Hello,

> -----Original Message-----
> From: Bhavesh Mistry <mistry.p.bhav...@gmail.com>
> Sent: Sunday, 20 August 2023 04:09
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Tomcat 9 Connector config allowHostHeaderMismatch not
> working as expected
> 
> Hi Mark,
> 
> Thanks for your quick reply.   According to the spec, the request line
> has three parts: HTTP method, path and version.  Basically, what I wanted
> to do is: if the HOST header does not match the requested server name in
> the URL, then return 404 or 403.
> 
> Can you please help me with how I can do this?  From the raw request, there
> is NO way to know what the user's requested URL is and the HOST name, as
> Tomcat reconstructed that from the HOST header.
> 
> When using the following:
> 
> curl -vvvv -k "https://10.40.43.26/login?sessionExpire=true" -H 'Host: attacker.com'

The IP address is never sent to the server. It is only used at the TCP level
to deliver the packet to the target.
The host name is only transmitted via the HTTP header (-H Host:xxx).
Even if you use a domain name instead of an IP address, that name is only
used to look up the IP address via DNS.
The TCP packet is then sent to the resolved IP address.

> 
> request.getServerName() = attacker.com
> 
> request.getHeader("Host") = attacker.com
> 
> request.getURL() :  https://attacker.com/login?sessionExpire=true
> 
> There is no way for the server to know that the HOST header does not match
> the URL hostname.  So the only way to stop this is to have a pre-determined
> list of hostnames and check against it.  Do you have any recommendations on
> how to detect a host header mismatch from application logic?
> 
> The only thing I found is to have a list of trusted hosts and compare the
> host header against it:
> https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java#L549
> 
> On Sat, Aug 19, 2023 at 2:10 PM Mark Thomas <ma...@apache.org> wrote:
> 
> >
> > 19 Aug 2023 19:46:56 Bhavesh Mistry <mistry.p.bhav...@gmail.com>:
> >
> > > Hi, Tomcat Dev team and Users,
> > >
> > >
> > > I am trying to block the request and give 404 bad requests or 403
> > > when the HOST header does not match the requested server name.  My
> > > goal is to block whenever there is a mismatch in the host header and
> > > URL server name.
> > >
> > > I would appreciate your help.
> >
> > Look at the request. Despite the curl command using an IP address, the
> > actual request does not contain a host in the request line hence there
> > is no mismatch.
> >
> > Mark
> >
> >
> > >
> > > curl -vvvv -k "https://10.40.43.26/login?sessionExpire=true" -H 'Host: text.com'
> > > * Using Stream ID: 1 (easy handle 0x7f8316012800)
> > >> GET /login?sessionExpire=true HTTP/2
> > >> Host: text.com
> > >> User-Agent: curl/8.1.2
> > >> Accept: */*
> > >
> > > Response:
> > >
> > > < HTTP/2 200
> > > < cache-control: no-cache, no-store, must-revalidate
> > > < expect-ct: enforce, max-age=30, report-uri='https://report-uri.com/account/'
> > > < pragma: no-cache
> > > < expires: Thu, 01 Jan 1970 00:00:00 GMT
> > > < set-cookie: JSESSIONID=4D75D564BC3CF7E406A599962DE5C092;Version=1;Path=/versa;Secure;HttpOnly; SameSite=strict
> > > < strict-transport-security: max-age=31536000 ; includeSubDomains ; preload
> > > < x-xss-protection: 1; mode=block
> > > < x-frame-options: DENY
> > > < x-content-type-options: nosniff
> > > < referrer-policy: strict-origin-when-cross-origin
> > > < content-type: text/html;charset=UTF-8
> > > < content-length: 4084
> > > < date: Sat, 19 Aug 2023 19:02:11 GMT
> > >
> > > Here is my connector config:
> > >
> > >     <Connector port="${tomcat.port}" protocol="HTTP/1.1"
> > >                connectionTimeout="20000"
> > >                redirectPort="443" scheme="https" secure="true"
> > >                server="Versa Director"
> > >                address="${tomcat.address}" maxPostSize="-1"
> > >                allowHostHeaderMismatch="false" />
> > >
> > >     <Connector port="${tomcat.secure.port}"
> > >                protocol="org.apache.coyote.http11.Http11NioProtocol"
> > >                relaxedPathChars="[\\]^`{|}"
> > >                relaxedQueryChars="[\\]^`{|}"
> > >                allowHostHeaderMismatch="false"
> > >                address="${tomcat.address}" minSpareThreads="100"
> > >                maxThreads="200" SSLEnabled="true"
> > >                scheme="https" secure="true" maxSwallowSize="-1"
> > >                maxPostSize="-1">
> > >
> > > Thanks,
> > >
> > > Bhavesh
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
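
The reply above makes the point that matters for this thread: neither the IP address nor the DNS name typed into the URL ever reaches Tomcat. For an origin-form request line (`GET /login?sessionExpire=true HTTP/2`) the only name the server sees is the Host header (with HTTP/2, curl's `-H Host:` travels as the `:authority` pseudo-header, which Tomcat hands to the application as the Host header, as the thread's own output shows). Tomcat's allowHostHeaderMismatch compares the Host header against an absolute-form request line (`GET https://host/path HTTP/1.1`), so for these requests it has nothing to compare and cannot trigger. The practical check is therefore the allow-list approach the thread arrives at. The servlet Filter below is an added example written for this page, not code from Tomcat or from anyone in the thread; the class name `AllowedHostsFilter`, the init-param `allowedHosts` and the choice of 403 over 404 are assumptions. It uses the `javax.servlet` API because the thread is about Tomcat 9.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects any request whose Host header is not on an explicit allow-list.
 * Example code for this thread (not part of Tomcat). Configure in web.xml
 * with an init-param "allowedHosts" (assumed name) holding a comma-separated
 * list of host names or IP literals without ports, e.g.
 *   director.example.com, 10.40.43.26, [::1]
 */
public class AllowedHostsFilter implements Filter {

    private Set<String> allowedHosts = new HashSet<>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        String raw = config.getInitParameter("allowedHosts");
        if (raw == null || raw.trim().isEmpty()) {
            // Fail closed: refuse to start rather than silently allow every Host value.
            throw new ServletException("allowedHosts init-param is required");
        }
        allowedHosts = Arrays.stream(raw.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .map(s -> s.toLowerCase(Locale.ROOT))
                .collect(Collectors.toSet());
    }

    /**
     * Returns the lower-cased host part of a Host header value with any port
     * removed: "Example.com:8443" -> "example.com", "[::1]:8443" -> "[::1]".
     * Returns null when the header is absent, blank or malformed (for example
     * a non-numeric port or an unbracketed IPv6 literal), so the caller rejects it.
     */
    static String hostWithoutPort(String hostHeader) {
        if (hostHeader == null) return null;
        String h = hostHeader.trim().toLowerCase(Locale.ROOT);
        if (h.isEmpty()) return null;
        if (h.startsWith("[")) {                      // bracketed IPv6 literal
            int close = h.indexOf(']');
            if (close < 0) return null;
            String rest = h.substring(close + 1);
            if (!rest.isEmpty() && !rest.matches(":\\d+")) return null;
            return h.substring(0, close + 1);
        }
        int colon = h.indexOf(':');
        if (colon < 0) return h;                      // no port
        if (h.indexOf(':', colon + 1) >= 0) return null;   // second colon: not host:port
        if (!h.substring(colon + 1).matches("\\d+")) return null;
        return h.substring(0, colon);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Check the raw header. getServerName() is derived from the same header,
        // so comparing the two (as the thread found) can never detect anything.
        String host = hostWithoutPort(request.getHeader("Host"));
        if (host == null || !allowedHosts.contains(host)) {
            // Policy choice (assumption): a missing Host header is rejected too,
            // since HTTP/1.1 requires it. Switch to SC_NOT_FOUND if 404 is preferred.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Map the filter to `/*` in web.xml with a `<filter>` element carrying the `allowedHosts` init-param and a matching `<filter-mapping>`, and put it first in the chain so nothing else sees an unexpected host. Two caveats: the allow-list entries must use the same normalised form the method produces (lower case, no port, IPv6 in brackets), and a reverse proxy in front of Tomcat has to forward the client's Host header unchanged or the check only ever sees the proxy's name. A code-free alternative inside Tomcat itself is to name the real `<Host>` elements (and their aliases) after the legitimate host names and point the Engine's `defaultHost` at a `<Host>` with no deployed applications, so that any other Host value lands on an empty host and gets a 404 from Tomcat.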
