Hi Mark,

Thanks for your quick reply.   According to the spec, the request line has
three parts: HTTP method, path and version.  Basically, what I wanted to do
is: if the Host header does not match the requested server name in the
URL, then return 404 or 403.

Can you please help me with how I can do this?  From the raw request, there is NO
way to know what the user-requested URL and host name are, as Tomcat
reconstructs that from the Host header.

When using the following:

curl -vvvv -k "https://10.40.43.26/login?sessionExpire=true" -H 'Host: attacker.com'

request.getServerName() = attacker.com

request.getHeader("Host") = attacker.com

request.getURL() :  https://attacker.com/login?sessionExpire=true

There is no way for the server to know that the Host header does not match
the URL hostname.  So the only way to stop this is to have a
pre-determined list of hostnames and check against it.  Do you have any
recommendations on how to detect a Host header mismatch from application logic?

The only thing I found is this, which keeps a list of trusted hosts and compares the
Host header against it:
https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java#L549

On Sat, Aug 19, 2023 at 2:10 PM Mark Thomas <ma...@apache.org> wrote:

>
> 19 Aug 2023 19:46:56 Bhavesh Mistry <mistry.p.bhav...@gmail.com>:
>
> > Hi, Tomcat Dev team and Users,
> >
> >
> > I am trying to block the request and give 404 bad requests or 403 when the
> > HOST header does not match the requested server name.  My goal is to block
> > whenever there is a mismatch in the host header and URL server name.
> >
> > I would appreciate your help.
>
> Look at the request. Despite the curl command using an IP address, the
> actual request does not contain a host in the request line hence there is
> no mismatch.
>
> Mark
>
>
> >
> > curl -vvvv -k "https://10.40.43.26/login?sessionExpire=true" -H 'Host: text.com'
> > * Using Stream ID: 1 (easy handle 0x7f8316012800)
> >> GET /login?sessionExpire=true HTTP/2
> >> Host: text.com
> >> User-Agent: curl/8.1.2
> >> Accept: */*
> >
> > Response:
> >
> > < HTTP/2 200
> > < cache-control: no-cache, no-store, must-revalidate
> > < expect-ct: enforce, max-age=30, report-uri='https://report-uri.com/account/'
> > < pragma: no-cache
> > < expires: Thu, 01 Jan 1970 00:00:00 GMT
> > < set-cookie: JSESSIONID=4D75D564BC3CF7E406A599962DE5C092;Version=1;Path=/versa;Secure;HttpOnly;SameSite=strict
> > < strict-transport-security: max-age=31536000 ; includeSubDomains ; preload
> > < x-xss-protection: 1; mode=block
> > < x-frame-options: DENY
> > < x-content-type-options: nosniff
> > < referrer-policy: strict-origin-when-cross-origin
> > < content-type: text/html;charset=UTF-8
> > < content-length: 4084
> > < date: Sat, 19 Aug 2023 19:02:11 GMT
> >
> > Here is my connector config:
> >
> >     <Connector port="${tomcat.port}" protocol="HTTP/1.1"
> >                connectionTimeout="20000"
> >                redirectPort="443" scheme="https" secure="true"
> >                server="Versa Director"
> >                address="${tomcat.address}" maxPostSize="-1"
> >                allowHostHeaderMismatch="false" />
> >
> >
> >     <Connector port="${tomcat.secure.port}"
> >                protocol="org.apache.coyote.http11.Http11NioProtocol"
> >                relaxedPathChars="[\\]^`{|}"
> >                relaxedQueryChars="[\\]^`{|}"
> >                allowHostHeaderMismatch="false"
> >                address="${tomcat.address}" minSpareThreads="100"
> >                maxThreads="200" SSLEnabled="true"
> >                scheme="https" secure="true" maxSwallowSize="-1"
> >                maxPostSize="-1">
> >
> > Thanks,
> >
> > Bhavesh
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
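An added example, not from this thread and not Tomcat's own code, of the allow-list approach the thread ends up at. Tomcat's `allowHostHeaderMismatch` only has something to compare when the request line carries an absolute URI (`GET https://host/path HTTP/1.1`); the origin-form request in the curl output above (`GET /login?... HTTP/2`) carries no host at all, so the only hostname the server ever sees is the one the client put in `Host` (or `:authority` on HTTP/2, which Tomcat exposes as the `Host` header). The filter below therefore checks that header against a configured allow-list and rejects everything else with 403. The filter class name, the `trustedHosts` init-param and the default host values are assumptions for the example.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Rejects requests whose Host header is not on a pre-configured allow-list.
 * Example code for the mailing-list discussion; the class name, init-param
 * name and default hosts are assumptions, not part of Tomcat.
 */
public class TrustedHostFilter implements Filter {

    // Assumed defaults; override with the "trustedHosts" init-param (comma-separated).
    private Set<String> trustedHosts = new HashSet<>(Arrays.asList(
            "example.com", "www.example.com", "10.40.43.26"));

    @Override
    public void init(FilterConfig config) {
        String param = config.getInitParameter("trustedHosts");
        if (param != null && !param.isBlank()) {
            trustedHosts = Arrays.stream(param.split(","))
                    .map(TrustedHostFilter::normalizeHost)
                    .filter(h -> h != null)
                    .collect(Collectors.toSet());
        }
    }

    /**
     * Lower-cases the host and strips any port so that "Example.com:8443"
     * and "example.com" compare equal. IPv6 literals ("[::1]:8443") keep
     * their brackets. Returns null for an empty or malformed value.
     */
    static String normalizeHost(String hostHeader) {
        if (hostHeader == null) {
            return null;
        }
        String h = hostHeader.trim().toLowerCase(Locale.ROOT);
        if (h.startsWith("[")) {                     // IPv6 literal
            int end = h.indexOf(']');
            return end < 0 ? null : h.substring(0, end + 1);
        }
        int colon = h.indexOf(':');                  // strip ":port"
        if (colon >= 0) {
            h = h.substring(0, colon);
        }
        return h.isEmpty() ? null : h;
    }

    boolean isTrusted(String hostHeader) {
        String h = normalizeHost(hostHeader);
        return h != null && trustedHosts.contains(h);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getServerName() and getRequestURL() are both rebuilt from this header,
        // so the header itself is the only thing worth validating. A missing
        // header (HTTP/1.0 client) also fails the check.
        String host = request.getHeader("Host");
        if (!isTrusted(host)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Register it in web.xml (or with `@WebFilter`) with a `url-pattern` of `/*` and put it first in the chain so that it runs before any code that calls `getServerName()` or builds redirect URLs. Note that this rejects by allow-list only: with origin-form requests there is no second copy of the host to detect a "mismatch" against, which is the point Mark makes above.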
