MINOR: acl: add support for TLS server name matching using SNI

Server Name Indication (SNI) is a TLS extension which makes a client
present the name of the server it is connecting to in the client hello.
It allows a transparent proxy to take a decision based on the beginning
of an SSL/TLS stream without deciphering it.

The new ACL "req_ssl_sni" matches the name extracted from the TLS
handshake against a list of names which may be loaded from a file if
needed.
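
The commit message describes what the new ACL consumes: the Server Name Indication carried in cleartext inside the first TLS record, before any key exchange. The following is an added example, not code from this commit or from HAProxy, showing what a proxy-side parser has to do to get from a raw request buffer to an SNI decision: walk the record and handshake headers, skip the fixed ClientHello fields, find extension type 0, and distinguish "not a TLS hello" from "hello not complete yet" (the latter is why the documentation recommends waiting for `req_ssl_hello_type 1` under a `tcp-request inspect-delay`). The ClientHello bytes are constructed inline; the case-insensitive exact-match policy in `req_ssl_sni_matches` is an assumption for the example, since the patch does not state how names are compared.

```python
import struct
from typing import Optional, Set

CONTENT_TYPE_HANDSHAKE = 0x16   # TLS record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01   # handshake type 1 = ClientHello (the "type 1" in the doc example)
EXT_SERVER_NAME = 0x0000        # extension type 0 = server_name (SNI), RFC 6066


class NeedMoreData(Exception):
    """The buffer does not yet hold a complete TLS record / ClientHello."""


def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed sample ClientHello (TLS 1.2 body in a TLS 1.0 record); not real randomness."""
    body = b"\x03\x03" + b"\x11" * 32                 # client_version + 32-byte random
    body += b"\x00"                                   # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
    body += b"\x01\x00"                               # compression_methods: [null]
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        sn_list = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        ext_data = struct.pack("!H", len(sn_list)) + sn_list
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(ext_data)) + ext_data
    body += struct.pack("!H", len(exts)) + exts
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_TYPE_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def extract_sni(buf: bytes) -> Optional[str]:
    """Return the SNI host_name from a complete ClientHello, None if the data is not a
    TLS (v3+) ClientHello or carries no SNI, and raise NeedMoreData if truncated."""
    if len(buf) < 5:
        raise NeedMoreData("record header incomplete")
    if buf[0] != CONTENT_TYPE_HANDSHAKE or buf[1] != 0x03:
        return None                                   # not an SSLv3+/TLS handshake record
    rec_len = struct.unpack("!H", buf[3:5])[0]
    if len(buf) < 5 + rec_len:
        raise NeedMoreData("record body incomplete")
    hs = buf[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    if len(hs) < 4 + hs_len:
        raise NeedMoreData("client hello spans more than one record")
    body = hs[4:4 + hs_len]
    try:
        pos = 2 + 32                                  # skip client_version and random
        pos += 1 + body[pos]                          # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        if pos == len(body):
            return None                               # hello without an extensions block
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end > len(body):
            return None                               # malformed length
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if len(data) != ext_len:
                return None
            if ext_type != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            lpos = 2
            while lpos + 3 <= 2 + list_len:
                name_type = data[lpos]
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                lpos += 3
                name = data[lpos:lpos + name_len]
                lpos += name_len
                if len(name) != name_len:
                    return None
                if name_type == 0:
                    return name.decode("ascii")
            return None
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                   # truncated/malformed field inside a complete hello


def req_ssl_sni_matches(buf: bytes, allowed: Set[str]) -> Optional[bool]:
    """Model of the ACL verdict: True (allowed SNI), False (complete data, no match),
    None (more data needed, the case an inspect-delay keeps waiting on).
    Assumption for this example: case-insensitive exact match, trailing dot ignored."""
    try:
        name = extract_sni(buf)
    except NeedMoreData:
        return None
    if name is None:
        return False
    return name.lower().rstrip(".") in {a.lower() for a in allowed}


if __name__ == "__main__":
    allowed = {"www.example.com", "api.example.com"}          # stands in for the allowed_sites file
    hello = build_client_hello("WWW.Example.com")
    print(extract_sni(hello), req_ssl_sni_matches(hello, allowed))
    print(req_ssl_sni_matches(hello[:20], allowed))           # truncated -> None, keep waiting
    print(req_ssl_sni_matches(b"GET / HTTP/1.1\r\n\r\n", allowed))  # not TLS -> False
```

The tri-state return mirrors why the documented example pairs the ACL with `tcp-request inspect-delay`: on a partial buffer the answer is "not yet", not "no", and only a complete ClientHello yields a verdict. Note that everything parsed here is client-supplied and unauthenticated; it can select a backend but says nothing about who the client is.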
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 8aeeb27..0066ee9 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -7598,6 +7598,12 @@
 through TCP request content inspection. Please see the "tcp-request content"
 keyword for more detailed information on the subject.
 
+rep_ssl_hello_type <integer>
+  Returns true when data in the response buffer looks like a complete SSL (v3
+  or superior) hello message and handshake type is equal to <integer>.
+  This test was designed to be used with TCP response content inspection: a
+  SSL session ID may be fetched.
+
 req_len <integer>
   Returns true when the length of the data in the request buffer matches the
   specified range. It is important to understand that this test does not
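Review bot: the re-added rep_ssl_hello_type text still reads "a SSL session ID" where the req_ssl_hello_type entry uses "an SSL session ID"; since the block is being moved anyway, fix the article here. It would also help to state in both hello_type entries that handshake type 1 is the client hello, because the req_ssl_sni example below depends on that value without explaining it.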
@@ -7633,6 +7639,29 @@
   of detecting the RDP protocol, as clients generally send the MSTS or MSTSHASH
   cookies.
 
+req_ssl_hello_type <integer>
+  Returns true when data in the request buffer looks like a complete SSL (v3
+  or superior) hello message and handshake type is equal to <integer>.
+  This test was designed to be used with TCP request content inspection: an
+  SSL session ID may be fetched.
+
+req_ssl_sni <string>
+  Returns true when data in the request buffer looks like a complete SSL (v3
+  or superior) client hello message with a Server Name Indication TLS extension
+  (SNI) matching <string>. SNI normally contains the name of the host the
+  client tries to connect to (for recent browsers). SNI is useful for allowing
+  or denying access to certain hosts when SSL/TLS is used by the client. This
+  test was designed to be used with TCP request content inspection. If content
+  switching is needed, it is recommended to first wait for a complete client
+  hello (type 1), like in the example below.
+
+  Examples :
+     # Wait for a client hello for at most 5 seconds
+     tcp-request inspect-delay 5s
+     tcp-request content accept if { req_ssl_hello_type 1 }
+     use_backend bk_allow if { req_ssl_sni -f allowed_sites }
+     default_backend bk_sorry_page
+
 req_ssl_ver <decimal>
   Returns true when data in the request buffer look like SSL, with a protocol
   version matching the specified range. Both SSLv2 hello messages and SSLv3
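Review bot: the req_ssl_sni entry says the extension must match "<string>", but the commit message and the example rely on loading names from a file with "-f allowed_sites"; document the file form and state how names are compared (exact vs. suffix, case sensitivity) so users know what to put in the file. The sentence "SNI is useful for allowing or denying access to certain hosts" should also make clear that the name is client-supplied cleartext the proxy cannot verify without terminating TLS, so the ACL is suited to choosing a backend, not to authorising a client; the selected backend still has to present the right certificate and enforce its own access control.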
@@ -7642,18 +7671,6 @@
   that TLSv1 is announced as SSL version 3.1. This test was designed to be used
   with TCP request content inspection.
 
-req_ssl_hello_type <integer>
-  Returns true when data in the request buffer looks like a complete SSL (v3
-  or superior) hello message and handshake type is equal to <integer>.
-  This test was designed to be used with TCP request content inspection: an
-  SSL session ID may be fetched.
-
-rep_ssl_hello_type <integer>
-  Returns true when data in the response buffer looks like a complete SSL (v3
-  or superior) hello message and handshake type is equal to <integer>.
-  This test was designed to be used with TCP response content inspection: a
-  SSL session ID may be fetched.
-
 wait_end
   Waits for the end of the analysis period to return true. This may be used in
   conjunction with content analysis to avoid returning a wrong verdict early.
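Review bot: these two blocks are removed verbatim and reinserted unchanged in the first two hunks to restore alphabetical ordering (rep_ssl_hello_type before req_len, req_ssl_hello_type before req_ssl_sni); say so in the commit message ("move rep_ssl_hello_type/req_ssl_hello_type to keep entries sorted") so the diff is not mistaken for a documentation change to those keywords.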