Diff:
1b626eae837ad61f2cd56fbd310ab9397b522c3a
1cdea97b6c74ec86e202431a208b5c99343f7273
Commit:
1cdea97b6c74ec86e202431a208b5c99343f7273
Tree:
630fa77c88a4071706e094912d17a56144355672
Author:
Omar Polo <op@omarpolo.com>
Date:
Sun Jan 30 10:14:44 2022 UTC
Message:
allow using a custom hostname for SNI during proxying

add a `sni' option for the `proxy' block: the given name is used instead
of the one extracted from the `relay-to' rule.
commit - 1b626eae837ad61f2cd56fbd310ab9397b522c3a
commit + 1cdea97b6c74ec86e202431a208b5c99343f7273
blob - b9f997020363f4ffcab3c88d14cba9cee46477e8
blob + 09293f799a4b046ae685c292c58fd9a13de6d743
--- gmid.1
+++ gmid.1
@@ -472,6 +472,12 @@ signed by the CA certificate in
Allow the proxying only from clients that provide a certificate
signed by the CA certificate in
.Ar file .
+.It Ic sni Ar hostname
+Use the given
+.Ar hostname
+instead of the one extracted from the
+.Ic relay-to
+rule for the TLS handshake with the proxied gemini server.
.It Ic use-tls Ar bool
Specify whether to use TLS when connecting to the proxied host.
Enabled by default.
blob - 2abdce04ab1750b7fbdebaafa01606ff9063ac32
blob + b2aa170ec80fee36d5c742ddad81606e572ffb70
--- gmid.c
+++ gmid.c
@@ -338,6 +338,7 @@ free_config(void)
free(p->match_proto);
free(p->match_host);
free(p->host);
+ free(p->sni);
tls_unload_file(p->cert, p->certlen);
tls_unload_file(p->key, p->keylen);
free(p);
blob - 1dde21a616c047ea0605f1e9303d0df9417be29d
blob + a6741bf4fd67f104871baa9f9210d8b9d2eee535
--- gmid.h
+++ gmid.h
@@ -105,6 +105,7 @@ struct proxy {
char *host;
const char *port;
+ char *sni;
int notls;
uint32_t protocols;
int noverifyname;
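Review bot: The new `sni` member of `struct proxy` has no comment saying how it relates to `host`, and since both are hostnames a reader of the header cannot tell which one the TLS handshake uses. A one-line comment on the added field would settle it: `char *sni; /* optional; if set, used instead of host for the TLS handshake */`. The struct continues outside the hunk.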
blob - 57cf3f5c72c7f07008879881d2a19bf18cb0cbb0
blob + d24005d6f7700dd639ac3a06de950dc67d8bf26f
--- parse.y
+++ parse.y
@@ -127,7 +127,7 @@ typedef struct {
%token OCSP OFF ON
%token PARAM PORT PREFORK PROTO PROTOCOLS PROXY
%token RELAY_TO REQUIRE RETURN ROOT
-%token SERVER SPAWN STRIP
+%token SERVER SNI SPAWN STRIP
%token TCP TOEXT TYPE
%token USE_TLS USER
%token VERIFYNAME
@@ -357,6 +357,11 @@ proxy_opt : CERT string {
if ((proxy->reqca = load_ca($4)) == NULL)
yyerror("couldn't load ca cert: %s", $4);
free($4);
+ }
+ | SNI string {
+ only_once(proxy->sni, "proxy sni");
+ free(proxy->sni);
+ proxy->sni = $2;
}
| USE_TLS bool {
proxy->notls = !$2;
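Review bot: The `SNI string` rule stores `$2` without checking that it is non-empty, so `sni ""` is accepted and later handed to the TLS layer as the server name; unless the grammar rejects empty strings elsewhere (not visible here), a guard such as `if (*$2 == '\0') yyerror("empty sni");` before the assignment would catch the misconfiguration at parse time rather than at connect time. `only_once` presumably reports a duplicate and the `free` mirrors the other string options, so that part reads consistently. The `proxy_opt` rule starts and ends outside this hunk.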
@@ -497,6 +502,7 @@ static struct keyword {
{"return", RETURN},
{"root", ROOT},
{"server", SERVER},
+ {"sni", SNI},
{"spawn", SPAWN},
{"strip", STRIP},
{"tcp", TCP},
blob - 97d32578cf96864ca118af922cfd31755de4ed64
blob + 1a30531dd3cd6492113b4aca40aede35641985a2
--- proxy.c
+++ proxy.c
@@ -297,6 +297,7 @@ proxy_setup_tls(struct client *c)
{
struct proxy *p = c->proxy;
struct tls_config *conf = NULL;
+ const char *hn;
if ((conf = tls_config_new()) == NULL)
return -1;
@@ -325,7 +326,9 @@ proxy_setup_tls(struct client *c)
if (tls_configure(c->proxyctx, conf) == -1)
goto err;
- if (tls_connect_socket(c->proxyctx, c->pfd, p->host) == -1)
+ if ((hn = p->sni) == NULL)
+ hn = p->host;
+ if (tls_connect_socket(c->proxyctx, c->pfd, hn) == -1)
goto err;
c->proxyevset = 1;
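Review bot: The name passed as the third argument of `tls_connect_socket` is used by libtls not only for SNI but also for certificate name verification, so with the new code a configured `sni` also decides which name the proxied server's certificate must match when `verifyname` has not been disabled; that consequence is not visible from the variable name `hn` and deserves a comment, e.g. `/* used for SNI and, unless noverifyname, for certificate name verification */` above the fallback. The `sni`/`host` fallback itself is correct, and `hn` is only read after being assigned. `proxy_setup_tls` continues outside the hunk.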