-
Notifications
You must be signed in to change notification settings - Fork 182
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ignore IP addresses when issuing certs #26
Comments
I just wrote a check for that, only to find out that it already fails pretty early on, on: ssl_certificate(): auto-ssl: could not determine domain for request (SNI not supported?) - using fallback - When a browser does a request to an IP-address, it does not send an SNI-header, so "domain" won't even be set. |
I'm not sure why mine was sending a request to lets encrypt that was then sending an error about registering an SSL cert with an IP :S |
@discobean: Do you have the specific error message that happens when you've seen this? |
@GUI I sometimes get the same error. My guess this is because the clients (which probably are scanner bots) are sending Host header that equals to target IP address, eg:
where |
I'm all for blocking this in the code, but, eh: Your allow_domain() should only allow FQDN's that you will want a certificate to be generated for (whitelist approach) as opposed to "not for these" (blacklist approach). You should never simply just "return true" in allow_domain(). It puts strain on your system and accumulate failures towards LE. We're going a step further, though. We export a list of all our webhosting customers to a Lua table file on disk, read that and store it in a SHM key/value store inside nginx so we can easily check which hosts we should be generating certs for or not. We have multiple wildcard certs for our management hostnames, so we exit early with a replaced SSL chain with the corresponding SSL cert in it. We early exit on IP-addresses, and localhost. And then lastly we check the DNS and whether or not the name is actually in our list of domains that are configured on our systems. Most of these checks are only wins in time, but they're not really necessary. Point being: Use a whitelist instead of a blacklist. It's common code practice, too. Better safe than sorry. |
And sometimes it's better not to over-engineer and skip various checks which could be yet another point of failure :) Especially if you have a highly dynamic environment. I'm not saying this should be blocked in lua-resty-auto-ssl, just sharing what I've found out while testing if anyone else stumbles upon this issue. Quick hack in
|
Whitelisting is not over-engineering, it's doing it right. There are so many security incidents in the world because developers are using blacklisting instead of whitelisting, it's not even remotely funny. Your check also skips IPv6-addresses, and is actually over-engineered:
|
You don't know our situation, but you quick to judge. Point taken. You could probably create a PR and change the |
Considering LetsEncrypt doesn't issue certs on IPs, it would be great to detect and ignore IP addresses before sending a request to LetsEncrypt, rather than having to add that logic into the allow_domain configuration/function.
The text was updated successfully, but these errors were encountered: