docs: strict_sni_host options

2025-06-22 14:10:32 -04:00 · 2022-03-09 03:32:23 -05:00 · 2022-03-09 03:32:23 -05:00 · 9f35c4fe2d
commit 9f35c4fe2d
parent 10496e59a4
1 changed files with 4 additions and 2 deletions
--- a/src/docs/markdown/caddyfile/options.md
+++ b/src/docs/markdown/caddyfile/options.md
@ -102,7 +102,7 @@ Possible options are:
 		protocol {
 			allow_h2c
 			experimental_http3
-			strict_sni_host
+			strict_sni_host [on|insecure_off]
 		}
 	}

@ -351,7 +351,9 @@ If you wish to _not_ have these headers redacted, you may enable the `log_creden

 - **experimental_http3** enables experimental draft HTTP/3 support. Note that HTTP/3 is not a finished spec and client support is extremely limited. This option will go away in the future. _This option is not subject to compatibility promises._

- **strict_sni_host** require that a request's `Host` header matches the value of the ServerName sent by the client's TLS ClientHello; often a necessary safeguard when using TLS client authentication.
+- **strict_sni_host** require that a request's `Host` header matches the value of the ServerName sent by the client's TLS ClientHello; often a necessary safeguard when using TLS client authentication. If there's a mismatch, an HTTP status `421 Misdirected Request` response is written to the client.
+  
+  This option will be implicitly turned on if [client authentication](/docs/caddyfile/directives/tls#client_auth) is configured. This disallow TLS client auth bypass (domain fronting) which could otherwise be exploited by sending an unprotected SNI value during a TLS handshake, then putting a protected domain in the Host header after establishing connection. This is a safe default, but you may explicitly turn it off with `insecure_off`, for example in the case of running a proxy where domain fronting is desired and access is not restricted based on hostname.