Reject requests with incorrect HOST header...

Hello,

I have come across a security issue, and one of the reasons is Apache allowing requests with an incorrect HOST header to be served.

Question in short:

Is there an Apache directive which will reject requests with an incorrect or missing HOST header?  I mean, if my Apache is serving one.xyz.com, reject all requests coming to that IP address and port using any other hostname. Meaning reject 1.xyz.com or one.abc.com or 2.xyz.com or two.xyz.com.

And second, why would Apache allow that in the first place, especially if we are not using name-based VHosting?

----------------------------------------------------------------------------------------------------------------------------------------
Details:

Let's say I have a few IP-based VHOSTs proxying content from the backend.

<VirtualHost 111.22.33.44:80>
# No forward proxy (the directive is ProxyRequests, plural)
ProxyRequests Off

# server One
ServerName one.xyz.com
# Reverse-proxy /all to the backend and rewrite Location headers on the way back
ProxyPass /all        http://backend.com/all
ProxyPassReverse /all     http://backend.com/all
...
</VirtualHost>

We have a gate-keeper which checks incoming requests for the one.xyz.com domain name and prompts them for authentication.

Now, if I make a hosts file change on my local (client) computer such that
111.22.33.44    www.hack.com

And then if I point my browser to www.hack.com/all, I am in w/o any challenge.  Apache ignores the HOST header and the gate-keeper lets it go as it is only protecting one.xyz.com.

Well, we had patched the GateKeeper for the above problem a few years back, but today a similar issue has come to our notice whereby a hacker can point to one of our server IP addresses as a proxy server address in their browser. Once again Apache simply ignored the HOST header in the request, and this time it confused the gate-keeper s/w too and let the request through w/o authentication.

I want to keep this post simple and hence skip the details. I know we have a problem with the gate-keeper s/w and will open a case with them, but I wish there were an Apache directive which would simply reject requests with a non-matching HOST.

Thank you
-j
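The configuration below is an added example (not part of the original post and not the poster's actual config) showing how to get the behaviour asked for with Apache 2.4. It keeps the names from the post (111.22.33.44, one.xyz.com, backend.com); the placeholder ServerName default.invalid, the log file names and the commented-out ServerAlias are assumptions for illustration. The point it demonstrates: Apache selects a VirtualHost by IP:port first, and when only one vhost is bound to that socket every request lands in it regardless of the Host header (or of the hostname in a proxy-style absolute request-URI), so the fix is to make a deny-everything vhost the default for that IP:port and let name matching route only the expected hostname to the real one.

```apache
# Added example: reject any request to 111.22.33.44:80 whose hostname is not
# one.xyz.com. The FIRST <VirtualHost> for an IP:port is Apache's default for
# hostnames that match no ServerName/ServerAlias, and for requests with no
# Host header at all, so the deny-all block must come first.

Listen 80

# 1) Default vhost: reached only for unknown or missing hostnames
#    (www.hack.com, 1.xyz.com, two.xyz.com, HTTP/1.0 without Host, ...).
#    Also catches proxy-style "GET http://www.hack.com/all HTTP/1.1", because
#    Apache takes the request's hostname from the absolute URI when present.
<VirtualHost 111.22.33.44:80>
    ServerName default.invalid        # assumed placeholder; never a real site
    ProxyRequests Off
    <Location "/">
        Require all denied            # answer 403 for everything
    </Location>
    ErrorLog  logs/unknown-host-error.log      # assumed names, relative to ServerRoot
    CustomLog logs/unknown-host-access.log combined
</VirtualHost>

# 2) The real site. Only requests whose hostname is exactly one.xyz.com
#    (or an alias you list explicitly) are routed here.
<VirtualHost 111.22.33.44:80>
    ServerName one.xyz.com
    # ServerAlias www.one.xyz.com     # assumed; add only names you really serve
    ProxyRequests Off
    UseCanonicalName On               # self-referential URLs use ServerName, not the client's Host

    # Belt and braces: deny inside the vhost as well, so a later edit that
    # removes the default vhost does not silently reopen the hole. Checks the
    # raw Host header, with and without the port suffix a client may send.
    <If "%{HTTP_HOST} != 'one.xyz.com' && %{HTTP_HOST} != 'one.xyz.com:80'">
        Require all denied
    </If>

    ProxyPass        /all http://backend.com/all
    ProxyPassReverse /all http://backend.com/all
</VirtualHost>
```

To verify from a client, send the two requests from the post and expect 403 for both: a spoofed header with `curl -i -H 'Host: www.hack.com' http://111.22.33.44/all`, and the proxy-style variant with `curl -i -x http://111.22.33.44:80 http://www.hack.com/all`; a plain `curl -i -H 'Host: one.xyz.com' http://111.22.33.44/all` should still reach the backend. The default vhost is the primary control, since vhost selection uses the hostname Apache derives from the request (absolute URI first, then Host header); the `<If>` check only sees the Host header and is there as a second layer.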
