enforcementHandler is an implicit middleware which performs standard checks before executing the HTTP middleware chain.
(w http.ResponseWriter, r *http.Request, next Handler)
// enforcementHandler is an implicit middleware that runs the server's
// standard checks on a request before the HTTP middleware chain executes.
//
// The only check visible here is strict SNI/Host matching. When it passes,
// or does not apply, the result of next.ServeHTTP is returned unchanged.
// On a mismatch the chain is not invoked and the error produced by Error
// with http.StatusMisdirectedRequest (421) is returned instead.
func (s *Server) enforcementHandler(w http.ResponseWriter, r *http.Request, next Handler) error {
	// Strict host matching is opt-in and only meaningful for requests that
	// arrived over TLS; plaintext requests carry no SNI and are not checked.
	strict := s.StrictSNIHost != nil && *s.StrictSNIHost
	if !strict || r.TLS == nil {
		return next.ServeHTTP(w, r)
	}

	// A Host header without a port makes SplitHostPort fail; in that case
	// the header value is compared as-is.
	hostname := r.Host
	if h, _, splitErr := net.SplitHostPort(r.Host); splitErr == nil {
		hostname = h
	}

	// The SNI value selected the TLS configuration (including any client
	// certificate requirement), while the Host header selects the site that
	// serves the request. Servers that require TLS ClientAuth may share a
	// listener with servers that do not; without this check a client could
	// present a benign SNI and then name the restricted host in the Host
	// header. The comparison is case-insensitive and exact, so a request
	// with an empty ServerName is rejected unless its Host is empty too.
	if strings.EqualFold(r.TLS.ServerName, hostname) {
		return next.ServeHTTP(w, r)
	}

	// NOTE(review): hostname is client-supplied and is formatted with %s;
	// confirm that whatever logs or renders this error escapes it.
	mismatch := fmt.Errorf("strict host matching: TLS ServerName (%s) and HTTP Host (%s) values differ",
		r.TLS.ServerName, hostname)

	// Ask net/http to close the connection after replying so that it is
	// not reused for further requests.
	r.Close = true
	return Error(http.StatusMisdirectedRequest, mismatch)
}
| 544 | |
| 545 | // listenersUseAnyPortOtherThan returns true if there are any |
| 546 | // listeners in s that use a port which is not otherPort. |