Forum OpenACS Development: Re: Untrusted host header

3: Re: Untrusted host header (response to 2)
Posted by Gustaf Neumann on
The warning message "Untrusted host header" comes when the server receives content in the "Host:" header field which is not trusted. The host header field is used for determining the virtual server (one NaviServer instance can serve multiple different virtual servers, see e.g. [1]).

On OpenACS sites, in most cases, there is only one server configured. When the host header field contains a value which is unknown, it falls back to the default server, which is the right thing for OpenACS. The accepted values are defined per driver in the "*/servers" section, where a domain name or IP address is mapped to the logical server (see e.g. [2]). In case an OpenACS instance should be called under different names, these should be added to this section in the configuration file. Note that versions of NaviServer (4.99.16 or newer, see [3]) require fewer entries there.

When running behind a proxy, it is probably better to add the expected entry to the "*/servers" section, since the host header sent to nginx could already contain a port as well, so the concatenation might be a problem as well.

All the best
-gn

[1] https://openacs.org/forums/message-view?message_id=5468281
[2] https://bitbucket.org/naviserver/naviserver/src/dfc6d8549ffab12b08d2d5f319e5f30b6799a7a7/openacs-config.tcl#lines-295
[3] https://bitbucket.org/naviserver/naviserver/src/dfc6d8549ffab12b08d2d5f319e5f30b6799a7a7/NEWS#lines-1649
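The lookup described in the post (Host header matched against a per-driver table of "host[:port]" entries, with an "Untrusted host header" warning and fallback to the default server on a miss) can be illustrated with a small Python model. This is an added example, not NaviServer code or anything from the OpenACS project: the `DriverConfig` shape, the `openacs.example.org` / `192.0.2.10` entries and the `diagnose` helper are assumptions chosen to show why a reverse proxy that forwards `host:port` needs its own entry in the table.

```python
# Added illustration of Host-header based virtual-server selection.
# NOT NaviServer code; config shape, names and sample hosts are assumed.
from __future__ import annotations
import logging
from dataclasses import dataclass, field

log = logging.getLogger("vhost")


@dataclass
class DriverConfig:
    """Per-driver table shaped like the "*/servers" config section:
    each logical server lists the host[:port] values it answers for."""
    default_server: str
    servers: dict[str, set[str]] = field(default_factory=dict)


def split_host_port(host: str) -> tuple[str, str | None]:
    """Split 'host:port', keeping IPv6 literals such as '[::1]:8000' intact."""
    if host.startswith("["):
        close = host.find("]")
        if close == -1:
            return host, None
        rest = host[close + 1:]
        return host[:close + 1], (rest[1:] if rest.startswith(":") else None)
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        return name, port
    return host, None


def normalize_host(raw: str) -> str:
    """Trim and lower-case (DNS names are case-insensitive); the port is kept,
    so 'www.example.org:8000' and 'www.example.org' stay distinct entries."""
    return raw.strip().lower()


def select_server(cfg: DriverConfig, host_header: str | None) -> tuple[str, bool]:
    """Return (logical server, trusted). A missing or unknown Host value is
    logged as an untrusted host header and falls back to the default server."""
    if not host_header or not host_header.strip():
        log.warning("Untrusted host header: %r", host_header)
        return cfg.default_server, False
    host = normalize_host(host_header)
    for server, accepted in cfg.servers.items():
        if host in accepted:
            return server, True
    log.warning("Untrusted host header: %r", host_header)
    return cfg.default_server, False


def diagnose(cfg: DriverConfig, host_header: str | None) -> str:
    """Classify a Host value: 'trusted', 'port-mismatch' (the bare name is
    configured but the forwarded port is not, the proxy case) or 'unknown-host'."""
    _server, trusted = select_server(cfg, host_header)
    if trusted:
        return "trusted"
    name, _port = split_host_port(normalize_host(host_header or ""))
    configured = set().union(*cfg.servers.values())
    bare_names = {split_host_port(entry)[0] for entry in configured}
    return "port-mismatch" if name in bare_names else "unknown-host"


def proxy_entries(hostname: str, port: int | None) -> set[str]:
    """Entries that accept the site both with and without the port a reverse
    proxy may forward in the Host header."""
    entries = {hostname.lower()}
    if port is not None:
        entries.add(f"{hostname.lower()}:{port}")
    return entries


# Constructed sample configuration (assumed names, not a real deployment).
SAMPLE = DriverConfig(
    default_server="openacs",
    servers={"openacs": proxy_entries("openacs.example.org", 8000) | {"192.0.2.10"}},
)

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for h in ["openacs.example.org", "OpenACS.Example.ORG:8000",
              "openacs.example.org:8443", "evil.example.net", "[::1]:8000"]:
        print(h, "->", select_server(SAMPLE, h), diagnose(SAMPLE, h))
```

Running the block shows the two failure modes side by side: `evil.example.net` is simply unknown and goes to the default server with a warning, while `openacs.example.org:8443` is rejected only because the port-qualified form was never listed, which is the situation the post describes for nginx in front of the server and which `proxy_entries` fixes by adding both forms.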