You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Since haproxy have an option called strict-sni , people can use it to avoid exposure of their certificate and hence disclosure of their IP address. This is vital specially when CDN is used.
Online crawler services or censor by iterating over limited IPv4 public address space looking at their port 443, or sending HTTPS request to that IP, can retrieve the valid SSL certificate and map the CN field to SNI used in the client side. This can potentially lead to blockage of both IP and Domain name. strict-sni can resolve this problem. It must be add as the following:
Since haproxy have an option called
strict-sni
, people can use it to avoid exposure of their certificate and hence disclosure of their IP address. This is vital specially when CDN is used.Online crawler services or censor by iterating over limited IPv4 public address space looking at their port 443, or sending HTTPS request to that IP, can retrieve the valid SSL certificate and map the CN field to SNI used in the client side. This can potentially lead to blockage of both IP and Domain name.
strict-sni
can resolve this problem. It must be add as the following:As it can prevent from utilization of Allow Insecure option, you can add an option item in the menu to be chosen when CDN is used.
Thanks for perfect script.
The text was updated successfully, but these errors were encountered: