Httpverifysni #17223
Httpverifysni #17223
Conversation
Signed-off-by: Yuchen Dai <silentdai@gmail.com>
Signed-off-by: Yuchen Dai <silentdai@gmail.com>
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
|
I'm still not convinced why this has to be a separate filter. If 2. RBAC works and just no one adopt, we should just add a FAQ or a suggestion in SNI config for that? |
|
+1 let's just better document using RBAC. /wait |
|
I give it try in RBAC: there is something missing. Please advice if I don't fully get the ability of rbac
|
|
RBAC seems like the right place to do this, so let's propose changes to RBAC to make this possible. I don't know why we would have a new filter for this. The alternative would be that this is so important that we make this a core security feature. /wait |
What do you think if put the Suppose we have 2 filter chains, one for for SNI=*.example.com and one for SNI=admin.example.com The
But if anyone want to additionally allow SNI=foo.example.com Host=bar.example.com the user should use RBAC. |
|
If we believe this is a serious enough security problem that it's hitting multiple people, I think having this be a core feature is reasonable. I think your proposal of how to handle is also reasonable. I'm OK with adding a core feature for this, but I would like to here from @alyssawilk @antoniovicente @htuch @yanavlasov on this. If we do add the core feature my preference would be to make this secure by default (with runtime override for the default). |
|
"The attack could provide a guest.example.com SNI and an admin.example.com header." So I think by default Envoy should enforce that host header is allowed by the cert served (admin.foo.com should not be served under bar.foo.com cert but should be allowed under *.foo.com cert). I'd be all for that being on by default, runtime guarded off if that's not the current behavior. But if you want to serve *.foo.com certs and reject admin.foo.com I'd think you could just have normal route actions and static response "disallowed". Either way I'm not sure why additional configuration should be required? |
I think the only reason would be if this change breaks some deployment. I think we could start with a runtime guard though and see if anyone complains. |
|
Yeah, let's runtime guard, and but folks complain my fail-over would be adding deny routes over additional config. I don't think it would necessarily double route memory but we can debate that if runtime guarding exposes problems :-) |
Yeah agreed we can cross this bridge later. My preference would actually be to build this into RBAC/WAF vs. new route matching but we can discuss later. |
+1 That's a sub-issue. As long as a runtime guard is provided to bridge the migration people should be good.
That works for sure as mitigation. My only concern is that this is not practical. The common route configure between admin.example.com From the Envoy config level, they differs only at listener config.
|
|
ah, so it's not just that you want to make sure admin.foo.com isn't served under cert bar.foo.com, you want to make sure that if the cert is *.foo.com and you sni for bar.foo.com you only can send requests for bar.foo.com? That's certainly something we don't want to support by default, I believe all the major browsers (and Envoy itself will soon) pool admin.foo.com into the same connection with bar.foo.com if the cert allows and DNS matches. The 421 is supported in the spec (https://datatracker.ietf.org/doc/html/rfc7540#section-9.1.1) Edit: nope I'm wrong, it is at least supported in Chrome. |
|
I create dedicated issue #17258 for certs dns names so we can focus on solutions of SNI. I am closing this PR to propose a RBAC based solution for SNI |
Commit Message:
Background
The SNI of a connection is persistent but the host header of http request within that connection can be different.
The attack could provide a guest.example.com SNI and an admin.example.com header.
There is risk that route config does not explicitly deny the admin.example.com host,
I have seen 3 different orgs discover the issue and used their own lua filter as mitigation.
Alternatives
It's likely that 2 route configs have thousands routes the same but only 1 or 2 for deny. This almost double the route config items in memory.
It seems possible but I don't see anyone adopting it as mitigation.
e.g. always allow *.exmaple.com and use the RBAC or route to execute the deny.
This is need a restructure of configs from listener - filter chain - HCM - http route config.
Additional Description:
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
Fixes #6767
[Optional Deprecated:]
[Optional API Considerations:]