httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roy T. Fielding" <field...@liege.ICS.UCI.EDU>
Subject Re: arrrrgh!
Date Mon, 05 Aug 1996 09:03:32 GMT
> Let me explain the problem, precisely. Maybe you can tell us what do
> then:
> 
> Apache currently looks at the Host: header, at the hostname and the
> port number. It assumes port 80 if there is no port number. It then
> checks to see if that port number is the same port number as the
> incoming connection. If not, it ignores the Host: header.

Why does it look at the port number? The only thing Apache cares about
right now is the host.  Even if the port number is wrong, the host is
still the determining factor and shouldn't be ignored.

> The problem is this: Let's say I have a server, running on port
> 8080. Let's call it www.one.com. Now, lets say I set up a Host: header
> based server, on the same IP address and port, called www.two.com. Now
> let's say someone uses MSIE 3.0b2 to access
> http://www.two.com:8080/. MSIE sends "Host: www.two.com", Apache
> interprets that as port "80", ignores the port number, and serves up
> the content of www.one.com.

That would clearly violate the requirements regarding how Host affects
the requested resource -- Apache just served www.one.com resources on a
request to www.two.com.  The port number is totally irrelevant in this case.

> Is that wrong? The spec seems *very* clear on that part.

You are confusing two issues -- how to determine the requested resource
and how to implement port switching.  We don't implement port switching,
so why are we looking at the port?  HTTP/1.1 requirements on determining
the requested resource apply only to the "host" part of either the full-URI
or the Host header field, and "host" does not include "port" (see BNF).
As an implementation decision, we could decide to check the port as well,
but that is not required for HTTP/1.1 and won't work with existing HTTP/1.0
clients.

Even if we did implement port switching [which is only a security hole
under some cases, not all cases, and is a reasonable config option
provided that the default is off], the host takes precedence over any port.
If www.two.com is not one of the valid hostnames for the server monitoring
the actual port on which the request was received, then that Host is considered
invalid and no port switch is made.  Note: in HTTP parlance, "server" means
the functional entity listening to that port on that host -- a single
application (like Apache) listening to multiple ports is considered
to be multiple servers with separate resource spaces.

The reason why the Host header includes a port is so that a gateway can
tunnel multiple ports through a single port *on purpose*, usually to make
previously secure resources located behind a firewall available to the
outside world without changing their location.  All of the port
switching is limited to a single hostname (and a specific set of ports
on that hostname), so it is never the case that a port switch will result
in a different hostname's resource being served.

.....Roy

Mime
View raw message