The SNI spec states that the SNI header should contain exactly a hostname: neither IP addresses nor ports.

Currently, `.authority` defaults to `.host_header`, then `.host`.

Typical host headers are `example.com:1234`, `1.2.3.4`. In those cases, Varnish would by default send an invalid authority PROXY TLV (translated to an invalid SNI header).

Another example is if there is no `.host_header`, but an IP literal in `.host`: `.host = "1.2.3.4";`. In this case, Varnish would send an IP address in the authority by default.

I see two possible solutions here:

1. Not fall back to `.host_header` then `.host`, just `.host` -> fixes the first issue
2. Check the `.authority` value if it was a fallback, and if it is not a plain hostname, drop it entirely

We could also mention it in the docs (as in, "you can override the authority if it's an IP address"), but I think it would be nice to have a default behavior where no invalid SNI header is sent.
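As an added illustration of the second option above (this is example code written for this page, not Varnish's own code or a proposed patch): a hypothetical `sni_is_plain_hostname()` check that accepts only DNS hostname syntax and rejects exactly the cases the issue mentions (a `host:port` header, an IPv4 literal, an IPv6 literal bracketed or not), plus a hypothetical `authority_default()` that models the proposed default: an explicit `.authority` is passed through untouched, while a value that was only reached by falling back from `.host_header` or `.host` is dropped entirely when it is not a plain hostname. The hostname rules applied (letters, digits and hyphens per label, no leading/trailing hyphen, no trailing dot, non-numeric top-level label) are the usual RFC 1123 ones and are an assumption here, not something the issue specifies.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical check, not Varnish code: does `s` look like a plain DNS
 * hostname, i.e. something that may legitimately go into the SNI HostName
 * field? Rejects the empty string, host:port, IPv4 literals, and IPv6
 * literals (bracketed or bare), as well as malformed labels. */
int
sni_is_plain_hostname(const char *s)
{
	unsigned char buf[sizeof(struct in6_addr)];
	const char *tld, *p;
	size_t len, label, i;
	int numeric;

	if (s == NULL || (len = strlen(s)) == 0 || len > 253)
		return (0);
	/* A colon is either a port suffix (example.com:1234) or an IPv6
	 * literal (2001:db8::1); brackets mean [::1]. All are invalid SNI. */
	if (strchr(s, ':') != NULL || strchr(s, '[') != NULL ||
	    strchr(s, ']') != NULL)
		return (0);
	/* IPv4 literal such as 1.2.3.4 */
	if (inet_pton(AF_INET, s, buf) == 1)
		return (0);
	/* Label syntax: 1-63 chars of [A-Za-z0-9-], no leading or trailing
	 * hyphen, labels separated by single dots. */
	label = 0;
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)s[i];
		if (c == '.') {
			if (label == 0 || s[i - 1] == '-')
				return (0);
			label = 0;
			continue;
		}
		if (!(isalnum(c) || c == '-'))
			return (0);
		if (label == 0 && c == '-')
			return (0);
		if (++label > 63)
			return (0);
	}
	/* Reject a trailing dot or a trailing hyphen. */
	if (label == 0 || s[len - 1] == '-')
		return (0);
	/* RFC 1123 2.1: the top-level label must not be all numeric. This
	 * also keeps numeric forms inet_pton does not parse (e.g. "1.2.3")
	 * from slipping through as a "hostname". */
	tld = strrchr(s, '.');
	tld = tld != NULL ? tld + 1 : s;
	numeric = 1;
	for (p = tld; *p != '\0'; p++)
		if (!isdigit((unsigned char)*p)) {
			numeric = 0;
			break;
		}
	return (!numeric);
}

/* Hypothetical model of the proposed default behaviour (not Varnish code):
 * an explicit .authority is honoured as-is; otherwise fall back to
 * .host_header, then .host, and return NULL (send no authority TLV and
 * hence no SNI) when the fallback is not a plain hostname. */
const char *
authority_default(const char *authority, const char *host_header,
    const char *host)
{
	const char *fb;

	if (authority != NULL)
		return (authority);
	fb = host_header != NULL ? host_header : host;
	if (fb != NULL && sni_is_plain_hostname(fb))
		return (fb);
	return (NULL);
}

int
main(void)
{
	/* Constructed sample values, including the two from the issue. */
	const char *cases[] = { "example.com", "example.com:1234", "1.2.3.4",
	    "[::1]", "2001:db8::1", "-bad.example", "example.com.", NULL };
	int i;

	for (i = 0; cases[i] != NULL; i++)
		printf("%-18s -> %s\n", cases[i],
		    sni_is_plain_hostname(cases[i]) ? "kept" : "dropped");
	return (0);
}
```

With this model, `.host_header = "example.com:1234"` or `.host = "1.2.3.4"` yields no authority at all rather than an invalid one, while `.authority = "sni.example"` set explicitly is always sent, which matches the "you can override the authority" escape hatch mentioned above.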