail-archive.com/[email protected]/msg29786.html

@Holger I acknowledged your solution to my question in my initial mail
to that subthread, it's still working fine. Thank you.

@Mildis Make sure to read the sibling mails in the thread also.
Depending on your exact set-up of certificates you might or might not
break legitimate requests when preventing domain fronting.

Best regards
Tim Düsterhus
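The following frontend is an added example, not configuration posted by Holger, Tim or Mildis. It puts the two approaches from this thread together: the SNI-must-equal-Host check that Holger builds with a concatenated header and a regex, rewritten with the strcmp converter Tim mentions (so it needs HAProxy 1.9 or later). It also normalises the Host header before comparing, because a client may legitimately send "Host: example.com:443" or mixed case while SNI carries a bare lowercase DNS name, which is one way an overly strict check breaks legitimate requests. The certificate path and the backend name "app" are placeholders.

```haproxy
frontend https_in
    bind :443 ssl crt /etc/haproxy/certs/    # certificate path is a placeholder
    mode http

    # Normalise the Host header before comparing: keep only the part before
    # an explicit ":port" (field 1 of a colon-separated string) and lowercase it.
    # Caveat: this truncates bracketed IPv6 literals such as [::1]:443, which
    # are not expected on a name-based TLS front end anyway.
    http-request set-var(txn.host) req.hdr(host),field(1,:),lower

    # SNI is a DNS name and carries no port, so lowercasing is enough.
    http-request set-var(txn.sni) ssl_fc_sni,lower

    # strcmp(<var>) (HAProxy 1.9+) compares the input sample with the content
    # of a variable and returns 0 only when both strings are identical.
    acl has_sni      ssl_fc_has_sni
    acl sni_matches  var(txn.sni),strcmp(txn.host) eq 0

    # Enforce only when the client actually sent SNI. A request that carries
    # SNI but no Host header leaves txn.host empty and is denied as well,
    # which is acceptable since HTTP/1.1 requires Host.
    http-request deny if has_sni !sni_matches

    default_backend app
```

To measure before enforcing, replace the deny line with a capture of txn.host and txn.sni in the log format and review the mismatches first; a wildcard or multi-SAN certificate served under several names will show exactly which name pairs Tim's caveat applies to.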