Fix domain fronting

Co-authored-by: Ludovic Fernandez <ldez@users.noreply.github.com>
2020-07-17 15:38:04 +02:00 · 2020-07-17 15:38:04 +02:00 · 0b7aaa3643
commit 0b7aaa3643
parent 45f52ca29c
6 changed files with 197 additions and 17 deletions
--- a/pkg/server/router/tcp/router.go
+++ b/pkg/server/router/tcp/router.go
@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"strings"

 	"github.com/containous/traefik/v2/pkg/config/runtime"
 	"github.com/containous/traefik/v2/pkg/log"
@ -99,14 +100,13 @@ func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string
 		log.FromContext(ctx).Errorf("Error during the build of the default TLS configuration: %v", err)
 	}

-	router.HTTPSHandler(handlerHTTPS, defaultTLSConf)
-
 	if len(configsHTTP) > 0 {
 		router.AddRouteHTTPTLS("*", defaultTLSConf)
 	}

 	// Keyed by domain, then by options reference.
 	tlsOptionsForHostSNI := map[string]map[string]nameAndConfig{}
+	tlsOptionsForHost := map[string]string{}
 	for routerHTTPName, routerHTTPConfig := range configsHTTP {
 		if len(routerHTTPConfig.TLS.Options) == 0 || routerHTTPConfig.TLS.Options == defaultTLSConfigName {
 			continue
@ -148,10 +148,33 @@ func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string
 					routerName: routerHTTPName,
 					TLSConfig:  tlsConf,
 				}
+
+				lowerDomain := strings.ToLower(domain)
+				if _, ok := tlsOptionsForHost[lowerDomain]; ok {
+					// Multiple tlsOptions fallback to default
+					tlsOptionsForHost[lowerDomain] = "default"
+				} else {
+					tlsOptionsForHost[lowerDomain] = routerHTTPConfig.TLS.Options
+				}
 			}
 		}
 	}

+	sniCheck := http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
+		if req.TLS != nil && !strings.EqualFold(req.Host, req.TLS.ServerName) {
+			tlsOptionSNI := findTLSOptionName(tlsOptionsForHost, req.TLS.ServerName)
+			tlsOptionHeader := findTLSOptionName(tlsOptionsForHost, req.Host)
+
+			if tlsOptionHeader != tlsOptionSNI {
+				http.Error(rw, http.StatusText(http.StatusMisdirectedRequest), http.StatusMisdirectedRequest)
+				return
+			}
+		}
+		handlerHTTPS.ServeHTTP(rw, req)
+	})
+
+	router.HTTPSHandler(sniCheck, defaultTLSConf)
+
 	logger := log.FromContext(ctx)
 	for hostSNI, tlsConfigs := range tlsOptionsForHostSNI {
 		if len(tlsConfigs) == 1 {
@ -248,3 +271,17 @@ func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string

 	return router, nil
 }
+
+func findTLSOptionName(tlsOptionsForHost map[string]string, host string) string {
+	tlsOptions, ok := tlsOptionsForHost[host]
+	if ok {
+		return tlsOptions
+	}
+
+	tlsOptions, ok = tlsOptionsForHost[strings.ToLower(host)]
+	if ok {
+		return tlsOptions
+	}
+
+	return "default"
+}