
feat: add TARGET_SNI to allow overriding the TLS handshake hostname when forwarding requests (#529)

* feat: add TARGET_SNI to allow overriding the TLS handshake hostname when forwarding requests

* chore: spelling

Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Xe Iaso <me@xeiaso.net>
Co-authored-by: Xe Iaso <me@xeiaso.net>
James Renken 1 月之前
6f08bcb481
共有 4 個文件被更改,包括 14 次插入6 次删除
  1. 1 0
      .github/actions/spelling/expect.txt
  2. 11 6
      cmd/anubis/main.go
  3. 1 0
      docs/docs/CHANGELOG.md
  4. 1 0
      docs/docs/admin/installation.mdx

+ 1 - 0
.github/actions/spelling/expect.txt

@@ -178,6 +178,7 @@ selfsigned
 setsebool
 sitemap
 sls
+sni
 Sourceware
 Spambot
 sparkline

+ 11 - 6
cmd/anubis/main.go

@@ -56,6 +56,7 @@ var (
 	redirectDomains          = flag.String("redirect-domains", "", "list of domains separated by commas which anubis is allowed to redirect to. Leaving this unset allows any domain.")
 	slogLevel                = flag.String("slog-level", "INFO", "logging level (see https://pkg.go.dev/log/slog#hdr-Levels)")
 	target                   = flag.String("target", "http://localhost:3923", "target to reverse proxy to, set to an empty string to disable proxying when only using auth request")
+	targetSNI                = flag.String("target-sni", "", "if set, the value of the TLS handshake hostname when forwarding requests to the target")
 	targetHost               = flag.String("target-host", "", "if set, the value of the Host header when forwarding requests to the target")
 	targetInsecureSkipVerify = flag.Bool("target-insecure-skip-verify", false, "if true, skips TLS validation for the backend")
 	healthcheck              = flag.Bool("healthcheck", false, "run a health check against Anubis")
@@ -136,7 +137,7 @@ func setupListener(network string, address string) (net.Listener, string) {
 	return listener, formattedAddress
 }
 
-func makeReverseProxy(target string, targetHost string, insecureSkipVerify bool) (http.Handler, error) {
+func makeReverseProxy(target string, targetSNI string, targetHost string, insecureSkipVerify bool) (http.Handler, error) {
 	targetUri, err := url.Parse(target)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse target URL: %w", err)
@@ -158,10 +159,14 @@ func makeReverseProxy(target string, targetHost string, insecureSkipVerify bool)
 		transport.RegisterProtocol("unix", libanubis.UnixRoundTripper{Transport: transport})
 	}
 
-	if insecureSkipVerify {
-		slog.Warn("TARGET_INSECURE_SKIP_VERIFY is set to true, TLS certificate validation will not be performed", "target", target)
-		transport.TLSClientConfig = &tls.Config{
-			InsecureSkipVerify: true,
+	if insecureSkipVerify || targetSNI != "" {
+		transport.TLSClientConfig = &tls.Config{}
+		if insecureSkipVerify {
+			slog.Warn("TARGET_INSECURE_SKIP_VERIFY is set to true, TLS certificate validation will not be performed", "target", target)
+			transport.TLSClientConfig.InsecureSkipVerify = true
+		}
+		if targetSNI != "" {
+			transport.TLSClientConfig.ServerName = targetSNI
 		}
 	}
 
@@ -214,7 +219,7 @@ func main() {
 	// when using anubis via Systemd and environment variables, then it is not possible to set targe to an empty string but only to space
 	if strings.TrimSpace(*target) != "" {
 		var err error
-		rp, err = makeReverseProxy(*target, *targetHost, *targetInsecureSkipVerify)
+		rp, err = makeReverseProxy(*target, *targetSNI, *targetHost, *targetInsecureSkipVerify)
 		if err != nil {
 			log.Fatalf("can't make reverse proxy: %v", err)
 		}
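Review bot: The third hunk now installs a fresh `&tls.Config{}` whenever targetSNI is non-empty, not only under the insecure flag, so any TLS settings the transport already carried (root pool, minimum version, client certificates) are discarded on the verified path as well; the transport's construction sits above this hunk, so I cannot confirm what it holds, but the overwrite is unconditional. Keeping the existing config, `if transport.TLSClientConfig == nil { transport.TLSClientConfig = &tls.Config{} }`, preserves those settings while still allowing ServerName and InsecureSkipVerify to be set below it. The ServerName assignment also deserves a comment, because the flag help describes it only as the handshake hostname while crypto/tls verifies the backend certificate against ServerName rather than the URL host: `// ServerName is also the name the backend certificate is checked against unless InsecureSkipVerify is set.` makeReverseProxy's body continues outside the hunk.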

+ 1 - 0
docs/docs/CHANGELOG.md

@@ -27,6 +27,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added SearXNG instance tracker whitelist policy
 - Added Qualys SSL Labs whitelist policy
 - Fixed cookie deletion logic ([#520](https://github.com/TecharoHQ/anubis/issues/520), [#522](https://github.com/TecharoHQ/anubis/pull/522))
+- Add `--target-sni` flag/envvar to allow changing the value of the TLS handshake hostname in requests forwarded to the target service.
 
 ## v1.18.0: Varis zos Galvus
 

+ 1 - 0
docs/docs/admin/installation.mdx

@@ -84,6 +84,7 @@ If you don't know or understand what these settings mean, ignore them. These are
 
 | Environment Variable          | Default value | Explanation                                                                                                                                         |
 | :---------------------------- | :------------ | :-------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `TARGET_SNI`                  | unset         | If set, overrides the TLS handshake hostname in requests forwarded to `TARGET`.                                                                     |
 | `TARGET_HOST`                 | unset         | If set, overrides the Host header in requests forwarded to `TARGET`.                                                                                |
 | `TARGET_INSECURE_SKIP_VERIFY` | `false`       | If `true`, skip TLS certificate validation for targets that listen over `https`. If your backend does not listen over `https`, ignore this setting. |