New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Via backends: Sending invalid SNI headers #3963

Open

delthas opened this issue Jul 31, 2023 · 1 comment

Assignees

Contributor

delthas commented Jul 31, 2023 •

edited

Loading

The SNI spec states that the SNI header should contain exactly a hostname: neither IP addresses nor ports.

Currently, .authority defaults to .host_header, then .host.

Typical host headers are example.com:1234, 1.2.3.4. In those cases, Varnish would by default send an invalid authority PROXY TLV (translated to an invalid SNI header).
Another example is if there is no .host_header, but an IP literal in .host: .host = "1.2.3.4";. In this case, Varnish would send an IP address in the authority by default

I see two possible solutions here:

Not fallback to .host_header then .host, just .host -> fixes the first issue
Checking the .authority value if it was a fallback, and if it is not a plain hostname, drop it entirely
We could also mention it in the docs (as in, "you can override the authority if it's an IP address"), but I think it would be nice to have a default behavior where no invalid SNI header is sent

The text was updated successfully, but these errors were encountered:

nigoroll self-assigned this

Member

nigoroll commented Jul 31, 2023

I would think we should remove the port from Host and fail for IP addresses.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment