CKB:The internal IP address is revealed in HTTP1.0

Version vom 30. Dezember 2022, 14:00 Uhr von Frorathm (Diskussion | Beiträge)

Applies to

All versions of Cryptshare Server

Symptom

When a page is requested from a Cryptshare Server over HTTP/1.0, the response reveals the internal IP address of the server:

nc my.cryptshare.server 80

GET / HTTP/1.0

HTTP/1.1 302 Found
Date: Fri, 12 Jun 2015 07:43:06 GMT
X-Frame-Options: SAMEORIGIN
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store
Location: http://10.0.1.1/Start
Content-Length: 0

Cause

HTTP/1.0 does not support the Host header, so the Jetty server falls back to the server's own IP address when building the redirect target (see the Location header above).


Solution

In each Jetty configuration file (User Interface and Administration Interface), an additional customizer must be added to both HTTP configurations (http and https).

  1. Open the Jetty XML configuration file in which the change shall be made:
    1. User Interface: 'resources/WEB-INF/ui-config.xml'
    2. Administration Interface: 'resources/WEB-INF/ai-config.xml'
  2. Introduce a 'New' tag for a HostHeaderCustomizer.
  3. Add a 'Call' tag for the new customizer in the httpConfig section.
  4. Add a 'Call' tag for the new customizer in the tlsHttpConfig section.
  5. Save the changes.
  6. Restart the Cryptshare Server.
Please edit your configuration files accordingly; the excerpt below shows the resulting structure.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "resources/WEB-INF/configure.dtd">
<!-- Excerpt of a Jetty server configuration; "[...]" marks existing content that stays unchanged. -->
<Configure id="Cryptshare" class="org.eclipse.jetty.server.Server">
	<!-- Customizer that supplies a Host header for requests that carry none (HTTP/1.0), so redirects
	     are built from this name instead of the server IP address. It does not alter a Host header a client
	     already sends. Replace myServerName with the public host name of this server. -->
	<New class="org.eclipse.jetty.server.HostHeaderCustomizer" id="hostHeaderCustomizer">
        <Arg>myServerName</Arg>
    </New>
    [...]
     <!-- Plain HTTP configuration: attach the customizer (step 3 of the solution). -->
     <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
        [...]
        <Call name="addCustomizer">
            <Arg>
                <Ref refid="hostHeaderCustomizer" />
            </Arg>
        </Call>
     </New>
     <!-- HTTPS configuration: attach the same customizer (step 4 of the solution). -->
     <New id="tlsHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
        [...]
        <Call name="addCustomizer">
            <Arg>
                <Ref refid="hostHeaderCustomizer" />
            </Arg>
        </Call>
     </New>
     [...]
</Configure>
Example config-files
These are example configuration files; check whether they fit your environment (passwords, cipher suites, ports, names, ...) before using them. In particular, the keystore and truststore passwords shown are example values. Please remember to change YourServerName to the name of your server.
ai-config.xml with deactivated HTTP1.0

