Virtual service to answer only HTTP/1.1 requests
We want to prevent disclosure of the internal IPs of the real servers by allowing only HTTP/1.1 requests.
Application: HTTP web applications
What is the best way to configure our virtual service(s) to answer only HTTP/1.1 requests?
Steps to Reproduce:

Cause: Web servers may be configured to send redirects in response to client requests. In some cases, specially crafted requests can be used to expose internal IP addresses. Typically this is done by sending a blank Host header, which can result in the server sending a redirect that uses its own IP address as the host name.

However, we can configure Kemp to remove/strip the HTTP Location response header that exposes the internal server IP.