[GH-ISSUE #5177] Server validation rejects custom domains that merely contain subDomainHost as substring #4043

New issue

Closed

opened 2026-05-05 14:33:50 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 14:33:50 -06:00

Owner

Originally created by @zesty-clawd on GitHub (Feb 13, 2026).
Original GitHub issue: https://github.com/fatedier/frp/issues/5177

Summary

When subDomainHost is enabled on frps, ValidateProxyConfigurerForServer rejects custom domains that contain the subDomainHost as a substring even when they are not subdomains. This blocks legitimate custom domains such as fooexample.com.cn for subDomainHost = example.com.

Where

pkg/config/v1/validation/proxy.go in validateDomainConfigForServer:

if s.SubDomainHost != "" && len(strings.Split(s.SubDomainHost, ".")) < len(strings.Split(domain, ".")) {
    if strings.Contains(domain, s.SubDomainHost) {
        return fmt.Errorf("custom domain [%s] should not belong to subdomain host [%s]", domain, s.SubDomainHost)
    }
}

Repro

frps.toml

subDomainHost = "example.com"

frpc.toml

serverAddr = "127.0.0.1"
serverPort = 7000

[[proxies]]
name = "web"
type = "http"
localPort = 8080
customDomains = ["fooexample.com.cn"]

Start frps then frpc.

Actual

frpc fails with: custom domain [fooexample.com.cn] should not belong to subdomain host [example.com]

Expected

fooexample.com.cn is not a subdomain of example.com (it ends with .com.cn). It should be accepted.

Why it happens

The validation uses strings.Contains(domain, s.SubDomainHost), which treats any substring match as a subdomain. This causes false positives for domains that contain the subDomainHost string but are not suffix matches.

Suggested fix

Use a suffix + dot-boundary check instead of substring:

if strings.HasSuffix(domain, "."+s.SubDomainHost) {
    // reject
}

(and possibly normalize/trim trailing dots before comparison).

Impact

Legitimate custom domains get rejected whenever their full name contains subDomainHost as a substring (e.g. fooexample.com.cn, bar-example.com.net, etc.), which is surprising and blocks valid deployments.

Originally created by @zesty-clawd on GitHub (Feb 13, 2026). Original GitHub issue: https://github.com/fatedier/frp/issues/5177 ### Summary When `subDomainHost` is enabled on frps, `ValidateProxyConfigurerForServer` rejects *custom* domains that **contain** the subDomainHost as a substring even when they are **not** subdomains. This blocks legitimate custom domains such as `fooexample.com.cn` for `subDomainHost = example.com`. ### Where `pkg/config/v1/validation/proxy.go` in `validateDomainConfigForServer`: ```go if s.SubDomainHost != "" && len(strings.Split(s.SubDomainHost, ".")) < len(strings.Split(domain, ".")) { if strings.Contains(domain, s.SubDomainHost) { return fmt.Errorf("custom domain [%s] should not belong to subdomain host [%s]", domain, s.SubDomainHost) } } ``` ### Repro 1) frps.toml ```toml subDomainHost = "example.com" ``` 2) frpc.toml ```toml serverAddr = "127.0.0.1" serverPort = 7000 [[proxies]] name = "web" type = "http" localPort = 8080 customDomains = ["fooexample.com.cn"] ``` 3) Start frps then frpc. ### Actual frpc fails with: `custom domain [fooexample.com.cn] should not belong to subdomain host [example.com]` ### Expected `fooexample.com.cn` is **not** a subdomain of `example.com` (it ends with `.com.cn`). It should be accepted. ### Why it happens The validation uses `strings.Contains(domain, s.SubDomainHost)`, which treats any substring match as a subdomain. This causes false positives for domains that *contain* the subDomainHost string but are not suffix matches. ### Suggested fix Use a suffix + dot-boundary check instead of substring: ```go if strings.HasSuffix(domain, "."+s.SubDomainHost) { // reject } ``` (and possibly normalize/trim trailing dots before comparison). ### Impact Legitimate custom domains get rejected whenever their full name contains `subDomainHost` as a substring (e.g. `fooexample.com.cn`, `bar-example.com.net`, etc.), which is surprising and blocks valid deployments.