re-add cert validation host

bubble-server/src/main/java/bubble/server/BubbleConfiguration.java

@@ -215,6 +215,7 @@ public class BubbleConfiguration extends PgRestServerConfiguration
 
     @Getter @Setter private LegalInfo legal = new LegalInfo();
     @Getter @Setter private AppLinks appLinks = new AppLinks();
+    @Getter @Setter private String certificateValidationHost;
 
     @Override @JsonIgnore public Handlebars getHandlebars() { return BubbleHandlebars.instance.getHandlebars(); }
 

bubble-server/src/main/resources/ansible/roles/bubble/files/bubble_role.json

@@ -37,7 +37,9 @@
     {"name": "app_link_android", "value": "[[appLinks.android]]"},
     {"name": "app_link_windows", "value": "[[appLinks.windows]]"},
     {"name": "app_link_macosx", "value": "[[appLinks.macosx]]"},
-    {"name": "app_link_linux", "value": "[[appLinks.linux]]"}
+    {"name": "app_link_linux", "value": "[[appLinks.linux]]"},
+
+    {"name": "cert_validation_host", "value": "[[configuration.certificateValidationHost]]"}
   ],
   "optionalConfigNames": ["restore_key", "restore_timeout", "error_url", "error_key", "error_env"]
 }

bubble-server/src/main/resources/ansible/roles/bubble/templates/bubble.env.j2

@@ -20,3 +20,5 @@ export APP_LINK_ANDROID={{ app_link_android }}
 export APP_LINK_WINDOWS={{ app_link_windows }}
 export APP_LINK_MACOSX={{ app_link_macosx }}
 export APP_LINK_LINUX={{ app_link_linux }}
+
+export CERT_VALIDATION_HOST={{ cert_validation_host }}

bubble-server/src/main/resources/ansible/roles/mitmproxy/files/bubble_role.json

@@ -11,6 +11,7 @@
     {"name": "sage_ip6", "value": "[[sageNode.ip6]]"},
     {"name": "cert_name", "value": "bubble-[[network.shortId]]"},
     {"name": "cert_org", "value": "Bubble [[network.shortId]]"},
-    {"name": "cert_cn", "value": "[[network.certCNAME]]"}
+    {"name": "cert_cn", "value": "[[network.certCNAME]]"},
+    {"name": "cert_validation_host", "value": "[[configuration.certificateValidationHost]]"}
   ]
 }

bubble-server/src/main/resources/ansible/roles/mitmproxy/templates/bubble_config.py.j2

@@ -6,3 +6,4 @@ bubble_ssl_port = '{{ ssl_port }}'
 bubble_sage_host = '{{ sage_host }}'
 bubble_sage_ip4 = '{{ sage_ip4 }}'
 bubble_sage_ip6 = '{{ sage_ip6 }}'
+cert_validation_host = '{{ cert_validation_host }}'

bubble-server/src/main/resources/bubble-config.yml

@@ -109,3 +109,5 @@ appLinks:
       windows: {{APP_LINK_WINDOWS}}
       macosx: {{APP_LINK_MACOSX}}
       linux: {{APP_LINK_LINUX}}
+
+certificateValidationHost: {{CERT_VALIDATION_HOST}}

bubble-server/src/main/resources/packer/roles/mitmproxy/files/bubble_conn_check.py

@@ -28,7 +28,7 @@ from mitmproxy.exceptions import TlsProtocolException
 from mitmproxy.net import tls as net_tls
 
 from bubble_api import bubble_log, bubble_conn_check, bubble_activity_log, redis_set
-from bubble_config import bubble_sage_host, bubble_sage_ip4, bubble_sage_ip6
+from bubble_config import bubble_sage_host, bubble_sage_ip4, bubble_sage_ip6, cert_validation_host
 import redis
 import json
 import subprocess
@@ -210,6 +210,10 @@ def next_layer(next_layer):
             bubble_log('next_layer: enabling passthru for server='+server_addr+' because security_level='+security_level+' for client='+client_addr)
             check = FORCE_PASSTHRU
 
+        elif fqdns is not None and len(fqdns) == 1 and cert_validation_host == fqdns[0]:
+            bubble_log('next_layer: NOT enabling passthru for server='+server_addr+' because fqdn is cert_validation_host ('+cert_validation_host+') for client='+client_addr)
+            return
+
         elif security_level == SEC_STD and no_fqdns:
             bubble_log('next_layer: enabling passthru for server='+server_addr+' because no FQDN found and security_level='+security_level+' for client='+client_addr)
             check = FORCE_PASSTHRU