Hi Mark,

In the example above...the port remains the same (8143). How is it different?

________________________________
From: Mark Thomas <ma...@apache.org>
Sent: Friday, May 5, 2023 4:56 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: [EXTERNAL] Re: Question in regards to the Connector allowHostHeaderMismatch when it is set to "false"

5 May 2023 18:21:02 Alvaro Garay <alvaro.ga...@ibm.com.INVALID>:

> Hi,
>
> Tomcat version: 9.0.73
> Operating system: Unix z/OS System
>
> I have a question in regard to the Connector attribute
> allowHostHeaderMismatch=false which checks the request line is
> consistent with the Host Header.
>
> So in this scenario, I have the request line using the absolute path
> with a conflicting host header. The response is 400 Bad Request from
> Tomcat, which makes sense.
>
> telnet myhostname.company.com 8143
> GET http://myhostname.company.com/api/v1/endpoint HTTP/1.1
> Host: facebook.com
>
> If I define a valid host header now, then the request is a success. So
> all is good.
>
> telnet myhostname.company.com 8143
> GET http://myhostname.company.com/api/v1/endpoint HTTP/1.1
> Host: myhostname.company.com
>
> telnet 1.1.1.1 8143
> GET http://1.1.1.1/api/v1/endpoint HTTP/1.1
> Host: 1.1.1.1
>
> However, as soon as I define a port number in the host header with
> syntax <hostname>:<port> then I get 400 Bad Request from Tomcat.
>
> telnet myhostname.company.com 8143
> GET http://myhostname.company.com/api/v1/endpoint HTTP/1.1
> Host: myhostname.company.com:8143
>
> HTTP/1.1 400
> Content-Type: text/html;charset=utf-8
> Content-Language: en
> Content-Length: 762
> Date: Fri, 05 May 2023 15:27:09 GMT
> Connection: close
>
> <!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad
> Request</title><style type="text/css">body
> {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
> {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
> Status 400 – Bad Request</h1><hr class="line" /><p><b>Type</b>
> Status Report</p><p><b>Description</b> The server cannot or will not
> process the request due to something that is perceived to be a client
> error (e.g., malformed request syntax, invalid request message framing,
> or deceptive request routing).</p><hr class="line" /><h3>Apache
> Tomcat/9.0.73</h3></body></html>
>
> This request should be allowed right?

No. Different port means a different host so Tomcat correctly rejects the request.

Mark
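
An added illustration, not part of the thread and not Tomcat's code: a simplified Python model of the request-line/Host consistency check, run over the requests quoted above. It assumes that a request target or Host header with no explicit port means the scheme's default port (80 for `http`), so the target `http://myhostname.company.com/...` names port 80 while `Host: myhostname.company.com:8143` names port 8143; all function names are hypothetical.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}  # scheme defaults (assumption of this model)


def target_authority(target):
    """(scheme, host, port) named by an absolute-form request target."""
    parts = urlsplit(target)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not an absolute-form http(s) target")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port


def host_authority(host_header, scheme):
    """(host, port) named by a Host header value such as 'name' or 'name:8143'."""
    parts = urlsplit("//" + host_header.strip())
    if not parts.hostname or parts.path or parts.query or parts.fragment or parts.username:
        raise ValueError("malformed Host header")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return parts.hostname, port


def check_request(request_line, host_header):
    """Status this model returns when a mismatch is not allowed: 200 or 400."""
    try:
        _method, target, _version = request_line.split()
        if "://" not in target:
            return 200  # origin-form target ("/path"): no authority to compare
        scheme, host, port = target_authority(target)
        return 200 if (host, port) == host_authority(host_header, scheme) else 400
    except ValueError:  # unparsable request line, target, Host value or port
        return 400


# The first four cases are the requests from the thread; the last is constructed.
NO_PORT = "GET http://myhostname.company.com/api/v1/endpoint HTTP/1.1"
CASES = [
    (NO_PORT, "facebook.com"),
    (NO_PORT, "myhostname.company.com"),
    ("GET http://1.1.1.1/api/v1/endpoint HTTP/1.1", "1.1.1.1"),
    (NO_PORT, "myhostname.company.com:8143"),
    ("GET http://myhostname.company.com:8143/api/v1/endpoint HTTP/1.1",
     "myhostname.company.com:8143"),
]


def run_cases():
    return [check_request(line, host) for line, host in CASES]
```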