Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

  1. Kemp Support
  2. Knowledge Base
  3. Content Delivery

Virtual service to only answer only HTTP/1.1 requests

Updated

 

Information

 

Summary:

We are wanting to prevent internal IP disclosure of real server IPs, by allowing only HTTP/1.1 requests
Environment:

Product: VLM

Version: Any

Platform: Any

Application: HTTP web applications
Question/Problem Description:

What is the best way to configure our virtual service(s) to only answer only HTTP/1.1 requests?
This is to prevent the HTTP location response header on the Bell Direct and Desktop Broker web applications from revealing internal IP addresses.
Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause: Web servers may be configured to send redirects to client requests. In some cases, specially crafted queries may be used to expose internal IP addresses. Typically this is done by sending a blank host header which can result in the server sending a redirect using its own IP address as the host name.
Resolution:

However we can configure kemp to remove/strip out the HTTP location response header that is exposing the internal server IP.

https://support.kemptechnologies.com/hc/en-us/articles/203522429-How-to-Mitigate-Against-Internal-IP-Address-Domain-Name-Disclosure-In-Real-Server-Redirects 
Workaround:  
Notes: https://support.kemptechnologies.com/hc/en-us/articles/203522429-How-to-Mitigate-Against-Internal-IP-Address-Domain-Name-Disclosure-In-Real-Server-Redirects 

Comments

In this document