是否有任何替代方案可以以编程方式覆盖“主机”header
[英]Are there any alternatives to overriding the 'host' header programatically
问题描述
I have two services I'm running locally on docker images.
我在 docker 图像上本地运行了两个服务。 One of them is an nginx server with configuration to proxy requests to various other services, and the other is a simple React GraphiQL UI.其中一个是 nginx 服务器,其配置为将请求代理到各种其他服务,另一个是简单的 React GraphiQL UI。
The nginx server is not explicitly set up to run on localhost, but when making requests with curl/postman I can explicitly set the host header to be that of the actual url (rather than localhost ) and it will then find the correct config and the request will succeed. The nginx server is not explicitly set up to run on localhost, but when making requests with curl/postman I can explicitly set the host header to be that of the actual url (rather than localhost ) and it will then find the correct config and the请求会成功。
The issue is that I would like to call the server from a local instance of my UI, but it's failing because I can't overwrite the host header.问题是我想从我的 UI 的本地实例调用服务器,但它失败了,因为我无法覆盖host header。 I've tried to manually add it to my react fetch request but when I check the request in the browser the header isn't there.我尝试将其手动添加到我的反应fetch请求中,但是当我在浏览器中检查请求时,header 不存在。 After some searching I then found some slack posts saying it's not possible, although no references to why.经过一番搜索,我发现一些松弛的帖子说这是不可能的,尽管没有提到原因。
return fetch(
edgeUrl(environment) + "/some/endpoint",
{
method: "POST",
headers: {
'Authorization': 'Bearer ' + getApiKey(partner, environment),
'host': 'actual.host.com',
'origin': 'http://localhost/'
},
body: JSON.stringify({ query })
}
)
Is there any other way to override the host used in requests?有没有其他方法可以覆盖请求中使用的主机? Possibly another http library I could use?可能我可以使用另一个 http 库? I'd prefer not to have to configure the nginx server for localhost as it is owned by another team.我不想为 localhost 配置 nginx 服务器,因为它由另一个团队拥有。
2 个解决方案
解决方案1
0 2021-04-20 09:36:42
You should not try change the host header.您不应该尝试更改主机 header。 The browser won't allow you to, and it's not the right way to do it.浏览器不允许您这样做,这不是正确的方法。
As I see it, you have 2 options:在我看来,您有两个选择:
Configure NGINX to accept requests to localhost, if that is its' actually hostname.
配置 NGINX 以接受对 localhost 的请求,如果那是它的实际主机名。Change the hosts file, to include your domain to point to 127.0.0.1, which is equivalent to adding it to DNS.
更改 hosts 文件,以包含指向 127.0.0.1 的域,这相当于将其添加到 DNS。
The Windows Hosts file is located here: C:\Windows\System32\drivers\etc\hosts . Windows 主机文件位于此处: C:\Windows\System32\drivers\etc\hosts 。
You should add the following to your hosts file after the comments # .您应该在注释#之后将以下内容添加到您的主机文件中。
actual.host.com 127.0.0.1
解决方案2
0 已采纳 2021-04-20 13:20:21
For anyone interested here's some information on possible attacks using the host header and why it's useful to validate it, which is what this service is doing.对于任何感兴趣的人,这里有一些关于使用主机 header 的可能攻击的信息,以及为什么验证它很有用,这就是该服务正在做的事情。
https://portswigger.net/web-security/host-header https://portswigger.net/web-security/host-header
https://infosecwriteups.com/identifying-escalating-http-host-header-injection-attacks-7586d0ff2c67 https://infosecwriteups.com/identifying-escalating-http-host-header-injection-attacks-7586d0ff2c67
I'm going to ask the other team if I can add localhost configuration to their nginx config so that I can make requests locally, looks like my coworker was misinformed in suggesting I override the host header.我将询问其他团队是否可以将 localhost 配置添加到他们的 nginx 配置中,以便我可以在本地发出请求,看起来我的同事在建议我覆盖主机 header 时被误导了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.