v2.4.1 disallow domain fronting

2025-03-05 00:00:51 +00:00 · 2018-08-22 15:49:32 -06:00 · 2018-08-22 15:49:32 -06:00 · 2cfba7a2e7
commit 2cfba7a2e7
parent ea02a93fba
2 changed files with 18 additions and 1 deletions
--- a/index.js
+++ b/index.js
@ -517,10 +517,27 @@ Greenlock.create = function (gl) {
        req.headers.host = host.join(':');
      }

+      if (gl.__sni_allow_fronting) {
+        if (req.socket && 'string' === typeof req.socket.servername) {
+          if (safehost && (safehost !== req.socket.servername.toLowerCase())) {
+            res.statusCode = 400;
+            res.end("Don't be frontin', yo!"
+              + " TLS SNI '" + req.socket.servername.toLowerCase() + "' does not match 'Host: " + safehost + "'");
+            return;
+          }
+        } else if (safehost && !gl.middleware.sanitizeHost._skip_fronting_check) {
+          // TODO how to handle wrapped sockets, as with telebit?
+          console.warn("\n\n\n[greenlock] WARN: no string for req.socket.servername,"
+            + " skipping fronting check for '" + safehost + "'\n\n\n");
+          gl.middleware.sanitizeHost._skip_fronting_check = true;
+        }
+      }
+
      // carry on
      realNext();
    };
  };
+  gl.middleware.sanitizeHost._skip_fronting_check = false;

  return gl;
 };
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "greenlock",
-  "version": "2.4.0",
+  "version": "2.4.1",
  "description": "Let's Encrypt for node.js on npm",
  "main": "index.js",
  "files": [