From 2cfba7a2e714319c13679d18b07fba7946b0912e Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Wed, 22 Aug 2018 15:49:32 -0600
Subject: [PATCH] v2.4.1 disallow domain fronting
---
 index.js | 17 +++++++++++++++++
 package.json | 2 +-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/index.js b/index.js
index 07ee026..7efd19e 100644
--- a/index.js
+++ b/index.js
@@ -517,10 +517,27 @@ Greenlock.create = function (gl) {
 req.headers.host = host.join(':');
 }
+ if (gl.__sni_allow_fronting) {
+ if (req.socket && 'string' === typeof req.socket.servername) {
+ if (safehost && (safehost !== req.socket.servername.toLowerCase())) {
+ res.statusCode = 400;
+ res.end("Don't be frontin', yo!"
+ + " TLS SNI '" + req.socket.servername.toLowerCase() + "' does not match 'Host: " + safehost + "'");
+ return;
+ }
+ } else if (safehost && !gl.middleware.sanitizeHost._skip_fronting_check) {
+ // TODO how to handle wrapped sockets, as with telebit?
+ console.warn("\n\n\n[greenlock] WARN: no string for req.socket.servername,"
+ + " skipping fronting check for '" + safehost + "'\n\n\n");
+ gl.middleware.sanitizeHost._skip_fronting_check = true;
+ }
+ }
+
 // carry on
 realNext();
 };
 };
+ gl.middleware.sanitizeHost._skip_fronting_check = false;
 return gl;
 };
diff --git a/package.json b/package.json
index 1ba9d7d..e0c3df1 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "greenlock",
- "version": "2.4.0",
+ "version": "2.4.1",
 "description": "Let's Encrypt for node.js on npm",
 "main": "index.js",
 "files": [
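Review bot: The new SNI/Host comparison in index.js only runs inside `if (gl.__sni_allow_fronting) {`, so with that flag unset (nothing in the hunk or the commit description sets it) the whole check is skipped and the fronting the commit says it disallows is still accepted; unless the flag is assigned elsewhere in the file, the condition reads as inverted and should be `if (!gl.__sni_allow_fronting) {`, with the flag documented as an explicit opt-out. The 400 response also reflects the client-controlled `req.socket.servername` back to the client; logging the SNI/Host pair server-side and ending with a fixed body such as `res.end("TLS SNI does not match Host header");` avoids echoing untrusted input. The `_skip_fronting_check` latch stored on `gl.middleware.sanitizeHost` suppresses only the repeat warning, not the check itself, so a comment like `// latch: warn once per process when the socket exposes no servername (plain HTTP, wrapped sockets)` would make that intent explicit. The enclosing middleware function begins before this hunk.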