host differs to domain fronting proxy

Discussions related to HTTPAPI (an HTTP client package for RPG programming): http://www.scottklement.com/httpapi/
oxfordpete
Posts: 3
Joined: Thu Apr 11, 2024 10:17 am

host differs to domain fronting proxy

Post by oxfordpete »

Our security team have now informed us that they are tightening controls in the proxy server configuration to block requests showing domain fronting behavior, as this can be exploited and poses a potential security risk.
Specifically, they say HTTPAPI traffic via the proxy will be blocked because the hostname and the HTTP Host header differ.
I am guessing this is due to the "HTTP/1.1" appearing against the Host in the API headers?
Has anyone come across this issue? Is it configurable in any way?
Thanks
Pete
Scott Klement
Site Admin
Posts: 658
Joined: Sun Jul 04, 2021 5:12 am

Re: host differs to domain fronting proxy

Post by Scott Klement »

Sorry, I don't understand. What do you mean by "the host name and the host header differ"? HTTP/1.1 is the version of HTTP and is required to be there, always... not sure what that has to do with security.
oxfordpete
Posts: 3
Joined: Thu Apr 11, 2024 10:17 am

Re: host differs to domain fronting proxy

Post by oxfordpete »

Basically, it seems that if I send an HTTP request (e.g. a POST) to the server mywebsite.com via a proxy, the proxy_tunnel() code generates headers such as:
CONNECT mywebsite.com:443 HTTP/1.1
Host: mywebsite.com HTTP/1.1
User-Agent: http-api/1.48
Proxy-Connection: keep-alive

The security team are implementing checks on proxy traffic requiring that the Host: statement in the HTTP header matches the destination server URL,
i.e. we need to generate the below so the header is the same as the target host:
CONNECT mywebsite.com:443 HTTP/1.1
Host: mywebsite.com
User-Agent: http-api/1.48
Proxy-Connection: keep-alive

I have made a code change to the proxy_tunnel() code and am currently testing all our HTTP connections; so far they all work without the HTTP/1.1 being appended to the Host: statement.
Pete
Scott Klement
Site Admin
Posts: 658
Joined: Sun Jul 04, 2021 5:12 am

Re: host differs to domain fronting proxy

Post by Scott Klement »

Oh, you're saying that HTTP/1.1 is somehow being added to the host: header? That shouldn't be happening.
oxfordpete
Posts: 3
Joined: Thu Apr 11, 2024 10:17 am

Re: host differs to domain fronting proxy

Post by oxfordpete »

Changed HTTPAPIR4 (HTTPAPI Ver 1.48) as below:

Code:

     c                   eval      wwReq = 'CONNECT ' + %trim(peHost)                 
     c                                   + ':' + %trim(%editc(wwPort:'L'))            
     c                                   + ' HTTP/1.1'                                
     C                                   + CRLF                                       
                                                                                      
     c                   if        pePort = 0                                         
     c                   eval      wwReq = wwReq                                      
     C                                   + 'Host: ' + %trim(peHost)                   
xx01 c*****************************      + ' HTTP/1.1'                                
     C                                   + CRLF                                       
     c                   else                                                         
     c                   eval      wwReq = wwReq                                      
     C                                   + 'Host: ' + %trim(peHost)                   
     c                                   + ':' + %trim(%editc(pePort:'L'))            
xx01 c*****************************      + ' HTTP/1.1'                                
     C                                   + CRLF                                       
     c                   endif                                                        
                                                                                      
     c                   eval      wwReq = wwReq                                      
     C                                   + 'User-Agent: ' + HTTP_USERAGENT       
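As an added example (not HTTPAPI code and not from any post in this thread), the following Python builds the CONNECT preamble that proxy_tunnel() sends, both with the stray " HTTP/1.1" on the Host header and without it, and then applies the proxy-side check the security team describe: the Host header must name the same host and port as the CONNECT target. The function names, the sample hostnames, and the treatment of a port-less Host header as port 443 are assumptions for illustration, not part of HTTPAPI or of any particular proxy product.

```python
"""Added example: build a proxy CONNECT preamble like HTTPAPI's proxy_tunnel()
and apply the proxy-side check described in the thread (Host header must name
the same host:port as the CONNECT target).  Illustrative code, not HTTPAPI."""

CRLF = "\r\n"
DEFAULT_HTTPS_PORT = 443  # assumption: a Host header without a port means 443


def build_connect_request(host, connect_port, host_header_port=None,
                          user_agent="http-api/1.48", stray_version=False):
    """Return the CONNECT request a client sends to a forward proxy.

    host_header_port=None mirrors the pePort = 0 branch (Host without a port).
    stray_version=True reproduces the defect from the thread: ' HTTP/1.1'
    appended to the Host header value.
    """
    host_value = host if host_header_port is None else f"{host}:{host_header_port}"
    if stray_version:
        host_value += " HTTP/1.1"  # the bug being fixed in the RPG above
    return (f"CONNECT {host}:{connect_port} HTTP/1.1{CRLF}"
            f"Host: {host_value}{CRLF}"
            f"User-Agent: {user_agent}{CRLF}"
            f"Proxy-Connection: keep-alive{CRLF}{CRLF}")


def parse_request_head(raw):
    """Split a request head into (method, target, version, headers).

    Header names are lower-cased; a repeated header is rejected so that two
    Host values cannot be smuggled past the check.
    """
    head = raw.partition(CRLF + CRLF)[0]
    lines = head.split(CRLF)
    method, target, version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        name = name.strip().lower()
        if name in headers:
            raise ValueError(f"repeated header: {name}")
        headers[name] = value.strip()
    return method, target, version, headers


def split_authority(authority, default_port=DEFAULT_HTTPS_PORT):
    """Split 'host', 'host:port' or '[v6]:port' into (host, port).

    Anything that is not a clean authority (spaces, slashes, a non-numeric
    port) raises ValueError, which is what catches 'mywebsite.com HTTP/1.1'.
    """
    authority = authority.strip()
    if authority.startswith("["):  # IPv6 literal
        end = authority.find("]")
        if end == -1:
            raise ValueError(f"unterminated IPv6 literal: {authority!r}")
        host, rest = authority[1:end], authority[end + 1:]
    else:
        host, sep, port_text = authority.partition(":")
        rest = sep + port_text
    if not host or any(c.isspace() for c in host) or "/" in host:
        raise ValueError(f"bad host in authority: {authority!r}")
    if rest == "":
        return host.lower(), default_port
    if not (rest.startswith(":") and rest[1:].isdigit()):
        raise ValueError(f"bad port in authority: {authority!r}")
    return host.lower(), int(rest[1:])


def check_connect_host(raw):
    """Proxy-side policy: (True, 'ok') only when Host matches the CONNECT target."""
    try:
        method, target, _version, headers = parse_request_head(raw)
        if method != "CONNECT":
            return False, f"not a CONNECT request: {method}"
        if "host" not in headers:
            return False, "missing Host header"
        target_host, target_port = split_authority(target)
        header_host, header_port = split_authority(headers["host"])
    except ValueError as exc:
        return False, f"malformed request: {exc}"
    if (target_host, target_port) != (header_host, header_port):
        return False, (f"Host {header_host}:{header_port} does not match "
                       f"CONNECT target {target_host}:{target_port}")
    return True, "ok"


if __name__ == "__main__":
    for label, req in [
        ("buggy  ", build_connect_request("mywebsite.com", 443, stray_version=True)),
        ("fixed  ", build_connect_request("mywebsite.com", 443)),
        ("fronted", "CONNECT cdn.example.net:443 HTTP/1.1" + CRLF
                    + "Host: hidden.example.org" + CRLF + CRLF),
    ]:
        print(label, check_connect_host(req))
```

The buggy preamble is rejected for the same reason a strict proxy rejects it: once " HTTP/1.1" is glued onto the Host value, the header no longer parses as an authority at all, so it cannot equal the CONNECT target. The third sample is the case the control is really aimed at, a CONNECT to one name carrying a Host header for another; the fixed HTTPAPI output passes because both name the same host and port.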
Scott Klement
Site Admin
Posts: 658
Joined: Sun Jul 04, 2021 5:12 am

Re: host differs to domain fronting proxy

Post by Scott Klement »

Yeah, that shouldn't be in there... probably got accidentally added via copy/paste and nobody noticed because the proxy support worked.

Can you try the latest beta copy of HTTPAPI and see if it is resolved for you?
https://www.scottklement.com/httpapi/beta/