fix: sniGuard

jonssonyan · Oct 8, 2024 · 4d912e9 · 4d912e9
1 parent 93478cc
commit 4d912e9
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 0 deletions.
diff --git a/frontend/src/api/config/types.ts b/frontend/src/api/config/types.ts
@@ -25,6 +25,7 @@ export interface Hysteria2ServerConfig {
   tls?: {
     cert: string;
     key: string;
+    sniGuard?: string;
   };
   acme?: {
     domains: string[];
@@ -137,6 +138,7 @@ export const defaultHysteria2ServerConfig: Hysteria2ServerConfig = {
   tls: {
     cert: "",
     key: "",
+    sniGuard: "",
   },
   acme: {
     domains: [],

diff --git a/frontend/src/lang/package/en.ts b/frontend/src/lang/package/en.ts
@@ -172,6 +172,8 @@ export default {
       tls: {
         cert: "The path to the Cert file.",
         key: "The path to the Key file.",
+        sniGuard:
+          'Verify the SNI provided by the client. Accept the connection only when it matches what\'s in the certificate. Terminate the TLS handshake otherwise. Set to strict to enforce this behavior. Set to disable to disable this entirely. The default is dns-san, which enables this feature only when the certificate contains the "Subject Alternative Name" extension with a domain name in it.',
       },
       acme: {
         domains: "Domains",

diff --git a/frontend/src/lang/package/zh-cn.ts b/frontend/src/lang/package/zh-cn.ts
@@ -171,6 +171,8 @@ export default {
       tls: {
         cert: "CERT 路径",
         key: "KEY 路径",
+        sniGuard:
+          "验证客户端发送的 SNI。 与证书信息匹配时才建立连接， 否则终止 TLS 握手。 设置为 strict 以启用该功能。 设置为 disable 以禁用该功能。 默认为 dns-san， 仅当证书中包含「证书主题背景的备用名称」扩展且该扩展中包含域名时才启用该功能。",
       },
       acme: {
         domains: "域名",

diff --git a/frontend/src/views/hysteria/list/index.vue b/frontend/src/views/hysteria/list/index.vue
@@ -188,6 +188,26 @@
                 <el-input v-model="dataForm.tls.key" clearable />
               </el-form-item>
             </el-tooltip>
+            <el-tooltip
+              v-if="tlsType === 'tls'"
+              :content="$t('hysteria.config.tls.sniGuard')"
+              placement="bottom"
+            >
+              <el-form-item label="sniGuard" prop="tls.sniGuard">
+                <el-select
+                  v-model="dataForm.tls.sniGuard"
+                  style="width: 100%"
+                  clearable
+                >
+                  <el-option
+                    v-for="item in tlsSniGuards"
+                    :key="item"
+                    :label="item"
+                    :value="item"
+                  />
+                </el-select>
+              </el-form-item>
+            </el-tooltip>
             <el-tooltip
               v-if="tlsType === 'acme'"
               :content="$t('hysteria.config.acme.domains')"
@@ -1032,6 +1052,7 @@ const dataFormRules = {
 };
 
 const tlsTypes = ref<string[]>(["tls", "acme"]);
+const tlsSniGuards = ref<string[]>(["dns-san", "disable", "strict"]);
 const aclTypes = ref<string[]>(["file", "inline"]);
 const acmeCas = ref<string[]>(["zerossl", "letsencrypt"]);
 const acmeTypes = ref<string[]>(["http", "tls", "dns"]);