httpd-dev mailing list archives

From Aaron Bannert <aa...@clove.org>
Subject Re: 301 Redirect through a firewall... Possible to hide the origin server ip address?
Date Fri, 14 Sep 2001 18:26:37 GMT
On Fri, Sep 14, 2001 at 02:02:45PM -0400, Bill Stoddard wrote:
> Browser hits an Apache server through a firewall with a request like this:
> 
> GET /manual HTTP/1.0
> 
> manual is a directory which results in the server issuing a redirect thusly
> 
> HTTP/1.1 301 Moved Permanently
> Date: Fri, 14 Sep 2001 17:37:22 GMT
> Server: Apache/1.3.20 (Unix)
> Location: http://origin_server/manual/
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> 
> The origin server sits behind a firewall. The problem is that the Location header field
> contains the origin server name, not the name of the firewall, which is a bit of a
> security exposure.
> 
> I really have no good ideas on how to prevent the location header field from having the
> origin_server name/address. Thoughts?

If anything, this is a really minor security hole. If an attacker can
get into your system merely by knowing the internal names/IPs of your
servers then you are in trouble. Either do what Ryan said (for HTTP/1.0),
or set up a virtual-host to accept the name that brought the requests
to the firewall (really, it's just a proxy) in the first place (if you
don't care about <HTTP/1.1 requests, which is how it works in practice).

p.s. Are "GET ... HTTP/1.0" requests allowed to return "HTTP/1.1" responses?

-aaron
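The other place to close this exposure is at the proxy itself: rewrite the Location header of the origin's redirect so the client only ever sees the public name. This is what Apache's mod_proxy does with ProxyPassReverse. The following Python is an added illustration of that rewrite, not code from the thread or from httpd. The origin name `origin_server` and the response head are taken from the quoted redirect; the public name `firewall.example.com` is an assumption. It also includes a small boundary check that reports whether a response still names the internal host.

```python
"""Rewrite an origin server's redirect so the hostname the client sees is the
proxy's public name rather than the origin's internal name.

Added example (not httpd code): it mirrors the Location rewrite a reverse
proxy performs, as Apache's ProxyPassReverse does. "origin_server" comes from
the quoted redirect; "firewall.example.com" is an assumed public name.
"""

from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the redirect quoted in the thread, as raw header lines.
ORIGIN_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Date: Fri, 14 Sep 2001 17:37:22 GMT\r\n"
    "Server: Apache/1.3.20 (Unix)\r\n"
    "Location: http://origin_server/manual/\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)

# Headers that carry a self-referential absolute URL and therefore leak the name.
REDIRECT_HEADERS = ("location", "content-location")


def parse_head(raw):
    """Split a raw response head into (status line, list of (name, value))."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")  # first colon only; values may contain ':'
        headers.append((name.strip(), value.strip()))
    return status, headers


def rewrite_location(value, internal, public):
    """Map an absolute URL pointing at the internal origin onto the public name.

    internal/public are "host" or "host:port". The authority is compared
    case-insensitively, so http://ORIGIN_SERVER/x is rewritten too. Relative
    redirects and redirects to other hosts are passed through unchanged.
    Returns (new_value, changed).
    """
    parts = urlsplit(value)
    if not parts.scheme or parts.netloc.lower() != internal.lower():
        return value, False
    new = urlunsplit((parts.scheme, public, parts.path, parts.query, parts.fragment))
    return new, True


def proxy_response(raw, internal="origin_server", public="firewall.example.com"):
    """Return the response head with redirect headers rewritten, plus a flag
    saying whether anything was actually changed."""
    status, headers = parse_head(raw)
    fixed = False
    out = []
    for name, value in headers:
        if name.lower() in REDIRECT_HEADERS:
            value, changed = rewrite_location(value, internal, public)
            fixed = fixed or changed
        out.append(f"{name}: {value}")
    return "\r\n".join([status] + out) + "\r\n\r\n", fixed


def leaks_internal_name(raw, internal="origin_server"):
    """Boundary check: does any redirect header still name the internal origin?"""
    _, headers = parse_head(raw)
    return any(
        name.lower() in REDIRECT_HEADERS
        and urlsplit(value).netloc.lower() == internal.lower()
        for name, value in headers
    )


if __name__ == "__main__":
    rewritten, fixed = proxy_response(ORIGIN_RESPONSE)
    print(rewritten)
    print("leak fixed:", fixed, "| still leaks:", leaks_internal_name(rewritten))
```

Two caveats worth keeping in mind. First, this only touches absolute URLs whose authority is exactly the configured internal name (with port, if one is configured), so an origin that answers under several internal aliases needs one mapping per alias. Second, it rewrites headers only; an origin name embedded in the HTML body of the 301 page (or in any other response) is not covered, which is why Aaron's suggestion of making the origin generate the public name in the first place, via a virtual host for that name, is the more complete fix.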
