tls: Add insecure_disable_sni_matching subdirective (#3075)

* Disable StrictHostMatching for single server configs

* Add the insecure_disable_sni_matching directive

* Do not override insecure_disable_sni_matching

* Remove comment
Daniel Santos
2020-02-25 16:04:59 -07:00
committed by GitHub
parent c953d17bcc
commit 4fbdd23283
5 changed files with 16 additions and 18 deletions


@@ -442,11 +442,12 @@ func (s *Server) serveHTTP(w http.ResponseWriter, r *http.Request) (int, error)
r.URL = trimPathPrefix(r.URL, pathPrefix)
}
// if not disabled via `insecure_disable_sni_matching`
// enforce strict host matching, which ensures that the SNI
// value (if any), matches the Host header; essential for
// sites that rely on TLS ClientAuth sharing a port with
// sites that do not - if mismatched, close the connection
if vhost.StrictHostMatching && r.TLS != nil &&
if !vhost.TLS.InsecureDisableSNIMatching && r.TLS != nil &&
strings.ToLower(r.TLS.ServerName) != strings.ToLower(hostname) {
r.Close = true
log.Printf("[ERROR] %s - strict host matching: SNI (%s) and HTTP Host (%s) values differ",