Enforce that the SNI name matches the host name #170

kate-osborn · 2022-08-04T15:27:24Z

Problem: Nginx does not enforce that the SNI name matches the host name for SSL
requests, which can lead to unexpected behavior and breaks the
recommendation of the gateway API spec.

Fix: in every SSL server block, we now check that the variables $ssl_server_name
and $host are equal. If they are not, we return a 421 misdirected request.

Problem: Nginx does not enforce that the SNI name matches the host name for SSL requests, which can lead to unexpected behavior and breaks the recommendation of the gateway API spec. Fix: in every SSL server block, we now check that the variables $ssl_server_name and $host are equal. If they are not, we return a 421 misdirected request.

pleshakov

👍

kate-osborn requested a review from pleshakov August 4, 2022 15:27

kate-osborn force-pushed the fix/sni-enforcement branch from ff7cecf to 1d20000 Compare August 4, 2022 15:28

pleshakov approved these changes Aug 4, 2022

View reviewed changes

kate-osborn merged commit 13acaf7 into main Aug 4, 2022

kate-osborn deleted the fix/sni-enforcement branch August 4, 2022 15:52

lucacome added the enhancement New feature or request label Aug 8, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Enforce that the SNI name matches the host name #170

Enforce that the SNI name matches the host name #170

kate-osborn commented Aug 4, 2022

pleshakov left a comment

Enforce that the SNI name matches the host name #170

Enforce that the SNI name matches the host name #170

Conversation

kate-osborn commented Aug 4, 2022

pleshakov left a comment

Choose a reason for hiding this comment