Is there a reliable way to check the clients requested destination domain within a TLS connection?
I know I could use req_ssl_sni but the problem is that not all browsers support it. I would like to forbid clients to connect to defined sites, but I wont like to block them on IP. My aim is to block them on the requested SNI, CN of the Server’s Cert or something like that. Do u have an idea?
You can’t block the client based on the server cert’s CN, because that is data the server provides, so that doesn’t make any sense.
Are you terminating SSL on haproxy? You could just block based on HTTP then, the host header for example.
Thanks for your reply!
No I am not terminating SSL, i have configured haproxy as a forwarding proxy in TCP mode.
Of course i can not block the Client before i’ve got the CN of the server. This should be happen after the server has sent his cert. But is there a way to get the CN of the backend’s certificate? Something like ssl_c_i_dn(CN) but just of the server’s side?
What you are saying doesn’t make any sense.
When your client does not provide any SNI, your server has to provide a default certificate, and that will always contain the same exact CN for everyone. So you either blocking everyone or no one, but you don’t have to look at the CN for that.
I have got any local servers.
I use haproxy as transparentproxy for my clients in my private network
So all traffic which goes out will be handled by haproxy.
So my aim is to block some https supported sites like facebook or idk
I see. I’m afraid I don’t have a solution for you here. Haproxy is primarily a reverse proxy. Although it is possible to use it as a forward proxy, you will hit all kinds of limitations and missing features in this regard.