Conversation

@jmcclelland
Contributor

@jmcclelland jmcclelland commented Sep 16, 2025

Enable SNI to be auto set to the Host header.

This is a proof of concept for resolving #424. I am happy to continue polishing it if it seems like the right way to go.

Checklist:

  • Added a description of the changes to the [Unreleased] section of docs/docs/CHANGELOG.md
  • Added test cases to the relevant parts of the codebase
  • Ran integration tests npm run test:integration (unsupported on Windows, please use WSL)
  • All of my commits have verified signatures

Contributor

@Xe Xe left a comment

LGTM, do you know how I would go about testing this?

@jmcclelland
Contributor Author

I'm not sure how to do it in a simple way. I am manually testing by running an Apache2 backend with:

  • CVE-2025-23048 resolved (e.g. apache2 package in Debian Bullseye version 2.4.65-1~deb12u or Debian Trixie version 2.4.65-2) so apache2 enforces a requirement that an SNI host is provided.
  • More than one virtual host configured with different ServerNames but sharing the same IP/Port combo (I'm not sure if this is required)

The anubis configuration includes an https target e.g.:

TARGET=https://1.2.3.4
TARGET_INSECURE_SKIP_VERIFY=true

Without this patch, I get error 421:

Misdirected Request:
    The client needs a new connection for this request as the
    requested host name does not match the Server Name Indication
    (SNI) in use for this connection.

With the patch it works (and also I can remove TARGET_INSECURE_SKIP_VERIFY).

@jmcclelland
Contributor Author

@Xe I just polished up the commit to add more documentation. I'm a bit at a loss as to how to write a test for it (sorry, Go is not my strong suit) - but if you can point me to any existing tests that check backend connections maybe I can piece something together.

With this change, setting targetSNI to 'auto' causes anubis to
use the request host name as the SNI name, allowing multiple sites
to use the same anubis instance and same backend, while still securely
connecting to the backend via https.

See TecharoHQ#424
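The 'auto' behaviour the commit message describes, as an added Go example that is not Anubis's own code: an http.RoundTripper that derives the SNI name from the request's Host header and keeps one transport per name, so pooled TLS connections are never reused across different server names. The names sniFromHost and autoSNI are hypothetical; the type is meant to be plugged in as an httputil.ReverseProxy's Transport.

```go
package main

import (
	"crypto/tls"
	"net"
	"net/http"
	"strings"
	"sync"
)

// sniFromHost maps a request Host header to an SNI name: port and IPv6 brackets
// stripped, lower-cased; "" for empty Host or IP literals (RFC 6066 forbids them).
func sniFromHost(host string) string {
	h, _, err := net.SplitHostPort(host)
	if err != nil { // no port present
		h = host
	}
	h = strings.Trim(h, "[]")
	if h == "" || net.ParseIP(h) != nil {
		return ""
	}
	return strings.ToLower(strings.TrimSuffix(h, "."))
}

// autoSNI is an http.RoundTripper (drop-in for httputil.ReverseProxy.Transport)
// with one Transport per SNI name, so pooled TLS connections are never reused
// across server names. Host is client-controlled: cap or allow-list names in production.
type autoSNI struct {
	defaultSNI string   // used when the Host header yields no valid SNI name
	byName     sync.Map // SNI name -> *http.Transport
}

func (a *autoSNI) transportFor(name string) *http.Transport {
	if t, ok := a.byName.Load(name); ok {
		return t.(*http.Transport)
	}
	t := http.DefaultTransport.(*http.Transport).Clone()
	t.TLSClientConfig = &tls.Config{ServerName: name, MinVersion: tls.VersionTLS12}
	t0, _ := a.byName.LoadOrStore(name, t)
	return t0.(*http.Transport)
}

// RoundTrip forwards req.Host unchanged, so the backend's Host header matches SNI.
func (a *autoSNI) RoundTrip(req *http.Request) (*http.Response, error) {
	name := sniFromHost(req.Host)
	if name == "" {
		name = a.defaultSNI
	}
	return a.transportFor(name).RoundTrip(req)
}
```

Because ServerName is set and certificate verification is left on, the backend certificate must be valid for the requested host, which is what allows TARGET_INSECURE_SKIP_VERIFY to be dropped as the thread notes.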
@Xe Xe enabled auto-merge (squash) September 25, 2025 08:02
@Xe Xe merged commit 75ea1b6 into TecharoHQ:main Sep 25, 2025
11 checks passed