httpcaddyfile: Support explicitly turning off strict_sni_host #4592

Merged
merged 2 commits into from Mar 2, 2022

francislavoie (Member) commented Feb 21, 2022

In the Caddyfile, we were only allowing turning on strict_sni_host explicitly, but provided no way to explicitly turn it off, which may be necessary for situations where it gets turned on implicitly like when TLS client_auth is turned on.

This adds support for a first arg to be on (for symmetry, least surprise) or insecure_off (what's actually new in terms of behaviour). If the arg is omitted, then it's the same behaviour as before, i.e. turning it on.

{
	servers {
		protocol {
			strict_sni_host [on|insecure_off]
		}
	}
}

@francislavoie francislavoie added the feature ⚙️ New feature or request label Feb 21, 2022
@francislavoie francislavoie added this to the v2.5.0 milestone Feb 21, 2022
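
A sketch of the semantics described in the pull request above, as an added example that is not Caddy's code: the directive's argument becomes an explicit setting, an absent directive follows client_auth, and a TLS request whose Host header differs from its SNI is refused. The function names, the hostnames and the 421 status are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// parseStrictSNIHost: no argument or "on" enables; "insecure_off" is the explicit opt-out.
func parseStrictSNIHost(args []string) (*bool, error) {
	on, off := true, false
	switch {
	case len(args) == 0, len(args) == 1 && args[0] == "on":
		return &on, nil
	case len(args) == 1 && args[0] == "insecure_off":
		return &off, nil
	}
	return nil, fmt.Errorf("strict_sni_host: want on or insecure_off, got %q", args)
}

// effective: an explicit value wins; an absent directive (nil) follows client_auth.
func effective(explicit *bool, clientAuth bool) bool {
	if explicit != nil {
		return *explicit
	}
	return clientAuth
}

// check returns 0 to continue, or 421 when enforcement is on and Host differs from SNI.
func check(r *http.Request, explicit *bool, clientAuth bool) int {
	if r.TLS == nil || !effective(explicit, clientAuth) {
		return 0
	}
	host := r.Host
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // compare hostnames only, ignoring any port
	}
	if !strings.EqualFold(host, r.TLS.ServerName) {
		return http.StatusMisdirectedRequest // status chosen for this example
	}
	return 0
}

func main() {
	r := &http.Request{Host: "admin.example", TLS: &tls.ConnectionState{ServerName: "public.example"}} // constructed
	off, _ := parseStrictSNIHost([]string{"insecure_off"})
	fmt.Println(check(r, nil, true), check(r, off, true))
}
```

With client_auth configured and no directive, the constructed mismatched request is refused; the same request passes once insecure_off is set, which is the trade-off the thread discusses.
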
mholt (Member) commented Mar 1, 2022

I don't know if I love this (because it only turns off security)... so if we are going to allow this to be done so easily (which, I still am not sure whether to approve this), it should probably at least be prefixed with insecure_ (and probably adjusted so it doesn't take a parameter). (Like TLS' insecure_skip_verify option, which I also hate, heh.)

francislavoie (Member, Author)

Alright, like insecure_off? I'm down with that.

mholt (Member) commented Mar 2, 2022

@francislavoie Oh, I meant instead of strict_sni_host on|off, just have insecure_disable_strict_sni_host as a single token or something. But now that you mention it, strict_sni_host insecure_off is also fine I guess, except I don't want people thinking they need to or can turn it on at all (since the only thing to really do is force it off).

Still squirming about this because I hope it doesn't bite anyone who doesn't understand the docs someday...

francislavoie (Member, Author)

Well, we've had it as an option to turn it on for quite a long time already. Removing that would be a BC break. I'll make the change for insecure_off.

mholt (Member) commented Mar 2, 2022

Ohh, right, because it only turns on automatically if client_auth is enabled. Gotcha. I like insecure_off then.

francislavoie (Member, Author)

Donezo

mholt (Member) left a comment

Thanks, I hate it 😉

@francislavoie francislavoie merged commit 5bd96a6 into master Mar 2, 2022
@francislavoie francislavoie deleted the explicit-strict-sni-host-off branch March 2, 2022 01:02