Web Hosts Commands#

In order to manage the location HTTP header in HTTP redirect responses to only include safe hosts, the web hosts command can be used with the required parameters.

This feature protects against host header injection during the http -> https redirect upon login to VOSS Automate. The value supplied in the Host header is contained in the HTTP redirect response in the Location HTTP header.

The following Command Line Interface console display shows the available commands for web hosts.

web hosts add <hostname>  - Add the hostname to the allowed hosts
web hosts del <hostname>  - Delete the hostname from the allowed hosts
web hosts disable         - Disables the allowed hosts feature
web hosts enable          - Enables the allowed hosts feature, which blocks requests with unrecognised
                              HOST headers
web hosts list            - Displays the additional allowed hosts

Enable the feature#

$ web hosts enable
Enabling the allowed hosts feature requires the web server.
Do you wish to continue? y
Allowed hosts
    enabled: true
    hosts: value not set


Restarting nginx for settings to take effect

Application nginx processes stopped.

Application services:firewall processes stopped.
Reconfiguring applications...
Application nginx processes started.

After the feature is enabled and no hosts specified, the web server closes the connection.

Add and Delete a <hostname>#

In this example, the hostname atlantic.net is added.

$ web hosts add atlantic.net
Adding a new allowed host requires the web server to be restarted.
Do you wish to continue? y
Allowed hosts
    enabled: true
    hosts:
        atlantic.net
Restarting nginx for settings to take effect
Application nginx processes stopped.
Application services:firewall processes stopped.
Reconfiguring applications...
Application nginx processes started.

Note

  • For hostname format, refer to for example: RFC 1035, RFC 2181 and RFC 4343.

To remove a hostname from the list (example is atlantic.net):

$ web hosts del atlantic.net

Listing host names#

Use the web hosts list command to show status and list all safe hosts that can be in the Location HTTP header.

$ web hosts list
Allowed hosts
    enabled: true
    hosts:
        atlantic.net

Disabling the feature#

The feature can be disabled with the web hosts disable command. This will disable port 80 on the web server completely.

$ web hosts disable
Disabling the allowed hosts feature requires the web server to be restarted.
Do you wish to continue? y
Allowed hosts
    enabled: false
    hosts: value not set
Restarting nginx for settings to take effect
Application nginx processes stopped.
Application services:firewall processes stopped.
Reconfiguring applications...
Application nginx processes started.