caddy: HTTP3 + `strict_sni_host` always results in `403` status

I use `curl -I --http3 https://localhost/index`.

When `strict_sni_host` is off, the status is 200 (from `reverse_proxy`); when `strict_sni_host` is on, the status is 403 (from Caddy).

My Caddyfile:

{
	auto_https disable_redirects

	servers {
		protocol {
			experimental_http3
			# only serve requests whose Host header matches the TLS SNI
			strict_sni_host
		}
	}
}

localhost {
	reverse_proxy localhost:3000
}
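To make the reported symptom concrete, here is an added Go example, not code from Caddy or quic-go, of the check that `strict_sni_host` is documented to enforce: the HTTP Host header must name the same host as the SNI sent in the TLS handshake. The `hostMatchesSNI`, `strictSNIHost` and `simulate` names are assumptions of this example, the upstream handler stands in for `reverse_proxy`, and the `tls.ConnectionState` is constructed by hand rather than taken from a real handshake. The third case shows why a connection whose `ConnectionState` carries no `ServerName` is answered with 403 no matter what Host the client sends.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hostMatchesSNI reports whether the request's Host header names the same
// host as the TLS SNI ServerName. The port (if any) is stripped from Host,
// a trailing dot is ignored and the comparison is case-insensitive, as DNS
// names are. An empty ServerName never matches: the check fails closed,
// so a connection whose ConnectionState has no SNI is always rejected.
func hostMatchesSNI(host, serverName string) bool {
	if serverName == "" {
		return false
	}
	h := host
	if hostOnly, _, err := net.SplitHostPort(host); err == nil {
		h = hostOnly // "localhost:443" -> "localhost", "[::1]:443" -> "::1"
	}
	h = strings.TrimSuffix(h, ".")
	return strings.EqualFold(h, strings.TrimSuffix(serverName, "."))
}

// strictSNIHost is an illustrative stand-in (not Caddy's implementation) for
// what strict_sni_host is documented to do: the request reaches next only
// when its Host header matches the SNI from the handshake; anything else,
// including a request with no TLS state at all, gets 403.
func strictSNIHost(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil || !hostMatchesSNI(r.Host, r.TLS.ServerName) {
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// simulate sends a HEAD /index request (what `curl -I` issues) through the
// middleware with a constructed tls.ConnectionState and returns the status
// the client would see. The upstream stands in for reverse_proxy and
// always answers 200.
func simulate(host, serverName string) int {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodHead, "https://"+host+"/index", nil)
	req.Host = host
	// Constructed handshake state; a real server gets this from the TLS layer.
	req.TLS = &tls.ConnectionState{ServerName: serverName}
	rec := httptest.NewRecorder()
	strictSNIHost(upstream).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	cases := []struct{ host, sni, note string }{
		{"localhost", "localhost", "Host and SNI agree"},
		{"localhost:443", "localhost", "explicit port in Host is ignored"},
		{"localhost", "", "no ServerName in ConnectionState: the reported HTTP/3 symptom"},
		{"evil.example", "localhost", "Host does not match SNI"},
	}
	for _, c := range cases {
		fmt.Printf("Host=%-16q SNI=%-12q -> %d  (%s)\n",
			c.host, c.sni, simulate(c.host, c.sni), c.note)
	}
}
```

Running it prints 200 for the first two cases and 403 for the last two. The point for the issue above is the third line: the Host header is correct, but because the SNI side of the comparison is empty the check cannot pass, so every HTTP/3 request is refused before it reaches `reverse_proxy`.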

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 23 (17 by maintainers)

Most upvoted comments

I’m glad to hear that. Making ConnectionState work during the handshake was no fun! (Code: https://github.com/quic-go/qtls-go1-20/commit/352e42f14f1bb2ddc88be1305c6f9d25d49916bd)

Now that https://github.com/quic-go/quic-go/pull/3636 is merged and released, we might be able to fix this one.

Actually, I think this is fixed for free (no additional code changes). I can’t replicate the problem with the latest version of quic-go. I get successful responses with strict_sni_host turned on (and the Host is correctly matching SNI), whereas it fails on v2.6.2.

The right fix would be to fix crypto/tls, such that one can call ConnectionState() at any time during the handshake. Unfortunately, that’s not an easy thing to do.

Alternatively, we could fill in a fake tls.ConnectionState, that at least sets the ServerName.