SNI: reset to default server if requested host was not found.

Not only this is consistent with a case without SNI, but this also
prevents abusing configurations that assume that the $host variable
is limited to one of the configured names for a server.

An example of potentially unsafe configuration:

  server {
      listen 443 ssl default_server;
      ...
  }

  server {
      listen 443;
      server_name example.com;

      location / {
          proxy_pass http://$host;
      }
  }

Note: it is possible to negotiate "example.com" by SNI, and to request
arbitrary host name that does not exist in the configuration above.

diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 44c5009bd692b72ffab57b7c47a6b0ec2b135c69..bb4cacabd158f234dcf499f798a79570d1e483cb 100644 (file)
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1869,6 +1869,17 @@ ngx_http_set_virtual_server(ngx_http_request_t *r, ngx_str_t *host)
         return NGX_ERROR;
     }
 
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+
+    if (hc->ssl_servername) {
+        if (rc == NGX_DECLINED) {
+            cscf = hc->addr_conf->default_server;
+            rc = NGX_OK;
+        }
+    }
+
+#endif
+
     if (rc == NGX_DECLINED) {
         return NGX_OK;
     }