Host header validation

Added by alishaj about 4 years ago

I need to perform Host header validation.
The requirement is to block access to the service when it is accessed using any FQDN.
The service is supported on IPv4, IPv6 and dual stack.
I tried the following configuration:

$HTTP["host"] != "[fde4:8dba:82e1::ff13]" {
    $HTTP["host"] != "[fe80::ca1f:eaff:fe69:2501]" {
        $HTTP["host"] != "192.168.1.3" {
            url.access-deny = ( "" )
        }
    }
}

The server can be accessed using any IPv6 address, i.e. DHCPv6, link local, SLAAC,
which increases the number of checks and poses the challenge of updating the configuration every time the SLAAC/DHCP address changes.
So to make it simpler, is there any way to configure lighttpd so that I can simply check:

$HTTP["host"] =~ "<any FQDN>" {
    url.access-deny = ( "" )
}

Is there any reliable regular expression which will help me achieve this?

Alternatively, is there any variable that I can use in conf file that would represent all the IP addresses of my system?


Replies (4)

RE: Host header validation - Added by gstrauss about 4 years ago

A more secure approach is to explicitly allow what you want to allow and to deny everything else.

# lighttpd.conf regex conditions are double-quoted strings; dots are escaped so they
# match literally rather than any character
$HTTP["host"] =~ "^(a\.example\.com|b\.example\.com)$" {
    # ...
}
else {
    url.access-deny = ( "" )
}

RE: Host header validation - Added by gstrauss about 4 years ago

I do not immediately see the value in your use case of rejecting FQDN and accepting IP addresses, but here is the opposite of the above to accept things that look like IP addresses. (untested)

$HTTP["host"] !~ /^\[.*\](:\d+)$/ {
    $HTTP["host"] !~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)(:\d+)?$/ {
        url.access-deny = ( "" )
    }
}

The above will reject requests without a Host: header, but you can add that condition to the example above if you want to accept it.

RE: Host header validation - Added by alishaj about 4 years ago

I tried the following as you suggested; it blocks access using IP as well as FQDN.

$HTTP["host"] !~ "/^\[.*\](:\d+)$/" {
    $HTTP["host"] !~ "/^(\d+)\.(\d+)\.(\d+)\.(\d+)(:\d+)?$/" {
        url.access-deny = ( "" )
    }
}

Maybe it needs tweaking; could you point me to any reference where I can read how to create regexes for the lighttpd conf?

RE: Host header validation - Added by gstrauss about 4 years ago

Docs_Configuration

Looks like I missed a question mark in the first regex, and the logic should be to reject if it looks like IPv6 or if it looks like IPv4:

# regex conditions in lighttpd.conf are written as double-quoted strings, not /.../ literals
# bracketed IPv6 literal, with or without :port
$HTTP["host"] =~ "^\[.*\](:\d+)?$" {
    url.access-deny = ( "" )
}
# dotted IPv4 literal, with or without :port
$HTTP["host"] =~ "^(\d+)\.(\d+)\.(\d+)\.(\d+)(:\d+)?$" {
    url.access-deny = ( "" )
}
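To see what the two regexes in this last reply accept, and why the two earlier attempts in the thread misbehaved, here is an added Python model of the check. It is not from the thread or from lighttpd; it uses Python's re, which agrees with lighttpd's PCRE for these patterns, and adds a stricter ipaddress-based variant as an assumed alternative for anyone who wants real address parsing rather than a shape check.

```python
import ipaddress
import re

# Patterns from the final reply, as Python regexes.
IPV6_LITERAL = re.compile(r"^\[.*\](:\d+)?$")
IPV4_LITERAL = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(:\d+)?$")

# The two earlier mistakes from the thread, kept to show how each one fails.
IPV6_PORT_REQUIRED = re.compile(r"^\[.*\](:\d+)$")    # missing "?": the port became mandatory
IPV6_SLASHES_QUOTED = re.compile(r"/^\[.*\](:\d+)$/")  # "/" quoted into the pattern: never matches


def looks_like_ip_literal(host: str) -> bool:
    """Shape check equivalent to the two =~ blocks in the final config."""
    return bool(IPV6_LITERAL.match(host) or IPV4_LITERAL.match(host))


def decide(host: str) -> str:
    """Deny when the Host value is an IP literal (with or without a port), otherwise allow."""
    return "deny" if looks_like_ip_literal(host) else "allow"


def strict_ip_literal(host: str) -> bool:
    """Assumed stricter variant: parse the address instead of trusting \\d+ / .* shapes."""
    m = re.fullmatch(r"\[(?P<addr>[^\]]+)\](?::\d{1,5})?", host)
    bracketed = m is not None
    if not bracketed:
        m = re.fullmatch(r"(?P<addr>[^:]+)(?::\d{1,5})?", host)
        if m is None:
            return False
    try:
        ip = ipaddress.ip_address(m.group("addr"))
    except ValueError:
        return False  # e.g. "999.1.1.1" has the IPv4 shape but is not an address
    # Brackets must hold IPv6 and the bare form must hold IPv4.
    return ip.version == (6 if bracketed else 4)


if __name__ == "__main__":
    # Constructed sample Host header values, including ones from the thread.
    for h in ["192.168.1.3", "[fde4:8dba:82e1::ff13]", "[fe80::ca1f:eaff:fe69:2501]:443",
              "www.example.com:8443", "999.1.1.1"]:
        print(f"{h:40} {decide(h):5} strict_ip={strict_ip_literal(h)}")
```

The loose shape check over-matches (a value such as 999.1.1.1 is treated as an IP literal), which for a deny rule is a harmless false deny; the strict variant shows what it would take to only act on values that actually parse as addresses.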
