On 02/05/2013 05:34 PM, bentscrewdriver wrote:
> [ Sorry - previous message posted with wrong subject]
>
> We had a pen test performed on our external facing hosts and the Djigzo
> appliance (2.4.0.3) had a finding where the internal IP address was
> disclosed by performing an HTTP 1.0 GET request (the redirect response link
> shows the IP rather than the hostname). Do you have any guidance on how to set the
> response to return the hostname?
FYI, the internal IP address is added by Tomcat. With HTTP 1.1, the browser sends the hostname with the request. HTTP 1.0 however works differently, since HTTP 1.0 has no notion of a hostname. See for example this link for some background info:

https://issues.jboss.org/browse/JBAS-5507?page=all

The best way to solve this is by setting the proxyName attribute on the HTTP connector (in /etc/tomcat6/server.xml):

    <Service name="Catalina">
      <Connector port="8080" maxHttpHeaderSize="8192"
                 maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                 enableLookups="false" disableUploadTimeout="true"
                 acceptCount="100" scheme="http"
                 proxyName="example.com" />   <!-- proxyName added -->

The proxyName should be equal to the name of the external IP address (or the external IP address if there is no A record for the external IP address).

Also make sure that the proxyName is set on the HTTPS connector.

I will see whether I can make this a user configurable option from the command-line interface.

Kind regards,

Martijn Brinkers

--
DJIGZO email encryption

_______________________________________________
Users mailing list
[email protected]
http://lists.djigzo.com/lists/listinfo/users
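The following is an added example, not code from the thread or from the Djigzo/Tomcat projects. It does two things: it models, in simplified form, how a servlet container turns a relative redirect into an absolute Location URL (proxyName overrides the Host header, which in turn overrides the socket's local address, which is the only thing an HTTP/1.0 request without a Host header leaves), and it gives a check a tester can run over a captured response to decide whether the redirect discloses an RFC 1918 address. The sample responses, the 10.0.0.5 address and the mail.example.com name are constructed for the example; the optional probe at the bottom sends a real HTTP/1.0 request and is only used when the script is run directly.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def absolute_location(path, host_header=None, local_ip="10.0.0.5",
                      proxy_name=None, scheme="http", port=80):
    """Simplified model (assumption, not Tomcat's source) of how a container
    builds the absolute Location header for a redirect to `path`.

    Precedence: proxyName from server.xml, else the request's Host header
    (always present in HTTP/1.1), else the local IP of the accepting socket.
    An HTTP/1.0 request carries no Host header, so without proxyName the
    internal address ends up in the response.  host_header is the bare name.
    """
    host = proxy_name or host_header or local_ip
    default_port = 443 if scheme == "https" else 80
    netloc = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def redirect_host(raw: bytes):
    """Return the host part of the Location header of a redirect, else None."""
    status, headers = parse_response(raw)
    if status not in REDIRECT_CODES or "location" not in headers:
        return None
    return urlsplit(headers["location"]).hostname


def leaks_private_ip(raw: bytes) -> bool:
    """True when a redirect points at a private (RFC 1918 / ULA) address,
    which is the finding the pen test reported."""
    host = redirect_host(raw)
    if host is None:
        return False
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:      # a hostname, not an IP literal
        return False


# Constructed sample responses: before and after setting proxyName.
LEAKY_RESPONSE = (b"HTTP/1.1 302 Moved Temporarily\r\n"
                  b"Location: http://10.0.0.5:8080/web/\r\n"
                  b"Content-Length: 0\r\n\r\n")
FIXED_RESPONSE = (b"HTTP/1.1 302 Moved Temporarily\r\n"
                  b"Location: https://mail.example.com/web/\r\n"
                  b"Content-Length: 0\r\n\r\n")


def probe_http10(host: str, port: int = 80, path: str = "/") -> bytes:
    """Send a bare HTTP/1.0 GET (no Host header, like the pen test did) and
    return the raw response.  Network access; not used by the tests."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(f"GET {path} HTTP/1.0\r\n\r\n".encode())
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    print("no proxyName, HTTP/1.0:",
          absolute_location("/web/", host_header=None, port=8080))
    print("proxyName set, HTTP/1.0:",
          absolute_location("/web/", proxy_name="mail.example.com",
                            scheme="https", port=443))
    for name, resp in (("leaky", LEAKY_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(name, "discloses private IP:", leaks_private_ip(resp))
```

To re-test an appliance after the change, run `probe_http10("mail.example.com", 80)` and pass the result to `leaks_private_ip`; because the check inspects only the Location header, it reports the same finding whether the redirect comes from Tomcat or from a reverse proxy in front of it.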
