On Wed, Apr 03, 2024 at 07:47:44AM +0000, Froehlich, Dominik wrote:
> Subject: How to check if a domain is known to HAProxy
>
> Hello everyone,
>
> This may be kind of a peculiar request.
>
> We have the need to block requests that are not in the crt-list of our
> frontend.
>
> So, the expectation would be that HAProxy does a lookup of the domain (as it
> does for the crt-list entry) but for domain-fronted requests, i.e. we have to
> check both the SNI and the Host header.
>
> What makes it difficult is that we still want to allow domain fronting, but
> only if the Host header also matches an entry in the crt-list.
>
> At the moment, I don't see any way of doing this programmatically, and the
> crt-list lookup based on the SNI is completely within HAProxy logic.
>
> Is there any way to access the crt-list via an ACL or similar? The
> alternative would be to maintain the list twice and add it as a map or list
> to the HAProxy config and then maybe do a custom host matching via a Lua script
> etc., but I really would like to avoid that.
>
> Any hints from the community?
>
Hello,

You can't access the crt-list from an ACL. However, if you are using the `strict-sni` keyword, you can be sure that the requested SNI is in your crt-list, and then you can compare the Host header with the SNI.

There is an example in the strcmp keyword documentation:

    http-request set-var(txn.host) hdr(host)
    # Check whether the client is attempting domain fronting.
    acl ssl_sni_http_host_match ssl_fc_sni,strcmp(txn.host) eq 0

https://docs.haproxy.org/2.9/configuration.html#strcmp

Regards,

-- 
William Lallemand
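The approach from the reply above, worked into a complete frontend, as an added example that is not part of the thread and not HAProxy's own documentation. Two practitioner details are folded in: `strcmp` is case-sensitive and the Host header may carry a port, so both values are normalised with `host_only` and `lower` before the comparison (the `host_only` converter is documented in the 2.9 manual the reply links to; assume a release that has it). The last ACL is the asker's own alternative, a separately maintained list of allowed Host names, shown as an optional relaxation. File paths, backend address and ACL names are assumptions for illustration.

```haproxy
# Added example, not from the thread: reject TLS handshakes whose SNI is
# not in the crt-list, then refuse HTTP requests whose Host does not match
# that SNI. Paths and addresses below are assumptions.
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    # strict-sni: no default certificate is served, so a handshake whose
    # SNI does not resolve to a crt-list entry (or that carries no SNI at
    # all) is refused before any HTTP request is read.
    bind :443 ssl crt-list /etc/haproxy/certs.list strict-sni alpn h2,http/1.1

    # Normalise both sides before comparing. Host may arrive as
    # "www.example.com:443" and either value may differ in case;
    # strcmp compares bytes, so an unnormalised pair would mismatch.
    # For HTTP/2, req.hdr(host) yields the :authority pseudo-header.
    http-request set-var(txn.host) req.hdr(host),host_only,lower
    http-request set-var(txn.sni)  ssl_fc_sni,lower

    # Domain fronting check from the reply: Host must equal the SNI that
    # selected the certificate. Because strict-sni already guaranteed the
    # SNI is in the crt-list, a match proves the Host is in it too.
    acl host_matches_sni var(txn.host),strcmp(txn.sni) eq 0

    # Optional relaxation (the asker's map/list alternative): allow a Host
    # that differs from the SNI when it appears in a hostname list kept in
    # step with the crt-list. Assumed path, one lowercase hostname per line.
    acl host_in_list var(txn.host) -m str -f /etc/haproxy/hosts.lst

    # Deny everything that is neither the SNI host nor an explicitly
    # listed host. Remove "or host_in_list" for the strict form.
    http-request deny deny_status 403 unless host_matches_sni or host_in_list

    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080
```

Check the rules with curl against the running instance before relying on them: a request whose Host equals the SNI (`curl --resolve www.example.com:443:127.0.0.1 https://www.example.com/`) should reach the backend, while one that pins a listed SNI but rewrites the header (`curl --resolve www.example.com:443:127.0.0.1 -H 'Host: other.example.net' https://www.example.com/`) should receive the 403, and an SNI not in the crt-list should fail at the TLS handshake with no HTTP response at all. Keep in mind that with `alpn h2` browsers legitimately reuse one connection for several hostnames covered by the same certificate, so the strict form will also deny that coalescing; the list-based ACL is the way to permit it for known names.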