SSL Reject Handshake for unknown Host

[kelvinwijaya]

Summary

Is there feature or configuration that I can use to block ssl handshake when the client does not present proper hostname

I did readup nginx has this feature call ssl_reject_handshake that can be toggled

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake

[bungle]

I think we would need more information on what is to be considered proper (e.g. those that do not have sni entity + those that are not specified as hosts in routes...).

[kelvinwijaya]

Hi @bungle

Thanks for your reply

Reason i would think this option will be helpful is because currently there is no clear separation between IP-based and host name-based virtual servers. When client call kong endpoint with IP, currently it is not blocking, ssl handshake will be established, although with some configuration below, I managed to block the traffic by returning HTTP error code

if we can have the directive for ssl_reject_handshake, this is even better as the blocking can been activated at SSL handshake layer

apiVersion: v1
kind: ConfigMap
metadata:
  name: kong-server-blocks
  namespace: kong
data:
  ssl-listener.kong.conf: |
    # Disable/Block direct access to IP for port 80
    server {
        listen 8000 default_server;
        server_name _;
        return 500;
    }
    # Disable/Block direct access to IP for port 443
    server {
        listen 8443 ssl http2 default_server;
        server_name _;
        ssl_certificate     /usr/local/kong/ssl/kong-default.crt;
        ssl_certificate_key /usr/local/kong/ssl/kong-default.key;
        return 500;
    }

[gszr]

@kelvinwijaya You might be able to use Nginx directive injection for this use-case. For example, assuming you want to inject that directive into the Proxy server block, you could use nginx_proxy_ssl_reject_handshake=on.