Use CNAME for SNI check on host header
Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>
This commit is contained in:
Ludovic Fernandez
GitHub
parent
e97aa6515b
commit
d9fbb5e25c
8 changed files with 192 additions and 93 deletions
107
pkg/middlewares/snicheck/snicheck.go
Normal file
107
pkg/middlewares/snicheck/snicheck.go
Normal file
|
|
@ -0,0 +1,107 @@
|
|||
package snicheck
|
||||
|
||||
import (
|
||||
"net"
|
||||
"net/http"
|
||||
"strings"
|
||||
|
||||
"github.com/traefik/traefik/v2/pkg/log"
|
||||
"github.com/traefik/traefik/v2/pkg/middlewares/requestdecorator"
|
||||
traefiktls "github.com/traefik/traefik/v2/pkg/tls"
|
||||
)
|
||||
|
||||
// SNICheck is an HTTP handler that checks whether the TLS configuration for the server name is the same as for the host header.
|
||||
type SNICheck struct {
|
||||
next http.Handler
|
||||
tlsOptionsForHost map[string]string
|
||||
}
|
||||
|
||||
// New creates a new SNICheck.
|
||||
func New(tlsOptionsForHost map[string]string, next http.Handler) *SNICheck {
|
||||
return &SNICheck{next: next, tlsOptionsForHost: tlsOptionsForHost}
|
||||
}
|
||||
|
||||
func (s SNICheck) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
|
||||
if req.TLS == nil {
|
||||
s.next.ServeHTTP(rw, req)
|
||||
return
|
||||
}
|
||||
|
||||
host := getHost(req)
|
||||
serverName := strings.TrimSpace(req.TLS.ServerName)
|
||||
|
||||
// Domain Fronting
|
||||
if !strings.EqualFold(host, serverName) {
|
||||
tlsOptionHeader := findTLSOptionName(s.tlsOptionsForHost, host, true)
|
||||
tlsOptionSNI := findTLSOptionName(s.tlsOptionsForHost, serverName, false)
|
||||
|
||||
if tlsOptionHeader != tlsOptionSNI {
|
||||
log.WithoutContext().
|
||||
WithField("host", host).
|
||||
WithField("req.Host", req.Host).
|
||||
WithField("req.TLS.ServerName", req.TLS.ServerName).
|
||||
Debugf("TLS options difference: SNI:%s, Header:%s", tlsOptionSNI, tlsOptionHeader)
|
||||
http.Error(rw, http.StatusText(http.StatusMisdirectedRequest), http.StatusMisdirectedRequest)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
s.next.ServeHTTP(rw, req)
|
||||
}
|
||||
|
||||
func getHost(req *http.Request) string {
|
||||
h := requestdecorator.GetCNAMEFlatten(req.Context())
|
||||
if h != "" {
|
||||
return h
|
||||
}
|
||||
|
||||
h = requestdecorator.GetCanonizedHost(req.Context())
|
||||
if h != "" {
|
||||
return h
|
||||
}
|
||||
|
||||
host, _, err := net.SplitHostPort(req.Host)
|
||||
if err != nil {
|
||||
host = req.Host
|
||||
}
|
||||
|
||||
return strings.TrimSpace(host)
|
||||
}
|
||||
|
||||
func findTLSOptionName(tlsOptionsForHost map[string]string, host string, fqdn bool) string {
|
||||
name := findTLSOptName(tlsOptionsForHost, host, fqdn)
|
||||
if name != "" {
|
||||
return name
|
||||
}
|
||||
|
||||
name = findTLSOptName(tlsOptionsForHost, strings.ToLower(host), fqdn)
|
||||
if name != "" {
|
||||
return name
|
||||
}
|
||||
|
||||
return traefiktls.DefaultTLSConfigName
|
||||
}
|
||||
|
||||
func findTLSOptName(tlsOptionsForHost map[string]string, host string, fqdn bool) string {
|
||||
if tlsOptions, ok := tlsOptionsForHost[host]; ok {
|
||||
return tlsOptions
|
||||
}
|
||||
|
||||
if !fqdn {
|
||||
return ""
|
||||
}
|
||||
|
||||
if last := len(host) - 1; last >= 0 && host[last] == '.' {
|
||||
if tlsOptions, ok := tlsOptionsForHost[host[:last]]; ok {
|
||||
return tlsOptions
|
||||
}
|
||||
|
||||
return ""
|
||||
}
|
||||
|
||||
if tlsOptions, ok := tlsOptionsForHost[host+"."]; ok {
|
||||
return tlsOptions
|
||||
}
|
||||
|
||||
return ""
|
||||
}
|
||||
60
pkg/middlewares/snicheck/snicheck_test.go
Normal file
60
pkg/middlewares/snicheck/snicheck_test.go
Normal file
|
|
@ -0,0 +1,60 @@
|
|||
package snicheck
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
func TestSNICheck_ServeHTTP(t *testing.T) {
|
||||
testCases := []struct {
|
||||
desc string
|
||||
tlsOptionsForHost map[string]string
|
||||
host string
|
||||
expected int
|
||||
}{
|
||||
{
|
||||
desc: "no TLS options",
|
||||
expected: http.StatusOK,
|
||||
},
|
||||
{
|
||||
desc: "with TLS options",
|
||||
tlsOptionsForHost: map[string]string{
|
||||
"example.com": "foo",
|
||||
},
|
||||
expected: http.StatusOK,
|
||||
},
|
||||
{
|
||||
desc: "server name and host doesn't have the same TLS configuration",
|
||||
tlsOptionsForHost: map[string]string{
|
||||
"example.com": "foo",
|
||||
},
|
||||
host: "example.com",
|
||||
expected: http.StatusMisdirectedRequest,
|
||||
},
|
||||
}
|
||||
|
||||
for _, test := range testCases {
|
||||
test := test
|
||||
t.Run(test.desc, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
next := http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {})
|
||||
|
||||
sniCheck := New(test.tlsOptionsForHost, next)
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "https://localhost", nil)
|
||||
if test.host != "" {
|
||||
req.Host = test.host
|
||||
}
|
||||
|
||||
recorder := httptest.NewRecorder()
|
||||
|
||||
sniCheck.ServeHTTP(recorder, req)
|
||||
|
||||
assert.Equal(t, test.expected, recorder.Code)
|
||||
})
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue