
Via backends: Sending invalid SNI headers

Open delthas opened this issue 1 year ago • 1 comment

The SNI spec states that the SNI header should contain exactly a hostname: neither IP addresses nor ports.

Currently, .authority defaults to .host_header, then .host.

  • Typical host headers are example.com:1234, 1.2.3.4. In those cases, Varnish would by default send an invalid authority PROXY TLV (translated to an invalid SNI header).
  • Another example is if there is no .host_header, but an IP literal in .host: .host = "1.2.3.4";. In this case, Varnish would send an IP address in the authority by default

I see two possible solutions here:

  • Not falling back to .host_header then .host, just using .host -> fixes the first issue
  • Checking the .authority value if it was a fallback, and if it is not a plain hostname, dropping it entirely
  • We could also mention it in the docs (as in, "you can override the authority if it's an IP address"), but I think it would be nice to have a default behavior where no invalid SNI header is sent

delthas avatar Jul 31 '23 13:07 delthas

I would think we should remove the port from Host and fail for IP addresses.

nigoroll avatar Jul 31 '23 13:07 nigoroll
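The validation both comments describe (strip a trailing port, refuse IP literals, and send no SNI at all rather than an invalid one) looks like the following in C. This is an added illustration, not code from the varnish-cache repository: the function name `sni_authority`, its signature, and the choice to keep the current `.host_header`-then-`.host` precedence while rejecting anything that is not a plain hostname are assumptions made for the example. The inputs in `main` are constructed from the cases listed in the issue.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if s is a dotted-quad IPv4 literal such as "1.2.3.4". */
static int is_ipv4_literal(const char *s)
{
    int octets = 0;
    for (;;) {
        int digits = 0;
        long v = 0;
        while (isdigit((unsigned char)*s)) {
            v = v * 10 + (*s++ - '0');
            if (++digits > 3)
                return 0;
        }
        if (digits == 0 || v > 255)
            return 0;
        octets++;
        if (*s == '\0')
            break;
        if (*s != '.')
            return 0;
        s++;
    }
    return octets == 4;
}

/* Return 1 if s is a syntactically valid LDH hostname (RFC 1123 labels). */
static int is_hostname(const char *s)
{
    size_t label = 0;
    for (const char *p = s;; p++) {
        if (*p == '.' || *p == '\0') {
            if (label == 0 || label > 63 || p[-1] == '-')
                return 0;
            if (*p == '\0')
                break;
            label = 0;
        } else if (isalnum((unsigned char)*p) || *p == '-') {
            if (label == 0 && *p == '-')
                return 0;   /* label may not start with a hyphen */
            label++;
        } else {
            return 0;
        }
    }
    return 1;
}

/*
 * Hypothetical helper: derive an SNI-safe authority from host_header
 * (may be NULL) falling back to host. Writes the bare hostname into out.
 * Returns 1 on success; 0 means "send no authority/SNI at all", which
 * covers host:port with no hostname, IPv4 literals, and IPv6 literals.
 */
int sni_authority(const char *host_header, const char *host,
                  char *out, size_t outlen)
{
    const char *src = host_header != NULL ? host_header : host;
    if (src == NULL)
        return 0;
    size_t len = strlen(src);
    if (len > 0 && src[0] == '[')
        return 0;   /* bracketed IPv6 literal, with or without port */
    const char *colon = strchr(src, ':');
    if (colon != NULL) {
        /* Accept only a trailing ":<digits>" (Host header form); a bare
         * IPv6 literal such as "fe80::1" fails here because the text
         * after the first colon is not all digits. */
        const char *p = colon + 1;
        if (*p == '\0')
            return 0;
        for (; *p; p++)
            if (!isdigit((unsigned char)*p))
                return 0;
        len = (size_t)(colon - src);
    }
    if (len == 0 || len > 253 || len >= outlen)
        return 0;
    memcpy(out, src, len);
    out[len] = '\0';
    if (is_ipv4_literal(out) || !is_hostname(out))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed inputs taken from the cases in the issue. */
    const char *cases[][2] = {
        {"example.com:1234", NULL}, {"1.2.3.4", NULL},
        {NULL, "1.2.3.4"}, {NULL, "backend.example.net"}, {"[::1]:8080", NULL},
    };
    char buf[256];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int ok = sni_authority(cases[i][0], cases[i][1], buf, sizeof buf);
        printf("host_header=%s host=%s -> %s\n",
               cases[i][0] ? cases[i][0] : "(none)",
               cases[i][1] ? cases[i][1] : "(none)",
               ok ? buf : "no SNI");
    }
    return 0;
}
```

Returning 0 rather than a best-effort string is deliberate: a TLS server that receives an IP literal or a host:port in the SNI extension may reject the handshake or route it to a default certificate, so omitting the extension is the safer default when the configured value cannot be turned into a plain hostname.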