Cutlery/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2026-06-07 06:25:24 -04:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Allow domain fronting with TLS client auth if explicitly configured

Browse Source
This commit is contained in:
Matthew Holt
2019-09-17 23:13:21 -06:00
parent 19f36667f7
commit 4c289fc6ad
2 changed files with 14 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/caddyhttp/server.go
+2 -2
View File
@@ -42,7 +42,7 @@ type Server struct {
TLSConnPolicies caddytls.ConnectionPolicies `json:"tls_connection_policies,omitempty"`
AutoHTTPS *AutoHTTPSConfig `json:"automatic_https,omitempty"`
MaxRehandles *int `json:"max_rehandles,omitempty"`
StrictSNIHost bool `json:"strict_sni_host,omitempty"`
StrictSNIHost *bool `json:"strict_sni_host,omitempty"`
// This field is not subject to compatibility promises
ExperimentalHTTP3 bool `json:"experimental_http3,omitempty"`
@@ -164,7 +164,7 @@ func (s *Server) enforcementHandler(w http.ResponseWriter, r *http.Request, next
// servers that rely on TLS ClientAuth sharing a listener
// with servers that do not; if not enforced, client could
// bypass by sending benign SNI then restricted Host header
if s.StrictSNIHost && r.TLS != nil {
if s.StrictSNIHost != nil && *s.StrictSNIHost && r.TLS != nil {
hostname, _, err := net.SplitHostPort(r.Host)
if err != nil {
hostname = r.Host // OK; probably lacked port