Page 1 of 1
host differs to domain fronting proxy
Posted: Thu Apr 11, 2024 11:12 am
by oxfordpete
Our security team have now informed us that they are tightening controls in the proxy server configuration to block requests showing domain fronting behavior as this can be exploited and cause a potential security risk.
Specifically they say the HTTPAPI traffic via proxy will be blocked because the hostname and HTTP Host header differ.
I am guessing this is due to the "HTTP/1.1" appearing against the Host in the API headers?
Has anyone come across this issue. Is it configurable in any way?
Thanks
Pete
Re: host differs to domain fronting proxy
Posted: Thu Apr 11, 2024 11:27 pm
by Scott Klement
Sorry, I don't understand. What do you mean by "the host name and the host header differ"? HTTP/1.1 is the version of HTTP and is required to be there, always... not sure what that has to do with security.
Re: host differs to domain fronting proxy
Posted: Mon Apr 15, 2024 1:36 pm
by oxfordpete
basically it seems if i send an HTTP eg: post to server mywebsite.com but via a proxy the proxy_tunnel() code generates headers such as
CONNECT mywebsite.com:443 HTTP/1.1
Host: mywebsite.com HTTP/1.1
User-Agent: http-api/1.48
Proxy-Connection: keep-alive
Security team are implementing checks on proxy traffic that host: statement in the HTTP Header must match the destination server URL
ie: we need to generate below code so the Header is same as the target host
CONNECT mywebsite.com:443 HTTP/1.1
Host: mywebsite.com
User-Agent: http-api/1.48
Proxy-Connection: keep-alive
I have made a code change to proxy_tunnel() code and am currently testing all out HTTP connections, so far they all work without the HTTP/1.1 being appended to the Host: statement
Pete
Re: host differs to domain fronting proxy
Posted: Mon Apr 15, 2024 9:24 pm
by Scott Klement
Oh, you're saying that HTTP/1.1 is somehow being added to the host: header? That shouldn't be happening.
Re: host differs to domain fronting proxy
Posted: Tue Apr 16, 2024 9:15 am
by oxfordpete
changed HTTPAPIR4 HTTPAPI Ver 1.48 as below
Code: Select all
c eval wwReq = 'CONNECT ' + %trim(peHost)
c + ':' + %trim(%editc(wwPort:'L'))
c + ' HTTP/1.1'
C + CRLF
c if pePort = 0
c eval wwReq = wwReq
C + 'Host: ' + %trim(peHost)
xx01 c***************************** + ' HTTP/1.1'
C + CRLF
c else
c eval wwReq = wwReq
C + 'Host: ' + %trim(peHost)
c + ':' + %trim(%editc(pePort:'L'))
xx01 c***************************** + ' HTTP/1.1'
C + CRLF
c endif
c eval wwReq = wwReq
C + 'User-Agent: ' + HTTP_USERAGENT
Re: host differs to domain fronting proxy
Posted: Tue Apr 16, 2024 7:36 pm
by Scott Klement
Yeah, that shouldn't be in there... probably got accidentally added via copy/paste and nobody noticed because the proxy support worked.
Can you try the latest beta copy of HTTPAPI and see if it is resolved for you?
https://www.scottklement.com/httpapi/beta/