Awesome

ngx-strict-sni

Strict SNI validator for Nginx

Abstruct

The ngx_http_ssl_strict_sni module is a validator of the integrity of SNI and the Host header. This blocks "SNI spoofing" to virtual hosts. Without ssl, this module has no effects.

Description

Nginx doesn't and won't check the integrity of SNI and Host header, resulting to allowing "SNI spoofing" between virtual hosts.

Reproduction: let two virtual host aaa.com and bbb.com listen on 443 as https servers with their names.

nginx.conf:

server{
    server_name aaa.com;
    ...
    root /srv/www/com.aaa;
}
server{
    server_name bbb.com;
    ...
    root /srv/www/com.bbb;
    strict_sni: on; # here we enable this module
}

/srv/www/com.aaa/foo.txt:

Here is aaa.com.

/srv/www/com.bbb/foo.txt:

Here is bbb.com.

With normal requests, we get /foo.txt in the server specified in the domain:

$ curl https://aaa.com/foo.txt
Here is aaa.com.
$ curl https://bbb.com/foo.txt
Here is bbb.com.

However, we cat get aaa.com/foo.txt with URL bbb.com/foo.txt, by adding false Host header:

$ curl -H "Host: aaa.com" https://bbb.com/foo.txt
Here is aaa.com. # <-- intruded!

This module adds the validation step of SNI and Host header, and when the request violate the rule, it immediately return Status 421 Misdirected Request:

$ curl -H "Host: bbb.com" https://aaa.com/foo.txt
<html>
<head><title>421 Misdirected Request</title></head>
<body>
<center><h1>421 Misdirected Request</h1></center>
<hr><center>nginx</center>
</body>
</html>

This explanation is written based on the article below:

NGINXリバースプロキシでTLS Server Name Indication (SNI)と異なるドメイン名のバックエンドホストへルーティングできちゃう件について

Installation

Currently, only the Debian repository for Debian is available. The package name is changed to libnginx-mod-http-ssl-strict-sni following the standard name style of Nginx modules.

Debian

Supported Codename: bullseye, bookworm

Supported Architecture: arm64, amd64

[!IMPORTANT] 2024/03/28: PGP repository signature added! Existing user should update their apt configuration.

[!IMPORTANT] 2024/04/13: Repository URL changed! Existing user should update the URL written in ngx-strict-sni.list.

curl -fsSL https://jyjyjcr.github.io/ngx-strict-sni/publish/gpg.key.asc | sudo gpg --dearmor -o /etc/apt/keyrings/ngx-strict-sni.gpg
sudo echo "deb [signed-by=/etc/apt/keyrings/ngx-strict-sni.gpg] https://jyjyjcr.github.io/ngx-strict-sni/publish/deb $(cat /etc/os-release|grep VERSION_CODENAME|sed -e 's/^.*=//g') main" > "/etc/apt/sources.list.d/ngx-strict-sni.list"
sudo apt update
sudo apt install libnginx-mod-http-ssl-strict-sni

Directives

strict_sni

Syntax: strict_sni on | off;

Default: strict_sni off;

Context: http, server, location

Use Case

http {
    ...
    strict_sni on; # enable the validator for any https request
    ...
    server{
        server_name strict.com;
        ...
    }
    server{
        server_name loose.com;
        ...
        strict_sni off; # but disable for any https request aimed (not by SNI but Host header) to loose.com
        ...
        location /strict/ {
            strict_sni on; # and re-enable for any to loose.com/strict/
            ...
        }
    }
}

Technology

This module is written in Rust using ngx crate. The original repository is here, and the modified one is here.