Posted to users@tomcat.apache.org by Bhavesh Mistry <mi...@gmail.com> on 2023/08/19 18:46:56 UTC

Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

Hi, Tomcat Dev team and Users,


I am trying to block the request and give 404 bad requests or 403 when the
HOST header does not match the requested server name.  My goal is to block
whenever there is a mismatch in the host header and URL server name.

I would appreciate your help.

curl -vvvv -k "https://10.40.43.26/login?sessionExpire=true" -H 'Host: text.com'
* Using Stream ID: 1 (easy handle 0x7f8316012800)
> GET /login?sessionExpire=true HTTP/2
> Host: text.com
> User-Agent: curl/8.1.2
> Accept: */*

Response:

< HTTP/2 200
< cache-control: no-cache, no-store, must-revalidate
< expect-ct: enforce, max-age=30, report-uri='https://report-uri.com/account/'
< pragma: no-cache
< expires: Thu, 01 Jan 1970 00:00:00 GMT
< set-cookie: JSESSIONID=4D75D564BC3CF7E406A599962DE5C092;Version=1;Path=/versa;Secure;HttpOnly;SameSite=strict
< strict-transport-security: max-age=31536000 ; includeSubDomains ; preload
< x-xss-protection: 1; mode=block
< x-frame-options: DENY
< x-content-type-options: nosniff
< referrer-policy: strict-origin-when-cross-origin
< content-type: text/html;charset=UTF-8
< content-length: 4084
< date: Sat, 19 Aug 2023 19:02:11 GMT

Here is my connector config:

    <Connector port="${tomcat.port}" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" scheme="https" secure="true"
               server="Versa Director"
               address="${tomcat.address}" maxPostSize="-1"
               allowHostHeaderMismatch="false" />

    <Connector port="${tomcat.secure.port}"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               relaxedPathChars="[\\]^`{|}"
               relaxedQueryChars="[\\]^`{|}"
               allowHostHeaderMismatch="false"
               address="${tomcat.address}" minSpareThreads="100"
               maxThreads="200" SSLEnabled="true"
               scheme="https" secure="true" maxSwallowSize="-1"
               maxPostSize="-1">

Thanks,

Bhavesh

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

Posted by Bhavesh Mistry <mi...@gmail.com>.
Hi Mark,

Thanks for your help. We will go with validation against a known trusted
list of hosts, as you suggested. Also, I have updated
https://bz.apache.org/bugzilla/show_bug.cgi?id=64353 with a reference to this
discussion.

As always, thanks for your wonderful support!

Thanks,

Bhavesh

On Tue, Aug 29, 2023 at 2:07 PM Mark Thomas <ma...@apache.org> wrote:


Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

Posted by Mark Thomas <ma...@apache.org>.
On 29/08/2023 21:51, Bhavesh Mistry wrote:
> Hi Mark,
> 
>> curl -vvvv -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com'
> 
> Why? What problem are you trying to solve?
> 
> Host header injection is a vulnerability that needs to be addressed. I am
> trying to solve the case where the host is a mismatch between the HOST (or
> :authority) header, because links are generated based on the host headers.
> 
> For now the only way to prevent it is to have a set of allowed hosts and check
> against this list.

I'd argue that links shouldn't be being generated based on the Host 
header. You should be able to use relative links. That said...

Given the wide variety of deployment architectures (CDN, reverse proxy,
etc.), if you do need to use the Host header, validation against a known
trusted list is probably the most robust option. TLS information may not
always be available.

> Should I update the bug to provide SNI information for the request or
> should I file another request ?
> See also https://bz.apache.org/bugzilla/show_bug.cgi?id=64353

I'd say add it to that issue as the two are closely related.

> 3) I tried the following, but again curl -vvvv shows it never sent
> www.mydomain.com since it was only used to reach the IP. (This is what
> Thomas Hoffmann mentioned.)
> https://serverfault.com/questions/850955/tomcat-virtual-host-to-prevent-improper-input-handling-attack
> 
> Thanks for your help so far.

There is another option.

The Host header is used for virtual host selection. If you create a 
valid virtual host for each valid host name (you can have aliases so 
they could all go to the same host) then the default virtual host could 
just have a ROOT webapp that returned you 4xx response of choice.

It is just a different way of implementing an allow list for the Host 
header. The advantage is that it is transparent to the application(s).

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
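Mark's second option, letting virtual host selection do the allow-listing, looks like the following in server.xml. This is an added example written for this page, not configuration from the thread or from Tomcat's default server.xml; the host names, the appBase directories and the catch-all name (a reserved .invalid name, so it can never collide with a real DNS name) are assumptions. Tomcat matches the Host header, or the HTTP/2 :authority, against Host names and Aliases case-insensitively and without the port, and routes anything that matches nothing to the Engine's defaultHost.

```xml
<!-- server.xml fragment: added example, not from the thread. Host names,
     appBase directories and the catch-all name are assumptions. -->
<Engine name="Catalina" defaultHost="catchall.invalid">

  <!-- Any Host header / :authority that matches no other Host (or Alias)
       below is routed here. A ROOT webapp under this appBase returns the
       4xx of your choice; an appBase with no webapp at all already yields
       404 for every request to this host. -->
  <Host name="catchall.invalid" appBase="webapps-catchall"
        unpackWARs="false" autoDeploy="false">
    <!-- Separate access log so rejected Host values are easy to review. -->
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="logs" prefix="rejected_host_access_log" suffix=".txt"
           pattern="%h %t &quot;%r&quot; %s %{Host}i" />
  </Host>

  <!-- The real application. Every name the site is legitimately reached by
       goes here, as the Host name or as an Alias; anything else falls
       through to the catch-all above. -->
  <Host name="www.mydomain.com" appBase="webapps"
        unpackWARs="true" autoDeploy="false">
    <Alias>mydomain.com</Alias>
    <Alias>10.40.43.26</Alias>
  </Host>

</Engine>
```

Because the selection is by Host value only, a client that presents one name in SNI and a different one in Host still lands in the catch-all unless the Host value is on the list, which is the behaviour wanted in this thread; the certificate choice (SSLHostConfig) is a separate, SNI-driven decision. If the application must also stay reachable by IP address, as the curl commands in this thread do, the IP literal has to be an Alias as above, otherwise those requests are rejected too.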


Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

Posted by Bhavesh Mistry <mi...@gmail.com>.
Hi Mark,

> curl -vvvv -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com'

> Why? What problem are you trying to solve?

Host header injection is a vulnerability that needs to be addressed. I am
trying to solve the case where the host is a mismatch between the HOST (or
:authority) header, because links are generated based on the host headers.

For now the only way to prevent it is to have a set of allowed hosts and check
against this list.


Should I update the bug to provide SNI information for the request, or
should I file another request?
See also https://bz.apache.org/bugzilla/show_bug.cgi?id=64353

3) I tried the following, but again curl -vvvv shows it never sent
www.mydomain.com since it was only used to reach the IP. (This is what
Thomas Hoffmann mentioned.)
https://serverfault.com/questions/850955/tomcat-virtual-host-to-prevent-improper-input-handling-attack

Thanks for your help so far.

Thanks,

Bhavesh

On Tue, Aug 29, 2023 at 1:16 PM Mark Thomas <ma...@apache.org> wrote:


Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

Posted by Mark Thomas <ma...@apache.org>.
On 29/08/2023 08:00, Bhavesh Mistry wrote:
> Hi Mark,
> 
> I am sorry for the delayed response.
> 
> Basically, when the request URL does not match the host header, then I would
> reject it. For example,
> 
> curl -vvvv -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com'

Why? What problem are you trying to solve?


> Based on the curl -vvv output, the tomcat server does not know the host name
> used (www.mydomain.com), but the Host header is attackerHostHeaderInjection.com.
> 
> In this case I would like to reject the request and send 403 or 404. As you
> explained, the request line does not have the full URL, so allowHostHeaderMismatch
> will not reject it.
> 
> So my idea is to use SNI to get the hostname and compare it with the HOST header
> or :authority, and reject the request if they differ.
> 
> Is it possible to request a new feature in Tomcat to get or expose the SNI name
> used by the client?

That is certainly possible. How likely it is to get implemented depends 
on the justification.

See also https://bz.apache.org/bugzilla/show_bug.cgi?id=64353

Mark



Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

Posted by Bhavesh Mistry <mi...@gmail.com>.
Hi Mark,

I am sorry for the delayed response.

Basically, when the request URL does not match the host header, then I would
reject it. For example,

curl -vvvv -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com'


Based on the curl -vvv output, the tomcat server does not know the host name
used (www.mydomain.com), but the Host header is attackerHostHeaderInjection.com.

In this case I would like to reject the request and send 403 or 404. As you
explained, the request line does not have the full URL, so allowHostHeaderMismatch
will not reject it.

So my idea is to use SNI to get the hostname and compare it with the HOST header
or :authority, and reject the request if they differ.

Is it possible to request a new feature in Tomcat to get or expose the SNI name
used by the client?

Thanks,

Bhavesh


On Tue, Aug 22, 2023, 3:03 PM Mark Thomas <ma...@apache.org> wrote:


Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

Posted by Mark Thomas <ma...@apache.org>.
Tomcat doesn't expose the SNI information.

What problem are you trying to solve here?

Tomcat rejects requests with mis-matched host headers by default and can 
be configured to allow them in 8.5.x, 9.0.x and 10.1.x. You shouldn't 
need to write any extra code for this.

Mark


On 21/08/2023 12:59, Bhavesh Mistry wrote:



Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

Posted by Bhavesh Mistry <mi...@gmail.com>.
Hi Mark and Thomas,

I understand now that Tomcat does not have information other than HOST
(HTTP/1.1) and :authority (HTTP/2). So there is no way to check what URL
was used to connect against the headers.

I was wondering if the TLS handshake can provide SNI that can be used for this
purpose.

Server Name Indication (SNI) is an extension of the TLS protocol. The
client specifies which hostname they want to connect to using the SNI
extension in the TLS handshake.

SNI will be the hostname that the browser used to negotiate TLS, so my
idea is to check SNI vs. the Host or :authority header, and if there is a
mismatch between host/authority and SNI, I can reject the request and throw
a 404 status.

Do you know how I can obtain SNI from the Tomcat HttpRequest object, i.e.
what hostname was negotiated with TLS? What do you think of the idea of
checking SNI against the Host or :authority headers?

As always, your opinion and suggestions are always appreciated.

Thanks,

Bhavesh

AW: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

Posted by "Thomas Hoffmann (Speed4Trade GmbH)" <Th...@speed4trade.com.INVALID>.
Hello,

> -----Original Message-----
> From: Bhavesh Mistry <mi...@gmail.com>
> Sent: Sunday, 20 August 2023 04:09
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: Tomcat 9 Connector config allowHostHeaderMismatch not
> working as expected
> 
> Hi Mark,
> 
> Thanks for your quick reply. According to the spec, the request line has
> three parts: HTTP method, path and version. Basically, what I wanted to do is,
> if the HOST header does not match the requested server name in the URL,
> then return 404 or 403.
> 
> Can you please help me with how I can do this? From the raw request, there is NO
> way to know what the user's requested URL is and the HOST name, as tomcat
> reconstructed that from the HOST header.
> 
> When using the following:
> 
> curl -vvvv -k "https://10.40.43.26/login?sessionExpire=true" -H 'Host: attacker.com'

The IP address will never be sent to the server. It is only used at the TCP level to send the packet to the target.
The host name is only transmitted via the HTTP header (-H Host:xxx).
Even if you use a domain name instead of an IP address, this name will only be used to look up the IP address via DNS.
The TCP packet is then sent to the resolved IP address.



> 
> request.getServerName() = attacker.com
> 
> request.getHeader("Host") = attacker.com
> 
> request.getURL() : https://attacker.com/login?sessionExpire=true
> 
> There is no way for the server to know that the HOST header does not match
> the URL hostname. So the only way to stop this is to have a pre-determined
> list of hostnames and check against it. Do you have any recommendations on
> how to detect a host header mismatch from application logic?
> 
> The only thing I found is this, to have a list of trusted hosts and compare the
> host header against it:
> https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java#L549

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

Posted by Bhavesh Mistry <mi...@gmail.com>.
Hi Mark,

Thanks for your quick reply. According to the spec, the request line has
three parts: HTTP method, path and version. Basically, what I wanted to do
is, if the HOST header does not match the requested server name in the
URL, then return 404 or 403.

Can you please help me with how I can do this? From the raw request, there is NO
way to know what the user's requested URL is and the HOST name, as tomcat
reconstructed that from the HOST header.

When using the following:

curl -vvvv -k "https://10.40.43.26/login?sessionExpire=true" -H 'Host: attacker.com'

request.getServerName() = attacker.com

request.getHeader("Host") = attacker.com

request.getURL() : https://attacker.com/login?sessionExpire=true

There is no way for the server to know that the HOST header does not match
the URL hostname. So the only way to stop this is to have a pre-determined
list of hostnames and check against it. Do you have any recommendations on
how to detect a host header mismatch from application logic?

The only thing I found is this, to have a list of trusted hosts and compare the
host header against it:
https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java#L549

On Sat, Aug 19, 2023 at 2:10 PM Mark Thomas <ma...@apache.org> wrote:

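Mark's "validation against a known trusted list" can be done without pulling in Spring Security's StrictHttpFirewall. The servlet Filter below is an added example written for this page, not code from the thread, from Tomcat or from Spring Security; the package and class names and the allowedHosts / rejectStatus init-params are assumptions. It checks HttpServletRequest.getServerName(), which Tomcat fills from the Host header for HTTP/1.1 and from the :authority pseudo-header for HTTP/2 (the thread shows it returning the attacker-supplied value), against an allow list that may contain *.example wildcard entries, and answers with a configurable 4xx. Unlike the connector's allowHostHeaderMismatch, which only applies when the request line carries an absolute URI that disagrees with the Host header, this check runs on every request.

```java
// HostAllowListFilter.java: added example, not code from the thread, from
// Tomcat or from Spring Security. Package, class and init-param names are
// assumptions chosen for this example.
package example.hostcheck;

import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects requests whose Host header (HTTP/1.1) or :authority (HTTP/2) does
 * not name a host on a fixed allow list. Tomcat exposes both through
 * HttpServletRequest.getServerName(), already without any port suffix.
 */
public class HostAllowListFilter implements Filter {

    private final Set<String> exactHosts = new HashSet<>();
    // Entries such as "*.mydomain.com" are stored as ".mydomain.com" and match subdomains only.
    private final Set<String> wildcardSuffixes = new HashSet<>();
    private int rejectStatus = HttpServletResponse.SC_BAD_REQUEST;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // "allowedHosts" (comma-separated) and "rejectStatus" are init-param names assumed here.
        String hosts = config.getInitParameter("allowedHosts");
        if (hosts == null || hosts.trim().isEmpty()) {
            throw new ServletException("allowedHosts init-param is required");
        }
        configure(hosts);
        String status = config.getInitParameter("rejectStatus");
        if (status != null) {
            rejectStatus = Integer.parseInt(status.trim());
        }
    }

    /** Parses "www.mydomain.com, *.mydomain.com, 10.40.43.26" into the two sets. */
    void configure(String allowedHosts) {
        for (String entry : allowedHosts.split(",")) {
            String h = entry.trim().toLowerCase(Locale.ROOT);
            if (h.isEmpty()) {
                continue;
            }
            if (h.startsWith("*.")) {
                wildcardSuffixes.add(h.substring(1));   // keep the leading dot
            } else {
                exactHosts.add(h);
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String serverName = request.getServerName();
        if (!isAllowed(serverName)) {
            // Log the raw value so rejections can be correlated with the access log.
            request.getServletContext().log("Rejected Host/:authority '" + serverName
                    + "' from " + request.getRemoteAddr());
            response.sendError(rejectStatus);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Case-insensitive match; a trailing dot ("www.mydomain.com.") names the same host. */
    boolean isAllowed(String serverName) {
        if (serverName == null || serverName.isEmpty()) {
            return false;   // no usable Host at all: treat as a mismatch
        }
        String name = serverName.toLowerCase(Locale.ROOT);
        if (name.endsWith(".")) {
            name = name.substring(0, name.length() - 1);
        }
        if (exactHosts.contains(name)) {
            return true;
        }
        for (String suffix : wildcardSuffixes) {
            // name must be strictly longer than the suffix, so "*.mydomain.com" does not admit "mydomain.com" itself
            if (name.endsWith(suffix) && name.length() > suffix.length()) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
    }
}
```

Register it in web.xml (or with @WebFilter) on url-pattern /* with an allowedHosts value such as www.mydomain.com,*.mydomain.com,10.40.43.26. Behind a reverse proxy or CDN the filter sees whatever Host the proxy forwards, so the list has to be written for that value, and because it runs inside the webapp it protects only that webapp, which is why the server.xml virtual-host approach Mark describes is the transparent alternative.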

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

Posted by Mark Thomas <ma...@apache.org>.
19 Aug 2023 19:46:56 Bhavesh Mistry <mi...@gmail.com>:

> Hi, Tomcat Dev team and Users,
>
>
> I am trying to block the request and give 404 bad requests or 403 when the
> HOST header does not match the requested server name.  My goal is to block
> whenever there is a mismatch in the host header and URL server name.
>
> I would appreciate your help.

Look at the request. Despite the curl command using an IP address, the 
actual request does not contain a host in the request line hence there is 
no mismatch.

Mark