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "resources/WEB-INF/configure.dtd">
<!-- Example Administration Interface configuration (ai-config.xml). Review every value
     (passwords, cipher suites, ports, host names) before deploying it. -->
<Configure id="Cryptshare" class="org.eclipse.jetty.server.Server">
<!-- Supplies a Host header for requests that lack one (HTTP/1.0), so redirects use this name
     rather than the server IP address. Replace YourServerName with the public host name of this server. -->
<New class="org.eclipse.jetty.server.HostHeaderCustomizer" id="hostHeaderCustomizer">
<Arg>YourServerName</Arg>
</New>
<!-- TLS context used by the HTTPS connector below. -->
<New id="sslContextFactory" class="com.befinesolutions.cryptshare.server.CSSSLContextFactory">
<Set name="KeyStorePath">lib/security/keystore</Set>
<!-- Example keystore passwords: replace them with values specific to this installation. -->
<Set name="KeyStorePassword">CA0AZhuFM4NogQh</Set>
<Set name="KeyManagerPassword">CA0AZhuFM4NogQh</Set>
<Set name="TrustStorePath">
<SystemProperty name="java.home" default="."/>/lib/security/cacerts
</Set>
<!-- "changeit" is the JDK default truststore password; adjust if the truststore was re-keyed. -->
<Set name="TrustStorePassword">changeit</Set>
<Set name="protocol">TLSv1.2</Set>
<Set name="renegotiationAllowed">false</Set>
<!-- Only TLS 1.2 is enabled; the include list is authoritative, so newer versions (e.g. TLS 1.3)
     are not offered unless added here. The exclude list additionally blocks SSLv3/TLS 1.0/TLS 1.1. -->
<Set name="includeProtocols">
<Array type="java.lang.String">
<Item>TLSv1.2</Item>
</Array>
</Set>
<Set name="excludeProtocols">
<Array type="java.lang.String">
<Item>SSLv3</Item>
<Item>SSLv2Hello</Item>
<Item>TLSv1</Item>
<Item>TLSv1.1</Item>
</Array>
</Set>
<!-- Cipher suite entries are regular expressions: only ECDHE suites are included, and
     NULL/RC4/MD5/DES/DSS, static RSA and the CBC-SHA ECDHE suites are excluded. -->
<Set name="includeCipherSuites">
<Array type="java.lang.String">
<Item>TLS_ECDHE.*</Item>
</Array>
</Set>
<Set name="excludeCipherSuites">
<Array type="java.lang.String">
<Item>.*NULL.*</Item>
<Item>.*RC4.*</Item>
<Item>.*MD5.*</Item>
<Item>.*DES.*</Item>
<Item>.*DSS.*</Item>
<Item>TLS_RSA.*</Item>
<Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
</Array>
</Set>
</New>
<!-- HTTP configuration for the plain connector; tlsHttpConfig below is built from it. -->
<New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
<Set name="secureScheme">https</Set>
<Set name="securePort">
<SystemProperty name="cryptshare.ai.https.port" default="8080"/>
</Set>
<Set name="outputBufferSize">32768</Set>
<Set name="requestHeaderSize">8192</Set>
<Set name="responseHeaderSize">8192</Set>
<!-- true sends the Server header (including the Jetty version) in every response;
     set the property to false if version disclosure is a concern. -->
<Set name="sendServerVersion">
<Property name="jetty.send.server.version" default="true"/>
</Set>
<!-- Attach the Host header customizer (step 3 of the solution). -->
<Call name="addCustomizer">
<Arg>
<Ref refid="hostHeaderCustomizer" />
</Arg>
</Call>
</New>
<!-- HTTPS configuration: copies httpConfig, marks requests received over TLS as secure,
     and also attaches the Host header customizer (step 4 of the solution). -->
<New id="tlsHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
<Arg>
<Ref refid="httpConfig"/>
</Arg>
<Call name="addCustomizer">
<Arg>
<New class="org.eclipse.jetty.server.SecureRequestCustomizer"/>
</Arg>
</Call>
<Call name="addCustomizer">
<Arg>
<Ref refid="hostHeaderCustomizer" />
</Arg>
</Call>
</New>
<!-- Plain HTTP connector for the Administration Interface (default port 9090). -->
<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ServerConnector">
<Arg name="server">
<Ref refid="Cryptshare"/>
</Arg>
<Arg name="factories">
<Array type="org.eclipse.jetty.server.ConnectionFactory">
<Item>
<New class="org.eclipse.jetty.server.HttpConnectionFactory">
<Arg name="config">
<Ref refid="httpConfig"/>
</Arg>
</New>
</Item>
</Array>
</Arg>
<!-- jetty.host unset: bind to all interfaces. -->
<Set name="host">
<Property name="jetty.host"/>
</Set>
<Set name="port">
<SystemProperty name="cryptshare.ai.http.port" default="9090"/>
</Set>
<!-- Idle timeout in milliseconds. -->
<Set name="idleTimeout">
<Property name="http.timeout" default="10000"/>
</Set>
<!-- -1: SO_LINGER disabled. -->
<Set name="soLingerTime">
<Property name="http.soLingerTime" default="-1"/>
</Set>
</New>
</Arg>
</Call>
<!-- HTTPS connector (default port 8080 here): SslConnectionFactory first, then HTTP/1.1 over
     it using tlsHttpConfig. -->
<Call id="sslConnector" name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ServerConnector">
<Arg name="server">
<Ref refid="Cryptshare"/>
</Arg>
<Arg name="factories">
<Array type="org.eclipse.jetty.server.ConnectionFactory">
<Item>
<New class="org.eclipse.jetty.server.SslConnectionFactory">
<Arg name="next">http/1.1</Arg>
<Arg name="sslContextFactory">
<Ref refid="sslContextFactory"/>
</Arg>
</New>
</Item>
<Item>
<New class="org.eclipse.jetty.server.HttpConnectionFactory">
<Arg name="config">
<Ref refid="tlsHttpConfig"/>
</Arg>
</New>
</Item>
</Array>
</Arg>
<Set name="host">
<Property name="jetty.host"/>
</Set>
<Set name="port">
<SystemProperty name="cryptshare.ai.https.port" default="8080"/>
</Set>
<Set name="idleTimeout">
<Property name="http.timeout" default="10000"/>
</Set>
<Set name="soLingerTime">
<Property name="http.soLingerTime" default="-1"/>
</Set>
</New>
</Arg>
</Call>
</Configure>
ui-config.xml with deactivated HTTP1.0

