On 2019-03-01, Kihaguru Gathura <[email protected]> wrote:
> RESULTS:
>     GET / HTTP/1.0
>
>     HTTP/1.0 302 Found
>     Date: Fri, 01 Mar 2019 15:08:31 GMT
>     Server: OpenBSD httpd
>     Connection: close
>     Content-Type: text/html
>     Content-Length: 419
>     Location: https://192.168.1.101/


>         server "xyz.com" {
>                 listen on * port 80
>                 location "/.well-known/acme-challenge/*" {
>                         root "/acme"
>                         request strip 2
>                 }
>                 location * {
>                         block return 302 "https://$HTTP_HOST$REQUEST_URI";
>                 }
>         }

In this case the redirect is coming from your configuration.
You have configured httpd to redirect http://whatever/path to
https://whatever/path, using the value of "whatever" exactly as
provided by the client.

It isn't an information disclosure though - the only way
this string is used in the redirect is if the client *already*
knows the address and has supplied it in the Host header.
If you don't want to use the client-supplied host header (which
in this case is an internal IP) in the redirect, don't use
$HTTP_HOST in the redirect string, use a fixed name instead.

There's another case where httpd generates its own redirects
(not configurable): when you request a directory name without a
trailing /. In that case it always uses the value of the Host
variable to build it and there's no way to disable it.
But as before, it is only supplying the client with information
that the client already knows and supplied to the server.


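The two configurations the reply contrasts, side by side, as an added example that is not part of the original thread. The server name "xyz.com" and the "/acme" root are carried over from the poster's config as placeholders; substitute your own. The two "server" blocks are a before/after pair, not one file (httpd would reject two blocks with the same name).

```conf
# Added example, not from the thread. "xyz.com" and "/acme" are placeholders.

# Before: $HTTP_HOST copies whatever the client sent in its Host header
# (in the poster's case an internal address) straight into Location.
server "xyz.com" {
        listen on * port 80
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
        location * {
                block return 302 "https://$HTTP_HOST$REQUEST_URI"
        }
}

# After: a fixed name in the redirect target. The client-supplied Host
# header no longer appears in the response, whatever the client sends.
server "xyz.com" {
        listen on * port 80
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
        location * {
                block return 302 "https://xyz.com$REQUEST_URI"
        }
}
```

To confirm the change after `rcctl reload httpd`, send a request with a deliberately wrong Host header, for example `curl -sI -H 'Host: 192.168.1.101' http://xyz.com/`, and check that the Location header now names xyz.com rather than echoing the supplied value. Note the caveat from the reply: the redirect httpd adds on its own for a directory requested without a trailing "/" still builds its target from the Host header, and that behaviour is not configurable.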