Closed Bug 992979 Opened 11 years ago Closed 11 years ago

Requests to air.mozilla.org with invalid HTTP_HOST header

Categories

(Infrastructure & Operations :: IT-Managed Tools, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: peterbe, Assigned: cturra)

Details

(Whiteboard: [change - configuration])

If you do::

    $ curl -I https://air.mozilla.org./

You get a 500 error in django. That's because Apache forwards the request to the mod_wsgi (django) with HTTP_HOST header being 'air.mozilla.org.'

The django is only set up to allow 'air.mozilla.org' as an allowed host header. Anything outside that causes a `SuspiciousOperation` error in django.

Either a rogue bot or a badly formed hyperlink but I've received over 100 errors like this over the weekend. Is there anything we can do in Apache to reject/redirect these?

i have added the following rewrite rule to air-dev that should address this. can you please give it a review to ensure it's functioning as you expect?

+ RewriteEngine On
+ RewriteCond %{HTTP_HOST} air-dev.allizom.org\.$
+ RewriteRule ^/(.*)$ https://air-dev.allizom.org/$1 [L,R=301]

$ curl -IkL https://air-dev.allizom.org./auto-popcorn-test/
HTTP/1.1 301 Moved Permanently
Server: Apache
X-Backend-Server: generic1.dev.webapp.phx1.mozilla.com
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Date: Mon, 07 Apr 2014 18:23:38 GMT
Location: https://air-dev.allizom.org/auto-popcorn-test/
Transfer-Encoding: chunked
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: Apache
Vary: X-Mobile,User-Agent,Cookie
Vary: Accept-Encoding
X-Backend-Server: generic1.dev.webapp.phx1.mozilla.com
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Date: Mon, 07 Apr 2014 18:23:38 GMT
Transfer-Encoding: chunked
Connection: Keep-Alive
Set-Cookie: anoncsrf=64d6lpgai3dn7pRmld0qxHL2QvLjs60P; expires=Mon, 07-Apr-2014 20:23:41 GMT; httponly; Max-Age=7200; Path=/; secure
X-Frame-Options: DENY

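Review bot: the RewriteCond pattern `air-dev.allizom.org\.$` is anchored only at the end, and only its final dot is escaped, so it fires for any Host value that ends in something shaped like the name plus a dot, while missing the forms a client can still send: a port after the trailing dot (`air-dev.allizom.org.:443`) and mixed case, since there is no `[NC]` flag. Those requests would still reach Django with a host outside its allowed list. Consider `RewriteCond %{HTTP_HOST} ^air-dev\.allizom\.org\.(:[0-9]+)?$ [NC]`, and a short comment above the rule saying why the trailing-dot form is redirected.
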
Assignee: server-ops-webops → cturra
Flags: needinfo?(peterbe)
OS: Mac OS X → All
Hardware: x86 → All
r+
Flags: needinfo?(peterbe)
thnx. i have pushed this change to stage and prod also.

$ curl -IkL https://air.mozilla.org./webmaker-demos-april-4/
HTTP/1.1 301 Moved Permanently
Server: Apache
X-Backend-Server: generic4.webapp.phx1.mozilla.com
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Date: Mon, 07 Apr 2014 22:21:25 GMT
Location: https://air.mozilla.org/webmaker-demos-april-4/
Transfer-Encoding: chunked
Connection: Keep-Alive
X-Cache-Info: caching

HTTP/1.1 200 OK
Server: Apache
Vary: X-Mobile,User-Agent,Cookie, Accept-Encoding
X-Backend-Server: generic5.webapp.phx1.mozilla.com
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Date: Mon, 07 Apr 2014 22:21:26 GMT
Transfer-Encoding: chunked
Connection: Keep-Alive
Set-Cookie: anoncsrf=gZk6qatSKunX7qDXJ1uC7qBV6q1X9KQf; expires=Tue, 08-Apr-2014 00:21:26 GMT; httponly; Max-Age=7200; Path=/; secure
X-Frame-Options: DENY
X-Cache-Info: caching

Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: [change - configuration]
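
An added example, not code from this bug or from Mozilla's configuration: it runs the RewriteCond pattern posted above against a few constructed Host header values and compares the result with a normalising check that goes beyond the trailing-dot case in the thread by also handling a port and letter case. The function names, the sample values and the one-name allow-list for air-dev are assumptions.

```python
import re

# Assumption: air-dev's allow-list holds one name, mirroring the production
# setup described in the report ('air.mozilla.org' only).
ALLOWED_HOSTS = {"air-dev.allizom.org"}

# RewriteCond pattern exactly as posted in the thread. Python's re stands in
# for Apache's PCRE here; for this pattern the two behave the same.
PAGE_RULE = re.compile(r"air-dev.allizom.org\.$")

# name, optional single trailing dot, optional :port
_HOST = re.compile(r"^(?P<name>[a-z0-9.-]+?)(?P<dot>\.?)(?::(?P<port>[0-9]{1,5}))?$")


def page_rule_redirects(host_header):
    """True when the posted RewriteCond would fire for this Host value."""
    return PAGE_RULE.search(host_header) is not None


def classify(host_header):
    """Return 'serve', 'redirect' or 'reject' for a raw Host header value."""
    m = _HOST.match(host_header.strip().lower())
    if m is None or m.group("name") not in ALLOWED_HOSTS:
        return "reject"      # unknown name: never reaches the application
    if m.group("dot"):
        return "redirect"    # absolute FQDN form: 301 to the canonical name
    return "serve"


# Constructed sample Host values (not taken from the bug's logs).
SAMPLES = [
    "air-dev.allizom.org",
    "air-dev.allizom.org.",
    "air-dev.allizom.org.:443",
    "AIR-DEV.ALLIZOM.ORG.",
    "air-dev.allizom.org..",
    "other.example.",
]


def compare(samples=SAMPLES):
    """Pair each sample with (rule fires?, normalised decision)."""
    return [(h, page_rule_redirects(h), classify(h)) for h in samples]


if __name__ == "__main__":
    for host, fires, decision in compare():
        print(f"{host!r:32} rule_fires={fires!s:5} decision={decision}")
```

Rows where the rule does not fire but the decision is "redirect" are Host values that would still be passed through to the application unchanged.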