19 Aug 2023 19:46:56 Bhavesh Mistry <mistry.p.bhav...@gmail.com>:

Hi, Tomcat Dev team and Users,


I am trying to block the request and give 404 bad requests or 403 when the HOST header does not match the requested server name.  My goal is to block
whenever there is a mismatch in the host header and URL server name.

I would appreciate your help.

Look at the request. Despite the curl command using an IP address, the actual request does not contain a host in the request line hence there is no mismatch.

Mark



curl -vvvv -k "https://10.40.43.26/login?sessionExpire=true" -H 'Host: text.com'
* Using Stream ID: 1 (easy handle 0x7f8316012800)
> GET /login?sessionExpire=true HTTP/2
> Host: text.com
> User-Agent: curl/8.1.2
> Accept: */*

Response:

< HTTP/2 200
< cache-control: no-cache, no-store, must-revalidate
< expect-ct: enforce, max-age=30, report-uri='https://report-uri.com/account/'
< pragma: no-cache
< expires: Thu, 01 Jan 1970 00:00:00 GMT
< set-cookie: JSESSIONID=4D75D564BC3CF7E406A599962DE5C092;Version=1;Path=/versa;Secure;HttpOnly;SameSite=strict
< strict-transport-security: max-age=31536000 ; includeSubDomains ; preload
< x-xss-protection: 1; mode=block
< x-frame-options: DENY
< x-content-type-options: nosniff
< referrer-policy: strict-origin-when-cross-origin
< content-type: text/html;charset=UTF-8
< content-length: 4084
< date: Sat, 19 Aug 2023 19:02:11 GMT

Here is my connector config:

    <Connector port="${tomcat.port}" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" scheme="https" secure="true"
               server="Versa Director"
               address="${tomcat.address}" maxPostSize="-1"
               allowHostHeaderMismatch="false" />


    <Connector port="${tomcat.secure.port}"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               relaxedPathChars="[\\]^`{|}"
               relaxedQueryChars="[\\]^`{|}" allowHostHeaderMismatch="false"
               address="${tomcat.address}" minSpareThreads="100"
               maxThreads="200" SSLEnabled="true"
               scheme="https" secure="true" maxSwallowSize="-1"
               maxPostSize="-1">

Thanks,

Bhavesh
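A way to get the behaviour Bhavesh is after, added here as an example and not code from this thread or from Tomcat itself. allowHostHeaderMismatch only compares the Host header against a host that appears in the request line, which curl's origin-form request (GET /login?... HTTP/2) never carries, so the dependable check is an explicit allowlist of the names the server is meant to answer to, enforced in a servlet Filter. The example assumes Tomcat 10 or later (jakarta.servlet; Tomcat 9 uses the javax.servlet packages), an init parameter named allowedHosts and the class name HostAllowlistFilter; all three are my choices, not anything from the original message.

```java
// Added example, not part of the original post or of Tomcat: reject any request
// whose Host header (or HTTP/2 :authority) is not on a configured allowlist.
// Assumes Tomcat 10+ (jakarta.servlet); for Tomcat 9 swap the imports to javax.servlet.
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

public class HostAllowlistFilter implements Filter {

    private Set<String> allowedHosts;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Init parameter name "allowedHosts" is assumed; value is a comma-separated
        // list of hostnames or IP literals, e.g. "text.com,10.40.43.26".
        String param = config.getInitParameter("allowedHosts");
        if (param == null || param.isBlank()) {
            throw new ServletException("allowedHosts init-param is required");
        }
        allowedHosts = new HashSet<>();
        for (String h : param.split(",")) {
            allowedHosts.add(normalize(h));
        }
    }

    // Lower-case, trim and drop an optional :port suffix so "Text.com:8443"
    // matches a configured "text.com". Bracketed IPv6 literals keep their brackets.
    static String normalize(String host) {
        String h = host.trim().toLowerCase(Locale.ROOT);
        if (h.startsWith("[")) {
            int end = h.indexOf(']');
            return end >= 0 ? h.substring(0, end + 1) : h;
        }
        int colon = h.indexOf(':');
        return colon >= 0 ? h.substring(0, colon) : h;
    }

    // A missing host can only happen for HTTP/1.0 style requests; treat it as not allowed.
    static boolean isAllowed(String host, Set<String> allowed) {
        if (host == null || host.isEmpty()) {
            return false;
        }
        return allowed.contains(normalize(host));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getServerName() is the host part of the Host header (HTTP/1.1) or of the
        // :authority pseudo-header (HTTP/2) as the container presents it, without the port.
        String host = request.getServerName();
        if (!isAllowed(host, allowedHosts)) {
            // 400 is used here; 403 would be an equally reasonable choice.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unexpected Host header");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Register it in the application's web.xml with a filter element naming this class, an init-param allowedHosts listing every hostname and IP literal the service is legitimately reached as (with the curl request above, "text.com" would be accepted only if it is on that list), and a filter-mapping on /*. Because the check is an allowlist rather than a comparison between two client-supplied values, it fires regardless of whether the client used origin-form or absolute-form request targets.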

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org