Re: httpd: expand HTTP Host

Mon, 13 Mar 2017 11:23:52 -0700 

Hi!

Host header is mandatory for HTTP 1.1 requests and httpd will return
400 Bad request without it. With HTTP 1.0 requests I get 301 to the
IP the httpd is running on.

Connected to 10.XXX
Escape character is '^]'.
GET / HTTP/1.0\r\n\r\n

HTTP/1.0 301 Moved Permanently
Date: Mon, 13 Mar 2017 18:20:48 GMT
Server: OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 443
Location: https://10.XXX/

Rivo

On 13/03/2017, 20:10, "Florian Obser" <flor...@openbsd.org> wrote:

    On Sat, Mar 11, 2017 at 06:11:53PM +0000, Rivo Nurges wrote:
    > Hi!
    > 
    > Following will add possibility to expand $HTTP_HOST to the HTTP
    > Host header in "block return".
    > 
    > In my setup I have relayd on port 443 and httpd on 80. This patch
    > allows me to redirect http(httpd) to https(relayd) without knowing
    > the host.
    > 
    > /etc/httpd.conf:
    > server "redirect" {
    >   listen on * port 80
    >   block return 301 "https://$HTTP_HOST$REQUEST_URI";
    > }
    > 
    > Rivo
    > 
    > Index: usr.sbin/httpd/server_http.c
    > ===================================================================
    > RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
    > retrieving revision 1.115
    > diff -u -p -r1.115 server_http.c
    > --- usr.sbin/httpd/server_http.c  10 Mar 2017 21:06:43 -0000      1.115
    > +++ usr.sbin/httpd/server_http.c  11 Mar 2017 17:51:23 -0000
    > @@ -1068,6 +1068,18 @@ server_expand_http(struct client *clt, c
    >           if (ret != 0)
    >                   return (NULL);
    >   }
    > + if (strstr(val, "$HTTP_HOST") != NULL) {
    > +         if (desc->http_host == NULL) {
    > +                 ret = expand_string(buf, len, "$HTTP_HOST", "");
    
    This will not create a working redirect. Should we return 500 instead
    if there is no host header?
    
    What is nginx doing in that case?
    
    nginx has $http_host and $host, $host is assigned the host header and
    if that doesn't exist the server name. (Wouldn't help in your case
    since it would redirect to https://redirect/).
    
    Other than this looks good.
    
    > +         } else {
    > +                 if ((str = url_encode(desc->http_host)) == NULL)
    > +                         return (NULL);
    > +                 ret = expand_string(buf, len, "$HTTP_HOST", str);
    > +                 free(str);
    > +         }
    > +         if (ret != 0)
    > +                 return (NULL);
    > + }
    >   if (strstr(val, "$REMOTE_") != NULL) {
    >           if (strstr(val, "$REMOTE_ADDR") != NULL) {
    >                   if (print_host(&clt->clt_ss,
    > Index: usr.sbin/httpd/httpd.conf.5
    > ===================================================================
    > RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
    > retrieving revision 1.79
    > diff -u -p -r1.79 httpd.conf.5
    > --- usr.sbin/httpd/httpd.conf.5   7 Feb 2017 12:27:42 -0000       1.79
    > +++ usr.sbin/httpd/httpd.conf.5   11 Mar 2017 17:51:23 -0000
    > @@ -221,6 +221,8 @@ The configured IP address of the server.
    >  The configured TCP server port of the server.
    >  .It Ic $SERVER_NAME
    >  The name of the server.
    > +.It Ic $HTTP_HOST
    > +The host from the HTTP Host header.
    >  .It Pf % Ar n
    >  The capture index
    >  .Ar n
    > 
    > begin-base64 644 http_host.diff
    > 
SW5kZXg6IHVzci5zYmluL2h0dHBkL3NlcnZlcl9odHRwLmMKPT09PT09PT09PT09PT09PT09PT09
    > 
PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQpSQ1MgZmlsZTog
    > 
L2N2cy9zcmMvdXNyLnNiaW4vaHR0cGQvc2VydmVyX2h0dHAuYyx2CnJldHJpZXZpbmcgcmV2aXNp
    > 
b24gMS4xMTUKZGlmZiAtdSAtcCAtcjEuMTE1IHNlcnZlcl9odHRwLmMKLS0tIHVzci5zYmluL2h0
    > 
dHBkL3NlcnZlcl9odHRwLmMJMTAgTWFyIDIwMTcgMjE6MDY6NDMgLTAwMDAJMS4xMTUKKysrIHVz
    > 
ci5zYmluL2h0dHBkL3NlcnZlcl9odHRwLmMJMTEgTWFyIDIwMTcgMTc6NTE6MjMgLTAwMDAKQEAg
    > 
LTEwNjgsNiArMTA2OCwxOCBAQCBzZXJ2ZXJfZXhwYW5kX2h0dHAoc3RydWN0IGNsaWVudCAqY2x0
    > 
LCBjCiAJCWlmIChyZXQgIT0gMCkKIAkJCXJldHVybiAoTlVMTCk7CiAJfQorCWlmIChzdHJzdHIo
    > 
dmFsLCAiJEhUVFBfSE9TVCIpICE9IE5VTEwpIHsKKwkJaWYgKGRlc2MtPmh0dHBfaG9zdCA9PSBO
    > 
VUxMKSB7CisJCQlyZXQgPSBleHBhbmRfc3RyaW5nKGJ1ZiwgbGVuLCAiJEhUVFBfSE9TVCIsICIi
    > 
KTsKKwkJfSBlbHNlIHsKKwkJCWlmICgoc3RyID0gdXJsX2VuY29kZShkZXNjLT5odHRwX2hvc3Qp
    > 
KSA9PSBOVUxMKQorCQkJCXJldHVybiAoTlVMTCk7CisJCQlyZXQgPSBleHBhbmRfc3RyaW5nKGJ1
    > 
ZiwgbGVuLCAiJEhUVFBfSE9TVCIsIHN0cik7CisJCQlmcmVlKHN0cik7CisJCX0KKwkJaWYgKHJl
    > 
dCAhPSAwKQorCQkJcmV0dXJuIChOVUxMKTsKKwl9CiAJaWYgKHN0cnN0cih2YWwsICIkUkVNT1RF
    > 
XyIpICE9IE5VTEwpIHsKIAkJaWYgKHN0cnN0cih2YWwsICIkUkVNT1RFX0FERFIiKSAhPSBOVUxM
    > 
KSB7CiAJCQlpZiAocHJpbnRfaG9zdCgmY2x0LT5jbHRfc3MsCkluZGV4OiB1c3Iuc2Jpbi9odHRw
    > 
ZC9odHRwZC5jb25mLjUKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09
    > 
PT09PT09PT09PT09PT09PT09PT09PT09PQpSQ1MgZmlsZTogL2N2cy9zcmMvdXNyLnNiaW4vaHR0
    > 
cGQvaHR0cGQuY29uZi41LHYKcmV0cmlldmluZyByZXZpc2lvbiAxLjc5CmRpZmYgLXUgLXAgLXIx
    > 
Ljc5IGh0dHBkLmNvbmYuNQotLS0gdXNyLnNiaW4vaHR0cGQvaHR0cGQuY29uZi41CTcgRmViIDIw
    > 
MTcgMTI6Mjc6NDIgLTAwMDAJMS43OQorKysgdXNyLnNiaW4vaHR0cGQvaHR0cGQuY29uZi41CTEx
    > 
IE1hciAyMDE3IDE3OjUxOjIzIC0wMDAwCkBAIC0yMjEsNiArMjIxLDggQEAgVGhlIGNvbmZpZ3Vy
    > 
ZWQgSVAgYWRkcmVzcyBvZiB0aGUgc2VydmVyLgogVGhlIGNvbmZpZ3VyZWQgVENQIHNlcnZlciBw
    > 
b3J0IG9mIHRoZSBzZXJ2ZXIuCiAuSXQgSWMgJFNFUlZFUl9OQU1FCiBUaGUgbmFtZSBvZiB0aGUg
    > 
c2VydmVyLgorLkl0IEljICRIVFRQX0hPU1QKK1RoZSBob3N0IGZyb20gdGhlIEhUVFAgSG9zdCBo
    > ZWFkZXIuCiAuSXQgUGYgJSBBciBuCiBUaGUgY2FwdHVyZSBpbmRleAogLkFyIG4K
    > ====
    > 
    
    -- 
    I'm not entirely sure you are real.

Reply via email to