[jetty-users] NAT with HTTP 1.0 returns internal IP address
martijn.list
2013-04-04 07:15:27 UTC
Hi,

I hope you can help me with this minor problem.

If Jetty is installed on a server with a NAT'd IP address, connecting
with HTTP 1.0 returns the internal IP address. This is understandable
since HTTP 1.0 does not support the Host parameter. However it's not
clear to me how to solve this.
Some suggestions that I have found, suggest to set the "hostHeader" on
the connector but this also requires that "forwarded" is set which is
not what I want since I do not want to support forwarding, I only want
to override what's returned by "ServletRequest#getServerName()" if using
HTTP 1.0 (or if the Host attribute is missing).

Two questions:

1. Can I completely disable support for HTTP 1.0 (probably not). The
main reason for this request is that sometimes clients do not want to
"leak" the internal IP address if using NAT and for normal use.

2. Can I set a connection attribute which overrides the default
"ServletRequest#getServerName()" if using HTTP 1.0 or if the Host
parameter is not set?

Kind regards,

Martijn Brinkers
martijn.list
2013-04-08 08:47:01 UTC
Post by martijn.list
> I hope you can help me with this minor problem.
> If Jetty is installed on a server with a NAT'd IP address, connecting
> with HTTP 1.0 returns the internal IP address. This is understandable
> since HTTP 1.0 does not support the Host parameter. However it's not
> clear to me how to solve this.
> Some suggestions that I have found, suggest to set the "hostHeader" on
> the connector but this also requires that "forwarded" is set which is
> not what I want since I do not want to support forwarding, I only want
> to override what's returned by "ServletRequest#getServerName()" if using
> HTTP 1.0 (or if the Host attribute is missing).
> 1. Can I completely disable support for HTTP 1.0 (probably not). The
> main reason for this request is that sometimes clients do not want to
> "leak" the internal IP address if using NAT and for normal use.
> 2. Can I set a connection attribute which overrides the default
> "ServletRequest#getServerName()" if using HTTP 1.0 or if the Host
> parameter is not set?

Since I didn't get any answer, it might be that I have not been clear
enough what the problem is I'm trying to fix.

To illustrate my point I'll provide an example of the "HTTP 1.0 shows
the internal IP address" problem.

Connect with telnet to a Jetty server on port 89 (in this example I use
www.webtide.com) issue a GET with the HTTP 1.0 protocol:

telnet www.webtide.com 80

Trying 72.32.76.94...
Connected to www.webtide.com.
Escape character is '^]'.
GET index.html HTTP/1.0

HTTP/1.1 302 Found
Location: https://192.168.100.94:443index.html
Content-Length: 0
Server: Jetty(9.0.1-SNAPSHOT)

Connection closed by foreign host.


The Location header in the HTTP response tells me to connect to an
internal IP address 192.168.100.94. There are two problems with this:

1. Since it's an internal IP address, connecting to this address will
never work from outside

2. The internal IP address is "leaked". Some companies with strict
security regulations do not like the internal IP addresses to be
"leaked" to the outside.

With Tomcat, you can set the proxyName which is used with HTTP 1.0.

I have two questions which I hope someone can help me with:

1. Can I completely disable support for HTTP 1.0. The
main reason for this request is that sometimes clients do not want to
"leak" the internal IP address if using NAT and for normal use.

2. Can I set a connection attribute which overrides the default
"ServletRequest#getServerName()" if using HTTP 1.0 or if the Host
parameter is not set?

Kind regards,

Martijn Brinkers
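
Added example, not part of the original thread and not Jetty code: a Python check that takes a captured response such as the one in the post above and reports URL-bearing headers whose host is a private, loopback or link-local IP literal. The `Content-Location` header and all function names are assumptions of this example; the sample response is reconstructed from the post.

```python
from __future__ import annotations
import ipaddress
import re

# Constructed sample: the response quoted in the thread, as raw bytes.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://192.168.100.94:443index.html\r\n"
    b"Content-Length: 0\r\n"
    b"Server: Jetty(9.0.1-SNAPSHOT)\r\n\r\n"
)
# Headers checked; Content-Location is an assumption added for this example.
URL_HEADERS = {"location", "content-location"}
# Scheme, then a bracketed IPv6 literal or everything up to ':', '/', '?', '#'.
_HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(?:\[([^\]]+)\]|([^/:?#]+))", re.I)


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Return (lowercased name, value) pairs from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def url_host(value: str) -> str | None:
    """Host of an absolute URL, taken without parsing the port so that a
    malformed authority like '192.168.100.94:443index.html' still yields it."""
    m = _HOST_RE.match(value)
    return (m.group(1) or m.group(2)) if m else None


def internal_address_leaks(raw: bytes) -> list[tuple[str, str]]:
    """Return (header, address) for URL headers whose host is a non-public IP."""
    leaks = []
    for name, value in parse_headers(raw):
        host = url_host(value) if name in URL_HEADERS else None
        try:
            addr = ipaddress.ip_address(host or "")
        except ValueError:
            continue  # relative URL or DNS name, not an IP literal
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            leaks.append((name, str(addr)))
    return leaks

print(internal_address_leaks(SAMPLE_RESPONSE))
```

Run against responses captured from a request sent without a Host header, it serves as a regression check once a fixed server name is configured.
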
Simone Bordet
2013-04-08 15:15:37 UTC
Martijn,
Post by martijn.list
> Connect with telnet to a Jetty server on port 89 (in this example I use
> telnet www.webtide.com 80
> Trying 72.32.76.94...
> Connected to www.webtide.com.
> Escape character is '^]'.
> GET index.html HTTP/1.0
> HTTP/1.1 302 Found
> Location: https://192.168.100.94:443index.html
> Content-Length: 0
> Server: Jetty(9.0.1-SNAPSHOT)
> Connection closed by foreign host.
> The Location header in the HTTP response tells me to connect to an internal

So I tried and I can reproduce; if I use HTTP 1.1, then I get the
correct Location header.
Reproducible test cases make miracles in reply speed :)

Seems a bug, investigating.

Can you please open an issue regarding this, and report here the bugzilla ID ?

Thanks !

--
Simone Bordet
----
http://cometd.org
http://webtide.com
http://intalio.com
Developer advice, training, services and support
from the Jetty & CometD experts.
Intalio, the modern way to build business applications.
Simone Bordet
2013-04-08 16:05:03 UTC
Hi,
Post by Simone Bordet
> Martijn,
> Post by martijn.list
>> Connect with telnet to a Jetty server on port 89 (in this example I use
>> telnet www.webtide.com 80
>> Trying 72.32.76.94...
>> Connected to www.webtide.com.
>> Escape character is '^]'.
>> GET index.html HTTP/1.0
>> HTTP/1.1 302 Found
>> Location: https://192.168.100.94:443index.html
>> Content-Length: 0
>> Server: Jetty(9.0.1-SNAPSHOT)
>> Connection closed by foreign host.
>> The Location header in the HTTP response tells me to connect to an internal
> So I tried and I can reproduce; if I use HTTP 1.1, then I get the
> correct Location header.
> Reproducible test cases make miracles in reply speed :)
> Seems a bug, investigating.

What Jetty version, BTW ?

We can handle this in Jetty 9 by adding a secureHost property to
HttpConfiguration (along with already existing securePort and
secureScheme).

--
Simone Bordet
martijn.list
2013-04-08 16:43:55 UTC
Post by Simone Bordet
> Hi,
> Post by Simone Bordet
>> Martijn,
>> Post by martijn.list
>>> Connect with telnet to a Jetty server on port 89 (in this example I use
>>> telnet www.webtide.com 80
>>> Trying 72.32.76.94...
>>> Connected to www.webtide.com.
>>> Escape character is '^]'.
>>> GET index.html HTTP/1.0
>>> HTTP/1.1 302 Found
>>> Location: https://192.168.100.94:443index.html
>>> Content-Length: 0
>>> Server: Jetty(9.0.1-SNAPSHOT)
>>> Connection closed by foreign host.
>>> The Location header in the HTTP response tells me to connect to an internal
>> So I tried and I can reproduce; if I use HTTP 1.1, then I get the
>> correct Location header.
>> Reproducible test cases make miracles in reply speed :)
>> Seems a bug, investigating.
> What Jetty version, BTW ?

I'm using Jetty 8 but I think the problem occurs with all Jetty versions.

Post by Simone Bordet
> We can handle this in Jetty 9 by adding a secureHost property to
> HttpConfiguration (along with already existing securePort and
> secureScheme).

But isn't this only for SSL?

Kind regards,

Martijn Brinkers
Simone Bordet
2013-04-08 16:50:25 UTC
Hi,
Post by martijn.list
> But isn't this only for SSL?

Not sure what you mean here, but the "redirection" happens at the HTTP
level, not at the connection level.
As such, it is part of the HTTP configuration.

We're going to fix this for Jetty 9, unlikely that we fix it for
previous Jetty versions, unless priorities change.

--
Simone Bordet
martijn.list
2013-04-08 19:33:10 UTC
Post by Simone Bordet
> Hi,
> Post by martijn.list
>> But isn't this only for SSL?
> Not sure what you mean here, but the "redirection" happens at the HTTP
> level, not at the connection level.
> As such, it is part of the HTTP configuration.

According to the Javadoc, securePort is "The port to which Integral or
Confidential security constraints are redirected". However in my view
the problem is related to what ServletRequest#getServerName() returns
*if* the Location header is not set.

It looks like the implementation of ServletRequest#getServerName()
falls back to using InetAddress#getLocalHost() if the Location header of
the request is not set. What I would like is to override what's being
returned by ServletRequest#getServerName() if the Location header is not
set (i.e., allow me to override the default return of the local IP
address). I think this is needed since a lot of Java web frameworks use
ServletRequest#getServerName() for generating a redirect URL.

For example Tomcat allows you to set a proxyName parameter on the connector:

"proxyName: If this Connector is being used in a proxy configuration,
configure this attribute to specify the server name to be returned for
calls to request.getServerName(). See Proxy Support for more information."

http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

Kind regards,

Martijn Brinkers
Post by Simone Bordet
> We're going to fix this for Jetty 9, unlikely that we fix it for
> previous Jetty versions, unless priorities change.

:( ok. I'll check out Jetty 9

Kind regards,

Martijn Brinkers
Simone Bordet
2013-06-10 08:38:59 UTC
Hi,
> It looks like the implementation of ServletRequest#getServerName() falls back
> to using InetAddress#getLocalHost() if the Location header of the request
> is not set. What I would like is to override what's being returned by
> ServletRequest#getServerName() if the Location header is not set (i.e.,
> allow me to override the default return of the local IP address). I think
> this is needed since a lot of Java web frameworks use
> ServletRequest#getServerName() for generating a redirect URL.
> "proxyName: If this Connector is being used in a proxy configuration,
> configure this attribute to specify the server name to be returned for calls
> to request.getServerName(). See Proxy Support for more information."
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

For the record, this is now available out of the box in Jetty 9 using
a HostHeaderCustomizer, see
http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/tree/jetty-server/src/main/java/org/eclipse/jetty/server/HostHeaderCustomizer.java.

Will be in 9.0.4.

--
Simone Bordet

martijn.list
2013-04-08 16:41:04 UTC
Post by Simone Bordet
> Martijn,
> Post by martijn.list
>> Connect with telnet to a Jetty server on port 89 (in this example I use
>> telnet www.webtide.com 80
>> Trying 72.32.76.94...
>> Connected to www.webtide.com.
>> Escape character is '^]'.
>> GET index.html HTTP/1.0
>> HTTP/1.1 302 Found
>> Location: https://192.168.100.94:443index.html
>> Content-Length: 0
>> Server: Jetty(9.0.1-SNAPSHOT)
>> Connection closed by foreign host.
>> The Location header in the HTTP response tells me to connect to an internal
> So I tried and I can reproduce; if I use HTTP 1.1, then I get the
> correct Location header.
> Reproducible test cases make miracles in reply speed :)
> Seems a bug, investigating.
> Can you please open an issue regarding this, and report here the bugzilla ID ?

Thanks for the swift response,

Bug filed under Bugzilla ID: 405188

https://bugs.eclipse.org/bugs/show_bug.cgi?id=405188

Kind regards,

Martijn Brinkers