Forum OpenACS Development: Untrusted host header

Posted by Iuri Sampaio on
How would I correct headers when running OACS (NaviServer) behind an Nginx proxy?

Indeed, 127.0.0.1 and 8443 are present in the /etc/config.tcl file, and I have no intention of assigning an external IP nor 443, because NGINX is there.

set httpsport 8443
# The hostname and address should be set to actual values.
# setting the address to 0.0.0.0 means aolserver listens on all interfaces
set hostname evex.co
set address_v4 127.0.0.1

Another parameter I amended is proxy_mode; I expected it to do the whole magic.

# Are we running behind a proxy?
#set proxy_mode false
set proxy_mode true

Is there anything else to amend in order to make the OACS core capable of assigning header values properly?

Furthermore, I've noticed that before the warning there are some validations referencing host_node_map.

[07/Jul/2018:13:12:38][2783.7fe0b0a3d700][-conn:evex:0:1032-] Notice: checking entry 127.0.0.1 from host_node_map ->

Is it possible to somehow create a pair with 127.0.0.1?
I tried, but / is not available in the list of applications to pair with.
I was expecting to resolve it by simply forwarding 127.0... to / (i.e. the main site).

[07/Jul/2018:13:12:38][2783.7fe0b0a3d700][-conn:evex:0:1032-] Warning: ignore untrusted host header field: '127.0.0.1:8443'

How would I fix the headers so that they carry the correct host?

Best wishes,

2: Re: Untrusted host header (response to 1)
Posted by Malte Sussdorff on
I stumbled upon this, and just in case somebody else needs to figure this out:

For *util_current_location* to find the correct URL and not fall back, make sure to set the "Host" header in NGINX like this:

proxy_set_header Host $host:443;

3: Re: Untrusted host header (response to 2)
Posted by Gustaf Neumann on
The warning message "Untrusted host header" appears when the server receives content in the "Host:" header field which is not trusted. The host header field is used for determining the virtual server (one NaviServer instance can serve multiple different virtual servers, see e.g. [1]).

On OpenACS sites, in most cases, there is only one server configured. When the host header field contains an unknown value, it falls back to the default server, which is the right thing for OpenACS. The accepted values are defined per driver in the */servers section, where a domain name or IP address is mapped to the logical server (see e.g. [2]). In case an OpenACS instance should be reachable under different names, these should be added to this section in the configuration file. Note that newer versions of NaviServer (4.99.16 or newer, see [3]) require fewer entries there.

When running behind a proxy, it is probably better to add the expected entry to the */servers section, since the host header sent to nginx could already contain a port, so the concatenation might also be a problem.

All the best
-gn

[1] https://openacs.org/forums/message-view?message_id=5468281
[2] https://bitbucket.org/naviserver/naviserver/src/dfc6d8549ffab12b08d2d5f319e5f30b6799a7a7/openacs-config.tcl#lines-295
[3] https://bitbucket.org/naviserver/naviserver/src/dfc6d8549ffab12b08d2d5f319e5f30b6799a7a7/NEWS#lines-1649
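As an added illustration of the */servers mapping discussed in reply 3 (this is example configuration, not code from the thread or from the NaviServer project): the fragment below reuses the variable names from the question's config.tcl and maps every Host value the proxied server may receive to the logical server, so neither the proxy default nor the header from reply 2 falls back to the default server. The section path ns/module/nsssl/servers and the logical server name are assumptions taken from the openacs-config.tcl referenced as [2]; check them against your own driver configuration.

```tcl
# Added example, not from the thread. Variable names follow the
# config.tcl excerpt in the question; "server" is an assumed name.
set server     openacs
set hostname   evex.co
set address_v4 127.0.0.1
set httpsport  8443

# Virtual-server mapping for the HTTPS driver (section path assumed
# from the referenced openacs-config.tcl). Key = logical server,
# value = a Host header value that should select it.
ns_section "ns/module/nsssl/servers"
    # Plain domain name, as sent when nginx rewrites Host to $host.
    ns_param $server $hostname
    # Value produced by "proxy_set_header Host $host:443;" (reply 2).
    ns_param $server ${hostname}:443
    # Value nginx sends when Host is left at its default ($proxy_host);
    # this is the '127.0.0.1:8443' the warning in the question refused.
    ns_param $server ${address_v4}:${httpsport}
```

Any Host value not listed here is still served by the default server, so a missing entry shows up as the "ignore untrusted host header field" warning rather than as a refused request.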