- DONE Domain Fronting to be blocked on Azure
- HN
- Azure
- two https domains resolve to the same IP address
- eg., (search for site:azureedge.net)
- tmgpulse.azureedge.net
- goodie.azureedge.net
- an SSL request consists of two parts
- SSL headers which contain "SNI" (Server Name Indication)
- encrypted HTTP content
- if the content of the SNI and `Host` header of the HTTP content do not match - architecturally, this seems like
- azure uses SNI for "nothing"
- post termination, azure uses `Host` header for content delivery
- this means, if a "firewall" wants to block "https://badwebsite.azureedge.net", a bad actor can get around this by
- SNI hello to "https://knowngoodwebsite.azureedge.net"
- HTTP request with `Host: badwebsite.azureedge.net`
- and hope azure serves the request
- this can be used to get around firewalls only doing SNI inspection which would pose a problem for corporate environments and state actors (?)
- on a similar note,
- Caddy has the option strict_sni_host
- Nginx requires some variable matching? wat
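
The SNI-versus-`Host` comparison that a TLS-terminating front end can apply after decryption, written out as an added example (not part of the original notes and not Caddy's or Nginx's code). The function names and the sample records are constructed; the hostnames are the placeholders used in the notes above.

```python
# Added example: SNI vs Host consistency check at a TLS-terminating proxy.
# Function names and the sample records are constructed for illustration.

def normalize_host(value):
    """Lowercase a hostname, drop a trailing dot and any :port suffix."""
    if not value:
        return None
    host = value.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:443
        host = host[1:host.find("]")] if "]" in host else host
    elif host.count(":") == 1:          # name:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".") or None


def check_request(sni, host_header):
    """Return 'ok', 'no_sni', 'no_host' or 'mismatch' for one request."""
    sni_n, host_n = normalize_host(sni), normalize_host(host_header)
    if host_n is None:
        return "no_host"
    if sni_n is None:
        return "no_sni"    # client sent no SNI; what to do is the operator's policy
    return "ok" if sni_n == host_n else "mismatch"


# Constructed records: (SNI from the ClientHello, Host header after decryption)
SAMPLE = [
    ("knowngoodwebsite.azureedge.net", "knowngoodwebsite.azureedge.net"),
    ("knowngoodwebsite.azureedge.net", "badwebsite.azureedge.net"),
    ("KnownGoodWebsite.azureedge.net.", "knowngoodwebsite.azureedge.net:443"),
    (None, "knowngoodwebsite.azureedge.net"),
]


def audit(records):
    """Return the records a strict policy would refuse, with the reason."""
    return [(sni, host, verdict)
            for sni, host in records
            if (verdict := check_request(sni, host)) != "ok"]


if __name__ == "__main__":
    for sni, host, verdict in audit(SAMPLE):
        print(f"{verdict:9} sni={sni!r} host={host!r}")
```

Only the second and fourth sample records are reported; the third differs only in case, trailing dot and port, which normalization removes before comparing.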
Created May 1, 2023 14:17