Avoid certificate exposure when CDN is used #150

Open
free-the-internet opened this issue Feb 14, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@free-the-internet

Since HAProxy has an option called strict-sni, people can use it to avoid exposure of their certificate and hence disclosure of their IP address. This is vital, especially when a CDN is used.
Online crawler services or censors, by iterating over the limited IPv4 public address space and looking at port 443, or sending an HTTPS request to that IP, can retrieve the valid SSL certificate and map the CN field to the SNI used on the client side. This can potentially lead to blocking of both the IP and the domain name.
strict-sni can resolve this problem. It must be added as follows:

frontend tls
  bind :::8443 v4v6 strict-sni ssl crt /usr/local/etc/haproxy/server.pem alpn h2,http/1.1

As it can prevent the use of the Allow Insecure option, you can add an option item to the menu to be chosen when a CDN is used.

Thanks for the perfect script.

@aleskxyz aleskxyz added the enhancement New feature or request label Mar 3, 2024
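The behaviour the issue describes, as an added example that is not part of the issue or of the project's code: a local TLS listener is started with and without an emulation of `strict-sni`, then probed the way an address-space crawler would probe a bare IP, with no SNI, a wrong SNI and the right SNI, and the names each probe manages to read off the certificate are reported. The `openssl` CLI (used only to mint a throwaway self-signed certificate), the name `example.internal`, and the use of Python's `SSLContext.sni_callback` returning an `unrecognized_name` alert to stand in for HAProxy's refusal are assumptions of this example.

```python
"""Emulate HAProxy's strict-sni and probe it the way an IP-space crawler does.

Added example for this issue, not code from the issue or the project.
Assumed: the `openssl` CLI is installed (only used to mint a throwaway cert),
the served name is `example.internal`, and HAProxy's refusal is modelled by
SSLContext.sni_callback returning an unrecognized_name alert.
"""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

HOSTNAME = "example.internal"  # assumed: the only name the listener should serve


def make_self_signed_cert(directory):
    """Mint a throwaway RSA key and self-signed cert with CN and SAN = HOSTNAME."""
    key = os.path.join(directory, "key.pem")
    crt = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={HOSTNAME}", "-addext", f"subjectAltName=DNS:{HOSTNAME}",
         "-keyout", key, "-out", crt],
        check=True, capture_output=True)
    return crt, key


def strict_sni_callback(sock, sni_name, ctx):
    """Model of `bind ... strict-sni`: abort the handshake unless the client sent
    an SNI we hold a certificate for. sni_name is None when the ClientHello had
    no SNI at all, which is what a crawler hitting a bare IP sends."""
    if sni_name != HOSTNAME:
        return ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME  # fatal TLS alert 112
    return None


def run_server(listener, ctx, count):
    """Accept `count` connections and attempt a TLS handshake on each."""
    for _ in range(count):
        conn, _ = listener.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)  # idle until the prober hangs up
        except OSError:
            pass  # handshake refused by the callback, or client closed early
        finally:
            conn.close()


def probe(port, sni, trust_anchor):
    """Crawler step: handshake with the bare IP (optionally with a chosen SNI)
    and return the sorted DNS names on whatever certificate comes back, or None
    if the handshake was refused. The self-signed cert is pinned as trust anchor
    only so Python decodes it; a real crawler would parse the DER itself."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # a crawler does not care whether the name matches
    ctx.load_verify_locations(cafile=trust_anchor)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert()
    except OSError:  # ssl.SSLError (fatal alert received) is a subclass of OSError
        return None
    names = {v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    return sorted(names)


def run_experiment(strict):
    """Start a local listener with strict-sni off or on, probe it three ways and
    return {label: names or None}; None (skipped) if openssl is unusable."""
    if shutil.which("openssl") is None:
        return None
    probes = {"no SNI": None, "wrong SNI": "scanner.invalid", "right SNI": HOSTNAME}
    with tempfile.TemporaryDirectory() as tmp:
        try:
            crt, key = make_self_signed_cert(tmp)
        except subprocess.CalledProcessError:
            return None
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(crt, key)
        if strict:
            server_ctx.sni_callback = strict_sni_callback
        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.bind(("127.0.0.1", 0))  # ephemeral port
        listener.listen(len(probes))
        port = listener.getsockname()[1]
        worker = threading.Thread(target=run_server, daemon=True,
                                  args=(listener, server_ctx, len(probes)))
        worker.start()
        results = {label: probe(port, sni, crt) for label, sni in probes.items()}
        worker.join(timeout=10)
        listener.close()
    return results


if __name__ == "__main__":
    for strict in (False, True):
        print("strict-sni", "on:" if strict else "off:", run_experiment(strict))
```

With the callback off, all three probes complete the handshake and read `example.internal` from the certificate's CN and SAN, which is exactly the IP-to-domain mapping the issue warns about; with it on, the no-SNI and wrong-SNI probes are refused and only a client that already knows the right name gets a certificate. The equivalent check against a real HAProxy listener is `openssl s_client -connect <ip>:443 -noservername` versus the same command with `-servername <name>`; the caveat is that anything which legitimately connects without SNI (old clients, some health checkers) will be refused in the same way.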