Prevent Host header attack in JBoss

My JBoss web server doesn't have a domain; it is accessed only by IP.

There is a web/common directory.

When I access the web server with:

curl -i -H "Host: www.google.com " "http://127.0.0.1:8080/web/common/"

it goes to the 404 web error page.

When I use:

curl -i -H "Host: www.google.com " "http://127.0.0.1:8080/web/common"

it returns:

HTTP/1.1 302 Moved Temporarily
Location: http://www.google.com/web/common/
Transfer-Encoding: chunked
Date: Wed, 23 May 2018 14:17:46 GMT
Server: VPS

How do I configure JBoss to prevent the Location redirect from http://127.0.0.1:8080/web/common to http://www.google.com/web/common/?



Solution 1:[1]

Use an expression-filter in the Undertow subsystem. The resulting XML would look like this:

<subsystem xmlns="urn:jboss:domain:undertow:3.1">
    <buffer-cache name="default"/>
    <server name="default-server">
        ...
        <host name="default-host" >
            ...
            <filter-ref name="host-checker"/>
        </host>
    </server>
    <filters>
        ...
        <!-- refuse (403) any request whose Host header is neither LOCAL_IP:LOCAL_PORT nor bare LOCAL_IP -->
        <expression-filter name="host-checker" expression="not(equals(%{i,HOST}, %{LOCAL_IP}:%{LOCAL_PORT}) or equals(%{i,HOST}, %{LOCAL_IP})) -> response-code(403)"/>
    </filters>
</subsystem>
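As an added illustration (not code from the question, the answer or JBoss), a small Python model of the behaviour in this thread: the 302 whose Location is assembled from the client's Host header, beside the same request gated by the allow-list the expression-filter enforces. LOCAL_IP and LOCAL_PORT are assumed stand-ins for Undertow's %{LOCAL_IP} and %{LOCAL_PORT}, and the requests are constructed inline.

```python
"""Toy model of the Host-based redirect from the question and of the
allow-list that the answer's expression-filter applies.

Added example (not JBoss/Undertow code). LOCAL_IP/LOCAL_PORT stand in for
Undertow's %{LOCAL_IP}/%{LOCAL_PORT}; requests are constructed inline."""

LOCAL_IP, LOCAL_PORT = "127.0.0.1", 8080  # assumed listener address


def host_allowed(host_header, local_ip=LOCAL_IP, local_port=LOCAL_PORT):
    """Mirror of the filter predicate: Host must equal LOCAL_IP:LOCAL_PORT or
    bare LOCAL_IP. Exact match only, so 127.0.0.1:8081 or
    127.0.0.1.attacker.example are refused as well."""
    host = host_header.strip()  # HTTP parsers drop optional whitespace around a value
    return host in (f"{local_ip}:{local_port}", local_ip)


def handle(headers, path, checked=True):
    """Return (status, location) for a request to a directory path.

    checked=False reproduces the question: the 302 Location is assembled
    from whatever Host the client sent, so the client is bounced to an
    attacker-chosen origin. checked=True gates the request on
    host_allowed() first and answers 403 instead, like the filter."""
    # header names are case-insensitive, as with Undertow's %{i,HOST}
    host = next((v for k, v in headers.items() if k.lower() == "host"), "").strip()
    if checked and not host_allowed(host):
        return 403, None
    if not path.endswith("/"):
        # directory requested without a trailing slash -> redirect to add it
        return 302, f"http://{host}{path}/"
    return 200, None


if __name__ == "__main__":
    req = {"Host": "www.google.com "}  # constructed: the header from the question's curl
    print(handle(req, "/web/common", checked=False))  # (302, 'http://www.google.com/web/common/')
    print(handle(req, "/web/common"))                 # (403, None)
    print(handle({"host": "127.0.0.1:8080"}, "/web/common"))  # (302, 'http://127.0.0.1:8080/web/common/')
```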

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Peter Csala