coolaj86
/
greenlock.js-ARCHIVED
3
3
Fork 0
Code Issues 6 Pull Requests 1 Releases Activity

better error message for domain fronting

This commit is contained in:
AJ ONeal 2018-11-04 17:17:16 -07:00
parent 781a735146
commit e71298c305
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
index.js
View File

@ -521,8 +521,13 @@ Greenlock.create = function (gl) {
if (req.socket && 'string' === typeof req.socket.servername) { if (req.socket && 'string' === typeof req.socket.servername) {
if (safehost && (safehost !== req.socket.servername.toLowerCase())) { if (safehost && (safehost !== req.socket.servername.toLowerCase())) {
res.statusCode = 400; res.statusCode = 400;
res.end("Don't be frontin', yo!" res.setHeader('Content-Type', 'text/html; charset=utf-8');
+ " TLS SNI '" + req.socket.servername.toLowerCase() + "' does not match 'Host: " + safehost + "'"); res.end(
"<h1>Domain Fronting Error</h1>"
+ "<p>This connection was secured using TLS/SSL for '" + req.socket.servername.toLowerCase() + "'</p>"
+ "<p>The HTTP request specified 'Host: " + safehost + "', which is (obviously) different.</p>"
+ "<p>Because this looks like a domain fronting attack, the connection has been terminated.</p>"
);
return; return;
} }
} else if (safehost && !gl.middleware.sanitizeHost._skip_fronting_check) { } else if (safehost && !gl.middleware.sanitizeHost._skip_fronting_check) {