Virtual service to answer only HTTP/1.1 requests
Information
Summary: We want to prevent disclosure of real servers' internal IP addresses by allowing only HTTP/1.1 requests.
Environment: Product: VLM; Version: Any; Platform: Any; Application: HTTP web applications
Question/Problem Description: What is the best way to configure our virtual service(s) to answer only HTTP/1.1 requests?
Steps to Reproduce:
Error Message:
Defect Number:
Enhancement Number:
Cause: Web servers may be configured to send redirects in response to client requests. In some cases, specially crafted queries may be used to expose internal IP addresses. Typically this is done by sending a blank Host header, which can result in the server sending a redirect that uses its own IP address as the host name.
Resolution: However, we can configure Kemp to remove/strip out the HTTP Location response header that is exposing the internal server IP.
Workaround:
Notes: https://support.kemptechnologies.com/hc/en-us/articles/203522429-How-to-Mitigate-Against-Internal-IP-Address-Domain-Name-Disclosure-In-Real-Server-Redirects
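
The following is an added example, not part of the Kemp article or of LoadMaster itself: a Python check that flags redirect headers whose host is a private IP literal in a captured response, and shows the effect of stripping the Location header as the Resolution describes. The function names and the sample response are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Headers that can carry a redirect target built from the server's own address.
REDIRECT_HEADERS = ("location", "content-location")


def split_response(raw: bytes):
    """Split a raw HTTP response into (status_line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def internal_redirect_hosts(raw: bytes):
    """Return (header, host) pairs where the redirect host is a private IP literal."""
    _, headers, _ = split_response(raw)
    found = []
    for name, value in headers:
        if name.lower() not in REDIRECT_HEADERS:
            continue
        host = urlsplit(value).hostname  # None for relative redirects
        if host is None:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # a DNS name, not an IP literal
        if addr.is_private:  # RFC 1918, loopback, link-local, IPv6 ULA
            found.append((name, host))
    return found


def strip_location(raw: bytes) -> bytes:
    """Mirror the Resolution: drop the Location header, keep everything else."""
    status, headers, body = split_response(raw)
    kept = [f"{n}: {v}" for n, v in headers if n.lower() != "location"]
    return "\r\n".join([status, *kept]).encode("iso-8859-1") + b"\r\n\r\n" + body


# Constructed sample: a redirect a real server might send when Host is blank.
SAMPLE = (b"HTTP/1.1 302 Found\r\n"
          b"Location: https://10.20.30.40/app/\r\n"
          b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(internal_redirect_hosts(SAMPLE))
    print(internal_redirect_hosts(strip_location(SAMPLE)))
```

Removing Location leaves the client with a 3xx response it cannot follow, so test the affected application paths after applying the rule.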