sni hostname and request Host header mismatch


Frank Liu
Is there a way to configure nginx to fail the request if the client sends an SNI header that doesn't match the Host header?
curl -k -H "Host: virtual_host2" https://virtual_host1

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: sni hostname and request Host header mismatch

wld75
Via map and the default?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,281564,281565#msg-281565


Re: sni hostname and request Host header mismatch

Frank Liu
http://hg.nginx.org/nginx/rev/4fbef397c753 indicates the check is only done for the 2-way SSL virtual host.
Has everything been added (maybe through a directive) for 1-way SSL since then?

On Wed, Oct 10, 2018 at 10:33 AM itpp2012 <[hidden email]> wrote:
> Via map and the default?
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,281564,281565#msg-281565


Re: sni hostname and request Host header mismatch

Francis Daly
On Wed, Oct 10, 2018 at 05:11:40PM -0700, Frank Liu wrote:

Hi there,

> http://hg.nginx.org/nginx/rev/4fbef397c753 indicates the check is only done
> for the 2-way SSL virtual host.
> Has everything been added (maybe through a directive) for 1-way SSL since
> then?

$ssl_server_name is the name from SNI.

$http_host is the Host: header.

$host is the host from the request (which usually should be absent),
or the host from the Host: header (which usually should be present),
or the (first) server_name of the matched server.

I think that there is not an extra directive; but you can manipulate
and compare those variables as is appropriate for your situation.

Specifically: in an SNI-only server, if $host is not the same as
$ssl_server_name, something funny is going on.

        f
--
Francis Daly        [hidden email]
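
The variable comparison described in the reply above, written out as an added example (not part of the thread and not nginx project code). The server name is taken from the curl command in the first post; the certificate paths, the 421 status code and the placeholder response are assumptions. The block belongs inside the `http {}` context.

```nginx
# Added example: reject requests whose Host differs from the TLS SNI name.
server {
    listen 443 ssl;
    server_name virtual_host1;            # name from the thread's curl example

    # Placeholder certificate paths (assumption).
    ssl_certificate     /etc/nginx/tls/virtual_host1.crt;
    ssl_certificate_key /etc/nginx/tls/virtual_host1.key;

    # $ssl_server_name is the name the client sent in SNI; it is empty
    # when the client sent no SNI at all, so such requests are rejected too.
    # $host is the request host in lowercase, without the port.
    if ($ssl_server_name != $host) {
        # 421 Misdirected Request is a choice made for this example;
        # any error status, or 444 to close the connection, also works.
        return 421;
    }

    location / {
        return 200 "host and SNI agree\n";   # placeholder response
    }
}
```

With this in place, the request from the first post (`curl -k -H "Host: virtual_host2" https://virtual_host1`) gets the 421 response. Clients that reuse one TLS connection for several names covered by the same certificate will also be rejected for the second name, which is the situation the 421 status exists to signal.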