Re: [jetty-users] NAT with HTTP 1.0 returns internal IP address

On 04/04/2013 09:15 AM, martijn.list wrote:
> I hope you can help me with this minor problem.
>
> If Jetty is installed on a server with a NAT'd IP address, connecting
> with HTTP 1.0 returns the internal IP address. This is understandable
> since HTTP 1.0 does not support the Host parameter. However it's not
> clear to me how to solve this.
> Some suggestions that I have found, suggest to set the "hostHeader" on
> the connector but this also requires that "forwarded" is set which is
> not what I want since I do not want to support forwarding, I only want
> to override what's returned by "ServletRequest#getServerName()" if using
> HTTP 1.0 (or if the Host attribute is missing).
>
> Two questions:
>
> 1. Can I completely disable support for HTTP 1.0 (probably not). The
> main reason for this request is that sometimes clients do not want to
> "leak" the internal IP address if using NAT and for normal use.
>
> 2. Can I set a connection attribute which overrides the default
> "ServletRequest#getServerName()" if using HTTP 1.0 or if the Host
> parameter is not set?

Since I didn't get any answer, it might be that I have not been clear enough about what problem I'm trying to fix.

To illustrate my point I'll provide an example of the "HTTP 1.0 shows the internal IP address" problem.

Connect with telnet to a Jetty server on port 89 (in this example I use www.webtide.com) and issue a GET with the HTTP 1.0 protocol:

telnet www.webtide.com 80

Trying 72.32.76.94...
Connected to www.webtide.com.
Escape character is '^]'.
GET index.html HTTP/1.0

HTTP/1.1 302 Found
Location: https://192.168.100.94:443index.html
Content-Length: 0
Server: Jetty(9.0.1-SNAPSHOT)

Connection closed by foreign host.


The Location header in the HTTP response tells me to connect to an internal IP address 192.168.100.94. There are two problems with this:

1. Since it's an internal IP address, connecting to this address will never work from outside.

2. The internal IP address is "leaked". Some companies with strict security regulations do not like the internal IP addresses to be "leaked" to the outside.

With Tomcat, you can set the proxyName which is used with HTTP 1.0.

I have two questions which I hope someone can help me with:

1. Can I completely disable support for HTTP 1.0? The
main reason for this request is that sometimes clients do not want to
"leak" the internal IP address if using NAT and for normal use.

2. Can I set a connection attribute which overrides the default
"ServletRequest#getServerName()" if using HTTP 1.0 or if the Host
parameter is not set?

Kind regards,

Martijn Brinkers
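
A check for the behaviour described in the message above, written as an added example that is not part of the original post and not Jetty code: it sends the same Host-less HTTP/1.0 request and flags any URL-bearing response header that names a non-public IP address. The function names `fetch_without_host` and `leaked_addresses` are hypothetical, and `SAMPLE` is the response head from the telnet session above.

```python
import ipaddress
import re
import socket

# Headers in which a server may echo an absolute URL built from its own address.
URL_HEADERS = ("location", "content-location")
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(\[[^\]]+\]|[^/:?#]+)", re.I)


def fetch_without_host(host, port=80, path="/", timeout=5.0):
    """Send an HTTP/1.0 GET with no Host header and return the raw response head."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii"))
        data = b""
        while b"\r\n\r\n" not in data and len(data) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")


def leaked_addresses(response_head):
    """Return (header, address) pairs where a URL header names a non-public IP."""
    findings = []
    for line in response_head.splitlines()[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in URL_HEADERS:
            continue
        match = HOST_RE.match(value.strip())
        if not match:
            continue                                 # relative URL: nothing disclosed
        try:
            addr = ipaddress.ip_address(match.group(1).strip("[]"))
        except ValueError:
            continue                                 # a hostname, not an IP literal
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            findings.append((name.strip(), str(addr)))
    return findings


# Response head copied from the telnet session in the message above.
SAMPLE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://192.168.100.94:443index.html\r\n"
    "Content-Length: 0\r\n"
    "Server: Jetty(9.0.1-SNAPSHOT)\r\n"
)

if __name__ == "__main__":
    print(leaked_addresses(SAMPLE))
```

Running `leaked_addresses(fetch_without_host(...))` against a server before and after a configuration change shows whether the redirect still carries the internal address.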

