Web Hosts Commands
To restrict the Location HTTP header in HTTP redirect responses to safe hosts only, use the web hosts command with the required parameters.
This feature protects against host header injection during the http -> https redirect upon login to VOSS Automate. The value supplied in the Host header is contained in the HTTP redirect response in the Location HTTP header.
The following Command Line Interface console display shows the available commands for web hosts.
web hosts add <hostname> - Add the hostname to the allowed hosts
web hosts del <hostname> - Delete the hostname from the allowed hosts
web hosts disable - Disables the allowed hosts feature
web hosts enable - Enables the allowed hosts feature, which blocks requests with unrecognised HOST headers
web hosts list - Displays the additional allowed hosts
Enable the feature
$ web hosts enable
Enabling the allowed hosts feature requires the web server.
Do you wish to continue? y
Allowed hosts
enabled: true
hosts: value not set
Restarting nginx for settings to take effect
Application nginx processes stopped.
Application services:firewall processes stopped.
Reconfiguring applications...
Application nginx processes started.
When the feature is enabled and no hosts are specified, the web server closes the connection.
Add and Delete a <hostname>
In this example, the hostname atlantic.net is added.
$ web hosts add atlantic.net
Adding a new allowed host requires the web server to be restarted.
Do you wish to continue? y
Allowed hosts
enabled: true
hosts:
atlantic.net
Restarting nginx for settings to take effect
Application nginx processes stopped.
Application services:firewall processes stopped.
Reconfiguring applications...
Application nginx processes started.
Note
For the hostname format, refer to, for example, RFC 1035, RFC 2181 and RFC 4343.
To remove a hostname from the list (the example is atlantic.net):
$ web hosts del atlantic.net
Listing host names
Use the web hosts list command to show status and list all safe hosts that can be in the Location HTTP header.
$ web hosts list
Allowed hosts
enabled: true
hosts:
atlantic.net
Disabling the feature
The feature can be disabled with the web hosts disable command. This will disable port 80 on the web server completely.
$ web hosts disable
Disabling the allowed hosts feature requires the web server to be restarted.
Do you wish to continue? y
Allowed hosts
enabled: false
hosts: value not set
Restarting nginx for settings to take effect
Application nginx processes stopped.
Application services:firewall processes stopped.
Reconfiguring applications...
Application nginx processes started.
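A small Python model of the check described on this page, added here as an illustration and not VOSS Automate or nginx code: it contrasts a redirect that reflects the Host header into Location with one restricted to an allowed-hosts list, returning None where the web server would close the connection. The function names, the letters-digits-hyphen label check and the sample hosts are assumptions made for the example.

```python
import re

# Assumed conservative label rule: letters, digits, hyphen; no leading or
# trailing hyphen; 1-63 characters per label.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def normalize_host(value):
    """Return the lower-cased hostname from a Host header value, or None if malformed."""
    value = (value or "").strip()
    if not value or value.startswith("["):       # IPv6 literals are out of scope here
        return None
    host, sep, port = value.partition(":")
    if sep and not (port.isascii() and port.isdigit()):
        return None
    if host.endswith("."):                       # tolerate one trailing root dot
        host = host[:-1]
    host = host.lower()                          # DNS names compare case-insensitively
    if not host or len(host) > 253:
        return None
    if not all(_LABEL.fullmatch(label) for label in host.split(".")):
        return None
    return host


def naive_redirect(host_header, path):
    """Unsafe pattern: Location reflects whatever Host value the client sent."""
    return "https://" + host_header + path


def allowlisted_redirect(host_header, path, allowed_hosts):
    """Return the Location value, or None to signal 'close the connection'."""
    host = normalize_host(host_header)
    allowed = {normalize_host(h) for h in allowed_hosts}
    if host is None or host not in allowed:
        return None
    return "https://" + host + path


if __name__ == "__main__":
    allowed = ["atlantic.net"]                   # as added with 'web hosts add'
    # Constructed Host header values, including one unrecognised host.
    for sent in ["atlantic.net", "ATLANTIC.net:80", "unknown.example"]:
        print(sent, "->", naive_redirect(sent, "/login"),
              "|", allowlisted_redirect(sent, "/login", allowed))
```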