Posted to dev@httpd.apache.org by Bill Stoddard <bi...@wstoddard.com> on 2001/09/14 20:02:45 UTC

301 Redirect through a firewall... Possible to hide the origin server ip address?

Browser hits an Apache server through a firewall with a request like this:

GET /manual HTTP/1.0

manual is a directory which results in the server issuing a redirect thusly

HTTP/1.1 301 Moved Permanently
Date: Fri, 14 Sep 2001 17:37:22 GMT
Server: Apache/1.3.20 (Unix)
Location: http://origin_server/manual/
Connection: close
Content-Type: text/html; charset=iso-8859-1

The origin server sits behind a firewall. The problem is that the Location header field
contains the origin server name, not the name of the firewall, which is a bit of a
security exposure.

I really have no good ideas on how to prevent the location header field from having the
origin_server name/address. Thoughts?

Bill


Re: 301 Redirect through a firewall... Possible to hide the origin server ip address?

Posted by Ryan Bloom <rb...@covalent.net>.
On Friday 14 September 2001 11:02 am, Bill Stoddard wrote:
> Browser hits an Apache server through a firewall with a request like this:
>
> GET /manual HTTP/1.0
>
> manual is a directory which results in the server issuing a redirect thusly
>
> HTTP/1.1 301 Moved Permanently
> Date: Fri, 14 Sep 2001 17:37:22 GMT
> Server: Apache/1.3.20 (Unix)
> Location: http://origin_server/manual/
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> The origin server sits behind a firewall. The problem is that the Location
> header field contains the origin server name, not the name of the firewall,
> which is a bit of a security exposure.
>
> I really have no good ideas on how to prevent the location header field
> from having the origin_server name/address. Thoughts?

This is a config error.  Just set ServerName in the config file, and the server
will do the right thing.  You _may_ also need to set UseCanonicalName.

Ryan

______________________________________________________________
Ryan Bloom				rbb@apache.org
Covalent Technologies			rbb@covalent.net
--------------------------------------------------------------

Re: 301 Redirect through a firewall... Possible to hide the origin server ip address?

Posted by Aaron Bannert <aa...@clove.org>.
On Fri, Sep 14, 2001 at 11:40:57AM -0700, Justin Erenkrantz wrote:
> On Fri, Sep 14, 2001 at 11:26:37AM -0700, Aaron Bannert wrote:
> > If anything, this is a really minor security hole. If an attacker can
> > get into your system merely by knowing the internal names/IPs of your
> > servers then you are in trouble. Either do what Ryan said (for HTTP/1.0),
> > or set up a virtual-host to accept the name that brought the requests
> > to the firewall (really, it's just a proxy) in the first place (if you
> > don't care about <HTTP/1.1 requests, which is how it works in practice).
> 
> No, this is a functional error because the browser will use the location 
> field to get the next request (which is not resolvable from the outside
> in most cases with a firewall).  Oops.

To whom are you replying? Yes, it's a functional error, but I think
Bill was more concerned that it may expose possibly private internal names.
You and I have experienced this numerous times with the setup at eBuilt.

-aaron


Re: 301 Redirect through a firewall... Possible to hide the origin server ip address?

Posted by Justin Erenkrantz <je...@ebuilt.com>.
On Fri, Sep 14, 2001 at 11:59:29AM -0700, Ryan Bloom wrote:
> On Friday 14 September 2001 11:40 am, Justin Erenkrantz wrote:
> > On Fri, Sep 14, 2001 at 11:26:37AM -0700, Aaron Bannert wrote:
> > > If anything, this is a really minor security hole. If an attacker can
> > > get into your system merely by knowing the internal names/IPs of your
> > > servers then you are in trouble. Either do what Ryan said (for HTTP/1.0),
> > > or set up a virtual-host to accept the name that brought the requests
> > > to the firewall (really, it's just a proxy) in the first place (if you
> > > don't care about <HTTP/1.1 requests, which is how it works in practice).
> >
> > No, this is a functional error because the browser will use the location
> > field to get the next request (which is not resolvable from the outside
> > in most cases with a firewall).  Oops.
> 
> This is not a functional error, it is a config error.  The origin server can
> NOT know what the proxy's server name is, unless it is in the config file.
> If the config is fixed, the problem will go away.

As far as the browser is concerned, it is a functional error.
On our side, it is a configuration error.

You guys were saying that it was a security flaw - it is more than
that because the web browser can't request the correct page.  -- justin


Re: 301 Redirect through a firewall... Possible to hide the origin server ip address?

Posted by Ryan Bloom <rb...@covalent.net>.
On Friday 14 September 2001 11:40 am, Justin Erenkrantz wrote:
> On Fri, Sep 14, 2001 at 11:26:37AM -0700, Aaron Bannert wrote:
> > If anything, this is a really minor security hole. If an attacker can
> > get into your system merely by knowing the internal names/IPs of your
> > servers then you are in trouble. Either do what Ryan said (for HTTP/1.0),
> > or set up a virtual-host to accept the name that brought the requests
> > to the firewall (really, it's just a proxy) in the first place (if you
> > don't care about <HTTP/1.1 requests, which is how it works in practice).
>
> No, this is a functional error because the browser will use the location
> field to get the next request (which is not resolvable from the outside
> in most cases with a firewall).  Oops.

This is not a functional error, it is a config error.  The origin server can
NOT know what the proxy's server name is, unless it is in the config file.
If the config is fixed, the problem will go away.

Ryan
______________________________________________________________
Ryan Bloom				rbb@apache.org
Covalent Technologies			rbb@covalent.net
--------------------------------------------------------------

Re: 301 Redirect through a firewall... Possible to hide the origin server ip address?

Posted by Justin Erenkrantz <je...@ebuilt.com>.
On Fri, Sep 14, 2001 at 11:26:37AM -0700, Aaron Bannert wrote:
> If anything, this is a really minor security hole. If an attacker can
> get into your system merely by knowing the internal names/IPs of your
> servers then you are in trouble. Either do what Ryan said (for HTTP/1.0),
> or set up a virtual-host to accept the name that brought the requests
> to the firewall (really, it's just a proxy) in the first place (if you
> don't care about <HTTP/1.1 requests, which is how it works in practice).

No, this is a functional error because the browser will use the location 
field to get the next request (which is not resolvable from the outside
in most cases with a firewall).  Oops.

> p.s. Are "GET ... HTTP/1.0" requests allowed to return "HTTP/1.1" responses?

Yes, the server should respond with the highest HTTP version it supports.
-- justin


Re: 301 Redirect through a firewall... Possible to hide the origin server ip address?

Posted by Dirk-Willem van Gulik <di...@covalent.net>.
On Fri, 14 Sep 2001, Sander Temme wrote:

> on 9/14/01 11:26 AM, Aaron Bannert at aaron@clove.org wrote:
>
> > p.s. Are "GET ... HTTP/1.0" requests allowed to return "HTTP/1.1" responses?

Yes - normally but see below. The '1.1' reply signals that the server
would be able to talk 1.1(*) if requested. It does not say that the reply
is a 1.1 reply. This is unlike the request where the 1.x says what the
request 'is' (and thus what the max reply can be).

*: or at least is conditionally compliant.

The reason why the server does not need to directly state the protocol
level of the reply - and thus can use the version for telling what it
could do at a maximum; is that the client 'knows' that it has done a 1.0
request; as does the server - so both parties know that the reply is to be
a 1.0 reply or LOWER.

Thus there is no need to tell the client the version of the reply as any
higher version is backwards compatible with lower ones - or at least
aware of it so it can give a 50x - thus the server tells the client the
highest of what it could do. If this is lower than the request then it is
useful info for the client. If it is higher then the client may want to
use it for an upgrade. But note that even though the reply has a higher
version number; the server MUST still rewrite any headers down to the
clients version.

Now that is the 'easy' case. There are a few cases from rfc2145 which are
more complex; and since rfc2068 was published you have a non backwards
compatibility situations in proxies. Then the upgrade path is:

	proxy			MUST or MAY
	caching proxy		MUST
	gateway(**)		MAY
	tunnel			MUST not

for a version change on either side of the middle box. (**) Of course a
gateway could be black - and do 'anything'. Compare 2068 and 2616 for
the delta.

Dw

> If not, we're in trouble...
>
> [bistromath:sctemme] sctemme$telnet eddie-s.workbench.covalent.net 80
> Trying 10.0.43.34...
> Connected to eddie-s.workbench.covalent.net.
> Escape character is '^]'.
> GET / HTTP/1.0
>
> HTTP/1.1 200 OK
> Date: Fri, 14 Sep 2001 18:35:01 GMT
> Server: Apache/2.0.26-dev (Unix)
> Content-Length: 575
> Connection: close
> Content-Type: text/html; charset=ISO-8859-1
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
> (...)
>
> S.
>
>


Re: 301 Redirect through a firewall... Possible to hide the origin server ip address?

Posted by Sander Temme <sc...@covalent.net>.
on 9/14/01 11:26 AM, Aaron Bannert at aaron@clove.org wrote:

> p.s. Are "GET ... HTTP/1.0" requests allowed to return "HTTP/1.1" responses?

If not, we're in trouble...

[bistromath:sctemme] sctemme$telnet eddie-s.workbench.covalent.net 80
Trying 10.0.43.34...
Connected to eddie-s.workbench.covalent.net.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 14 Sep 2001 18:35:01 GMT
Server: Apache/2.0.26-dev (Unix)
Content-Length: 575
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
(...)

S.

-- 
Covalent Technologies                             sctemme@covalent.net
Engineering group                                Voice: (415) 536 5214
645 Howard St.                                     Fax: (415) 536 5210
San Francisco CA 94105

   PGP Fingerprint: 1E74 4E58 DFAC 2CF5 6A03  5531 AFB1 96AF B584 0AB1



Re: 301 Redirect through a firewall... Possible to hide the origin server ip address?

Posted by Aaron Bannert <aa...@clove.org>.
On Fri, Sep 14, 2001 at 02:02:45PM -0400, Bill Stoddard wrote:
> Browser hits an Apache server through a firewall with a request like this:
> 
> GET /manual HTTP/1.0
> 
> manual is a directory which results in the server issuing a redirect thusly
> 
> HTTP/1.1 301 Moved Permanently
> Date: Fri, 14 Sep 2001 17:37:22 GMT
> Server: Apache/1.3.20 (Unix)
> Location: http://origin_server/manual/
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> 
> The origin server sits behind a firewall. The problem is that the Location header field
> contains the origin server name, not the name of the firewall, which is a bit of a
> security exposure.
> 
> I really have no good ideas on how to prevent the location header field from having the
> origin_server name/address. Thoughts?

If anything, this is a really minor security hole. If an attacker can
get into your system merely by knowing the internal names/IPs of your
servers then you are in trouble. Either do what Ryan said (for HTTP/1.0),
or set up a virtual-host to accept the name that brought the requests
to the firewall (really, it's just a proxy) in the first place (if you
don't care about <HTTP/1.1 requests, which is how it works in practice).

p.s. Are "GET ... HTTP/1.0" requests allowed to return "HTTP/1.1" responses?

-aaron

Re: 301 Redirect through a firewall... Possible to hide the origin server ip address?

Posted by Ian Holsman <ia...@cnet.com>.
you "could" proxy the requests through another machine
you "could" change the server name of "origin_server" to be the name of
the 'outside' machine

..ian


On Fri, 2001-09-14 at 11:02, Bill Stoddard wrote:
> Browser hits an Apache server through a firewall with a request like this:
> 
> GET /manual HTTP/1.0
> 
> manual is a directory which results in the server issuing a redirect thusly
> 
> HTTP/1.1 301 Moved Permanently
> Date: Fri, 14 Sep 2001 17:37:22 GMT
> Server: Apache/1.3.20 (Unix)
> Location: http://origin_server/manual/
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> 
> The origin server sits behind a firewall. The problem is that the Location header field
> contains the origin server name, not the name of the firewall, which is a bit of a
> security exposure.
> 
> I really have no good ideas on how to prevent the location header field from having the
> origin_server name/address. Thoughts?
> 
> Bill
-- 
Ian Holsman          IanH@cnet.com
Performance Measurement & Analysis
CNET Networks   -   (415) 364-8608


Re: 301 Redirect through a firewall... Possible to hide the origin server ip address?

Posted by Sander van Zoest <sa...@vanZoest.com>.
On Fri, 14 Sep 2001, Bill Stoddard wrote:

> Browser hits an Apache server through a firewall with a request like this:
>
> GET /manual HTTP/1.0
>
> manual is a directory which results in the server issuing a redirect thusly
>
> HTTP/1.1 301 Moved Permanently
> Date: Fri, 14 Sep 2001 17:37:22 GMT
> Server: Apache/1.3.20 (Unix)
> Location: http://origin_server/manual/
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> The origin server sits behind a firewall. The problem is that the Location
> header field contains the origin server name, not the name of the firewall,
> which is a bit of a security exposure.
>
> I really have no good ideas on how to prevent the location header field from
> having the origin_server name/address. Thoughts?

Did you use the ProxyPassReverse directive as described on
<http://httpd.apache.org/docs/mod/mod_proxy.html>?

If I understand your problem correctly, having the above directive added
to your firewall (httpd w/mod_proxy?) httpd config, should fix the issue.

I do not think it makes sense to add a "fix" on the origin server, since
it is something that the firewall should handle.

Cheers,

--
Sander van Zoest                                          sander@vanzoest.com
High Geek                                         http://Sander.vanZoest.com/
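
The following is an added example, not part of the original thread and not Apache source code: a simplified Python model of the Location fix-up that a front-end proxy performs for ProxyPassReverse, together with a check that flags a redirect still naming an internal host. The public name www.example.com and all function names are assumptions made for illustration; the sample response is constructed from the 301 quoted in the first post.

```python
from urllib.parse import urlsplit

# Constructed sample: the 301 from the original post, as raw header lines.
ORIGIN_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Date: Fri, 14 Sep 2001 17:37:22 GMT\r\n"
    "Server: Apache/1.3.20 (Unix)\r\n"
    "Location: http://origin_server/manual/\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return (status_line, [(name, value), ...]) from a raw header block."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        # Split on the first colon only, so values such as dates stay intact.
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers

def leaked_location(raw, public_hosts):
    """Return the Location URL if its host is not a public name, else None."""
    _, headers = parse_headers(raw)
    for name, value in headers:
        if name.lower() == "location":
            host = urlsplit(value).hostname
            if host and host.lower() not in public_hosts:
                return value
    return None

def rewrite_location(raw, backend_prefix, public_prefix):
    """Swap the backend URL prefix in Location for the public one.

    Hypothetical helper modelling the proxy-side fix-up; every other
    header passes through unchanged.
    """
    status, headers = parse_headers(raw)
    out = [status]
    for name, value in headers:
        if name.lower() == "location" and value.startswith(backend_prefix):
            value = public_prefix + value[len(backend_prefix):]
        out.append(f"{name}: {value}")
    return "\r\n".join(out) + "\r\n\r\n"
```

Running leaked_location over responses captured outside the firewall gives a quick regression check that neither a missing ServerName on the origin nor a missing reverse mapping on the proxy has reintroduced the internal name.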