19 Aug 2023 19:46:56 Bhavesh Mistry <mistry.p.bhav...@gmail.com>:
Hi, Tomcat Dev team and Users,

I am trying to block the request and give 404 bad requests or 403 when the HOST header does not match the requested server name. My goal is to block whenever there is a mismatch in the host header and URL server name. I would appreciate your help.
Look at the request. Despite the curl command using an IP address, the actual request does not contain a host in the request line, hence there is no mismatch.

Mark
curl -vvvv -k "https://10.40.43.26/login?sessionExpire=true" -H 'Host: text.com'

* Using Stream ID: 1 (easy handle 0x7f8316012800)
> GET /login?sessionExpire=true HTTP/2
> Host: text.com
> User-Agent: curl/8.1.2
> Accept: */*
Response:

< HTTP/2 200
< cache-control: no-cache, no-store, must-revalidate
< expect-ct: enforce, max-age=30, report-uri='https://report-uri.com/account/'
< pragma: no-cache
< expires: Thu, 01 Jan 1970 00:00:00 GMT
< set-cookie: JSESSIONID=4D75D564BC3CF7E406A599962DE5C092;Version=1;Path=/versa;Secure;HttpOnly;SameSite=strict
< strict-transport-security: max-age=31536000 ; includeSubDomains ; preload
< x-xss-protection: 1; mode=block
< x-frame-options: DENY
< x-content-type-options: nosniff
< referrer-policy: strict-origin-when-cross-origin
< content-type: text/html;charset=UTF-8
< content-length: 4084
< date: Sat, 19 Aug 2023 19:02:11 GMT
Here is my connector config:

<Connector port="${tomcat.port}" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" scheme="https" secure="true"
           server="Versa Director"
           address="${tomcat.address}" maxPostSize="-1"
           allowHostHeaderMismatch="false" />

<Connector port="${tomcat.secure.port}"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           relaxedPathChars="[\\]^`{|}"
           relaxedQueryChars="[\\]^`{|}" allowHostHeaderMismatch="false"
           address="${tomcat.address}" minSpareThreads="100"
           maxThreads="200" SSLEnabled="true"
           scheme="https" secure="true" maxSwallowSize="-1"
           maxPostSize="-1">
Thanks,
Bhavesh
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
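The distinction Mark draws is between a host named in the request line and the host named in the Host header. The following is an added illustration, not code from this thread or from Tomcat: it models the two request-target forms of RFC 7230 (origin-form, where the request line carries only a path, and absolute-form, where it carries a full URL), shows that a request-line/Host mismatch check of the kind allowHostHeaderMismatch="false" performs has nothing to compare for an origin-form request such as the one in the curl output, and separately shows the allow-list check the original question actually calls for, where the Host header is compared against the names the server is expected to answer to. The function names, the allow-list and the sample requests are all constructed for this example.

```python
"""Host checks on an HTTP request: request-line mismatch vs. allow-list.

Added example, not part of the mailing-list thread. Two independent checks:
  * host_header_mismatch(): does the request line name a host that differs from
    the Host header?  Only absolute-form request lines name a host at all.
  * host_allowed(): is the Host header one of the names this server expects?
    This is the check needed to reject requests that arrive for an unexpected
    name, regardless of request-line form.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit


def request_target_host(request_line: str) -> Optional[str]:
    """Return the host[:port] named in the request line, or None for origin-form."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {request_line!r}")
    target = parts[1]
    if target.startswith("/") or target == "*":
        return None                  # origin-form / asterisk-form: no host present
    if "://" in target:
        return urlsplit(target).netloc  # absolute-form: host comes from the URL
    return target                    # authority-form (CONNECT): target is host:port


def _normalize(host: str, default_port: int) -> Tuple[str, int]:
    """Lower-case the name and make the port explicit, so 'a.example' == 'a.example:443'."""
    host = host.strip().lower()
    if host.startswith("["):         # IPv6 literal, e.g. [::1]:8443
        name, _, rest = host[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        name, _, port = host.partition(":")
    return name, int(port) if port else default_port


def host_header_mismatch(request_line: str, host_header: str, scheme: str = "https") -> bool:
    """True only when the request line names a host that differs from the Host header."""
    target_host = request_target_host(request_line)
    if target_host is None:
        return False                 # nothing in the request line to disagree with Host
    default = 443 if scheme == "https" else 80
    return _normalize(target_host, default) != _normalize(host_header, default)


def host_allowed(host_header: str, allowed_names, scheme: str = "https") -> bool:
    """True when the Host header's name (port ignored) is on the expected-name list."""
    name, _port = _normalize(host_header, 443 if scheme == "https" else 80)
    return name in {n.strip().lower() for n in allowed_names}


def decide(request_line: str, host_header: str, allowed_names) -> str:
    """Combine both checks into the decision a front-end filter would make."""
    if host_header_mismatch(request_line, host_header):
        return "reject-mismatch"     # request line and Host disagree (400 territory)
    if not host_allowed(host_header, allowed_names):
        return "reject-unknown-host"  # Host is not a name we serve (403/404 territory)
    return "accept"


if __name__ == "__main__":
    # Constructed sample: the thread's request (origin-form, Host: text.com) plus
    # two absolute-form variants.  The allow-list is invented for the example.
    ALLOWED = ["director.example", "10.40.43.26"]
    samples = [
        ("GET /login?sessionExpire=true HTTP/2", "text.com"),
        ("GET https://text.com/login HTTP/1.1", "text.com"),
        ("GET https://other.example/login HTTP/1.1", "text.com"),
        ("GET /login HTTP/1.1", "Director.Example:8443"),
    ]
    for line, host in samples:
        print(f"{line!r:48} Host: {host:24} -> {decide(line, host, ALLOWED)}")
```

The first sample reproduces the situation in the thread: the request line is origin-form, so the mismatch check cannot fire and the request is only caught by the allow-list check. Any filter implementing that second check should normalize case and strip the port before comparing, as `_normalize` does, or legitimate requests with an explicit port will be rejected.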