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "resources/WEB-INF/configure.dtd">
<!-- Example User Interface configuration (ui-config.xml). Review every value
     (passwords, cipher suites, ports, host names) before deploying it. -->
<Configure id="Cryptshare" class="org.eclipse.jetty.server.Server">
<!-- Supplies a Host header for requests that lack one (HTTP/1.0), so redirects use this name
     rather than the server IP address. Replace YourServerName with the public host name of this server. -->
<New class="org.eclipse.jetty.server.HostHeaderCustomizer" id="hostHeaderCustomizer">
<Arg>YourServerName</Arg>
</New>
<!-- Constructor argument for the Server: a bounded thread pool (5 to 25 threads, queue of 200). -->
<Arg name="threadpool">
<New class="org.eclipse.jetty.util.thread.QueuedThreadPool">
<Arg name="minThreads" type="int">5</Arg>
<Arg name="maxThreads" type="int">25</Arg>
<Arg name="idleTimeout" type="int">1000</Arg>
<Arg name="queue">
<New class="java.util.concurrent.ArrayBlockingQueue">
<Arg type="int">200</Arg>
</New>
</Arg>
</New>
</Arg>
<!-- TLS context used by the HTTPS connector below. -->
<New id="sslContextFactory" class="com.befinesolutions.cryptshare.server.CSSSLContextFactory">
<Set name="KeyStorePath">lib/security/keystore</Set>
<!-- Example keystore passwords: replace them with values specific to this installation. -->
<Set name="KeyStorePassword">CA0AZhuFM4NogQh</Set>
<Set name="KeyManagerPassword">CA0AZhuFM4NogQh</Set>
<Set name="TrustStorePath">
<SystemProperty name="java.home" default="."/>/lib/security/cacerts
</Set>
<!-- "changeit" is the JDK default truststore password; adjust if the truststore was re-keyed. -->
<Set name="TrustStorePassword">changeit</Set>
<Set name="protocol">TLSv1.2</Set>
<Set name="renegotiationAllowed">false</Set>
<!-- Only TLS 1.2 is enabled; the include list is authoritative, so newer versions (e.g. TLS 1.3)
     are not offered unless added here. The exclude list additionally blocks SSLv3/TLS 1.0/TLS 1.1. -->
<Set name="includeProtocols">
<Array type="java.lang.String">
<Item>TLSv1.2</Item>
</Array>
</Set>
<Set name="excludeProtocols">
<Array type="java.lang.String">
<Item>SSLv3</Item>
<Item>SSLv2Hello</Item>
<Item>TLSv1</Item>
<Item>TLSv1.1</Item>
</Array>
</Set>
<!-- Cipher suite entries are regular expressions: only ECDHE suites are included, and
     NULL/RC4/MD5/DES/DSS, static RSA and the CBC-SHA ECDHE suites are excluded. -->
<Set name="includeCipherSuites">
<Array type="java.lang.String">
<Item>TLS_ECDHE.*</Item>
</Array>
</Set>
<Set name="excludeCipherSuites">
<Array type="java.lang.String">
<Item>.*NULL.*</Item>
<Item>.*RC4.*</Item>
<Item>.*MD5.*</Item>
<Item>.*DES.*</Item>
<Item>.*DSS.*</Item>
<Item>TLS_RSA.*</Item>
<Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
</Array>
</Set>
</New>
<!-- HTTP configuration for the plain connector; tlsHttpConfig below is built from it. -->
<New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
<Set name="secureScheme">https</Set>
<Set name="securePort">
