HOST header injection

arlinux · March 23, 2020, 2:57pm

Hello,

I have HA-Proxy version 1.8.19 running.

curl -I -H "Host:www.bing.com" http://www.mydomain.net
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://www.bing.com/

Could someone advise on how to avoid such HOST header injection ?

Thanks!
Ash

lukastribus · March 23, 2020, 7:12pm

What header injection? You are making a normal HTTP request and specifying a specific Host header.

arlinux · March 24, 2020, 2:31pm

Hello Lukas

Please refer:

curl -I -H "Host:www.bing.com" http://www.mydomain.net/landingpage

This gets Location: https://www.bing.com/landingpage

Is there a possible to keep validate HOST HEADER Injection is haproxy or any other config suggestions that can avoid ?

Many Thanks!
Ash

lukastribus · March 24, 2020, 2:57pm

Validate against what? A static list of yours? Sure, just use normal ACLs.

arlinux · March 26, 2020, 4:42am

Do you mean - If Host !mydomain.net - then deny ?

Could you please post here snippet of ACL’s and validation…

Thanks,
Ash

arlinux · March 26, 2020, 6:21am

Hello Lukas,

Tried this and it works. Do you foresee any other type of web-request’s issues with this config ?

http-request deny if !{ req.hdr(host) -i -m end mydomain.net }

Appreciate your help!

Best,
Ash

lukastribus · March 26, 2020, 11:03am

You probably want to prefix a dot at the domain, otherwise this would also other domains ending with that, like thatsmydomain.net for example.

But what makes sense in your situation really depends on what issue you are trying to solve, which is unclear to me at this point.

Topic		Replies	Views
Haproxy http to https redirect host header Help!	4	566	April 25, 2023
Haproxy backend Help!	26	1201	March 10, 2020
Haproxy remove cookie request Help!	3	2164	February 18, 2019
Aliasing or Redirecting the Web URLS Help!	15	13111	March 26, 2020
Dynamic server name and header Help!	3	2313	September 19, 2019