root
/
greenlock.js
mirror of https://github.com/therootcompany/greenlock.js.git
2
0
Fork 0
Code Issues 27 Releases Wiki Activity

better error message for domain fronting

This commit is contained in:
AJ ONeal 2018-11-04 17:17:16 -07:00
parent 781a735146
commit e71298c305
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
index.js
View File

@ -521,8 +521,13 @@ Greenlock.create = function (gl) {
if (req.socket && 'string' === typeof req.socket.servername) {
if (safehost && (safehost !== req.socket.servername.toLowerCase())) {
res.statusCode = 400;
res.end("Don't be frontin', yo!"
+ " TLS SNI '" + req.socket.servername.toLowerCase() + "' does not match 'Host: " + safehost + "'");
res.setHeader('Content-Type', 'text/html; charset=utf-8');
res.end(
"<h1>Domain Fronting Error</h1>"
+ "<p>This connection was secured using TLS/SSL for '" + req.socket.servername.toLowerCase() + "'</p>"
+ "<p>The HTTP request specified 'Host: " + safehost + "', which is (obviously) different.</p>"
+ "<p>Because this looks like a domain fronting attack, the connection has been terminated.</p>"
);
return;
}
} else if (safehost && !gl.middleware.sanitizeHost._skip_fronting_check) {