<SystemProperty name="cryptshare.ui.https.port" default="443"/>
</Set>
<Set name="outputBufferSize">32768</Set>
<Set name="requestHeaderSize">8192</Set>
<Set name="responseHeaderSize">8192</Set>
<!-- true sends the Server header (including the Jetty version) in every response;
     set the property to false if version disclosure is a concern. -->
<Set name="sendServerVersion">
<Property name="jetty.send.server.version" default="true"/>
</Set>
<!-- Attach the Host header customizer (step 3 of the solution). -->
<Call name="addCustomizer">
<Arg>
<Ref refid="hostHeaderCustomizer" />
</Arg>
</Call>
</New>
<!-- HTTPS configuration: copies httpConfig, marks requests received over TLS as secure,
     and also attaches the Host header customizer (step 4 of the solution). -->
<New id="tlsHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
<Arg>
<Ref refid="httpConfig"/>
</Arg>
<Call name="addCustomizer">
<Arg>
<New class="org.eclipse.jetty.server.SecureRequestCustomizer"/>
</Arg>
</Call>
<Call name="addCustomizer">
<Arg>
<Ref refid="hostHeaderCustomizer" />
</Arg>
</Call>
</New>
<!-- Plain HTTP connector for the User Interface (default port 80). -->
<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ServerConnector">
<Arg name="server">
<Ref refid="Cryptshare"/>
</Arg>
<Arg name="factories">
<Array type="org.eclipse.jetty.server.ConnectionFactory">
<Item>
<New class="org.eclipse.jetty.server.HttpConnectionFactory">
<Arg name="config">
<Ref refid="httpConfig"/>
</Arg>
</New>
</Item>
</Array>
</Arg>
<!-- jetty.host unset: bind to all interfaces. -->
<Set name="host">
<Property name="jetty.host"/>
</Set>
<Set name="port">
<SystemProperty name="cryptshare.ui.http.port" default="80"/>
</Set>
<!-- Idle timeout in milliseconds. -->
<Set name="idleTimeout">
<Property name="http.timeout" default="15000"/>
</Set>
<!-- -1: SO_LINGER disabled. -->
<Set name="soLingerTime">
<Property name="http.soLingerTime" default="-1"/>
</Set>
</New>
</Arg>
</Call>
<!-- HTTPS connector (default port 443): SslConnectionFactory first, then HTTP/1.1 over
     it using tlsHttpConfig. -->
<Call id="sslConnector" name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ServerConnector">
<Arg name="server">
<Ref refid="Cryptshare"/>
</Arg>
<Arg name="factories">
<Array type="org.eclipse.jetty.server.ConnectionFactory">
<Item>
<New class="org.eclipse.jetty.server.SslConnectionFactory">
<Arg name="next">http/1.1</Arg>
<Arg name="sslContextFactory">
<Ref refid="sslContextFactory"/>
</Arg>
</New>
</Item>
<Item>
<New class="org.eclipse.jetty.server.HttpConnectionFactory">
<Arg name="config">
<Ref refid="tlsHttpConfig"/>
</Arg>
</New>
</Item>
</Array>
</Arg>
<Set name="host">
<Property name="jetty.host"/>
</Set>
<Set name="port">
<SystemProperty name="cryptshare.ui.https.port" default="443"/>
</Set>
<Set name="idleTimeout">
<Property name="http.timeout" default="15000"/>
</Set>
<Set name="soLingerTime">
<Property name="http.soLingerTime" default="-1"/>
</Set>
</New>
</Arg>
</Call>
</Configure>