Mass virtual hosting security tip when using a reverse proxy to connect to other servers
Yesterday, I realized there was a security flaw in the setup of our mass virtual hosting configuration in the Nginx web server. Mass virtual hosting allows me to map host names to their respective directories on the filesystem without having to make a duplicate configuration for every domain.
To do mass virtual hosting in Nginx, you can use a wildcard server name such as "server_name www.*;" to match all domains like www.domain1.com, www.domain2.com, etc. I then use URL rewrites with regular expressions to map all the URLs for my application and to set the root path for each host name.
When it gets down to the part where Nginx calls Railo, I had it set up to use this configuration line in nginx.conf:
The problem with doing that is that it also matches domains this server doesn't host: a client only has to send a request whose Host header names some other domain, and Nginx will resolve that name and open a connection to it on the client's behalf. Some bots were doing exactly this to attempt a denial of service attack against remote domains such as fbi.gov and other servers. Because of the non-standard port, 8888, those connections were timing out instead of hitting the fbi.gov home page. Even though it wasn't letting them hit the FBI, it was still a security flaw: the connection attempts originated from our IP address, and it allowed some abuse of our server.
I realized that it is more correct to use a local IP address in the Nginx proxy_pass:
Then you set some proxy headers in Nginx so Railo can read the original host name and remote IP address:
proxy_set_header HTTP_HOST $host;
proxy_set_header REMOTE_ADDR $remote_addr;
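The two proxy_pass styles side by side, as an added example that is not the post's own nginx.conf (the post's exact proxy_pass lines are not reproduced above). The listen port, the resolver address and the catch-all server are assumptions; only the wildcard server_name, port 8888 and the two proxy_set_header lines come from the post.

```nginx
# Weak: the upstream address is built from the client-supplied Host header.
# server_name "www.*" accepts any www.* host, so a request such as
#   GET / HTTP/1.1
#   Host: www.example.net
# makes Nginx resolve www.example.net and open a connection to it on port
# 8888 from this server's IP address. The server is an open proxy that
# anyone can point at a third party.
server {
    listen 80;
    server_name www.*;
    resolver 127.0.0.1;   # assumed; a variable in proxy_pass requires a resolver
    location / {
        proxy_pass http://$host:8888;
    }
}

# Hardened: the upstream is a fixed local listener, so no request can steer
# the proxy anywhere else. The original host name and client address travel
# in request headers for the application to read.
server {
    listen 80;
    server_name www.*;
    location / {
        proxy_pass http://127.0.0.1:8888;
        proxy_set_header HTTP_HOST $host;            # header names used in the post
        proxy_set_header REMOTE_ADDR $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # conventional extra
    }
}

# Assumed catch-all: any Host that matches no configured server_name is
# dropped (444 closes the connection) instead of reaching the application.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
```

Two checks remain on the application side. A forged Host header that happens to match www.* still reaches Railo on the hardened setup, so the forwarded HTTP_HOST value is untrusted input and must be mapped only to names the application actually serves. And because HTTP_HOST and REMOTE_ADDR are just headers, a client that can reach port 8888 directly can set them itself; bind the Tomcat connector to 127.0.0.1 (the Connector element's address attribute) or firewall the port so only Nginx can talk to it.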
Also in /opt/railo/tomcat/conf/server.xml, I needed to set the host name to a matching static IP like this:
<Host name="127.0.0.1" appBase="webapps" unpackWARs="true" autoDeploy="true" ><Context path="" docBase="/home/path/to/root" /></Host>
You might also need to change the engine to use 127.0.0.1 as the default host.
<Engine name="Catalina" defaultHost="127.0.0.1">
After restarting Nginx and Railo, the application still doesn't work automatically.
In Railo, cgi.http_host will now equal 127.0.0.1, which means you can no longer use that variable to map the request to a specific host name. To access the proxy header, you must use code like this in CFML:
Since my application was already using a duplicate of the cgi scope everywhere, I only had to change this in one place to switch from name-based virtual hosting to a static IP.
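The CFML snippet from the original post is not reproduced above; what follows is an added example, not the author's code, of one way to read the forwarded headers and swap them into a duplicated cgi scope. The header names match the proxy_set_header lines in the post; the variable names, the request.cgi location and the hostedDomains list are assumptions (the list is a constructed stand-in for whatever the application already uses to map host names to document roots).

```cfml
<cfscript>
// Added example: read the host name and client address that Nginx forwards
// in the custom HTTP_HOST and REMOTE_ADDR headers. Fall back to the cgi scope
// when the headers are absent (e.g. Railo hit directly on port 8888 in dev).
headers = getHTTPRequestData().headers;

originalHost = structKeyExists(headers, "HTTP_HOST") ? headers["HTTP_HOST"] : cgi.http_host;
clientIP     = structKeyExists(headers, "REMOTE_ADDR") ? headers["REMOTE_ADDR"] : cgi.remote_addr;

// Normalise before using it as a lookup key: drop any :port suffix, lower-case.
originalHost = lCase(listFirst(originalHost, ":"));

// The forwarded host is client-controlled input. Only names this server
// actually serves are accepted; anything else gets a 404 rather than being
// treated as a valid site. (Constructed list; assumption for the example.)
hostedDomains = ["www.domain1.com", "www.domain2.com"];
if (arrayFindNoCase(hostedDomains, originalHost) EQ 0) {
    getPageContext().getResponse().setStatus(404);
    abort;
}

// cgi is read-only, so the rest of the application reads a copy. Replacing
// http_host and remote_addr in that copy lets existing code that maps
// cgi.http_host to a document root keep working unchanged.
request.cgi = duplicate(cgi);
request.cgi.http_host   = originalHost;
request.cgi.remote_addr = clientIP;
</cfscript>
```

This belongs at the very start of request handling (Application.cfc's onRequestStart, or whatever the application already uses to build its cgi copy) so that nothing downstream ever sees the raw 127.0.0.1 value.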
These small changes allowed me to continue using mass virtual hosting configuration while making it more secure.