Closed
Bug 992979
Opened 11 years ago
Closed 11 years ago
Requests to air.mozilla.org with invalid HTTP_HOST header
Categories
(Infrastructure & Operations :: IT-Managed Tools, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: peterbe, Assigned: cturra)
Details
(Whiteboard: [change - configuration])
If you do::
$ curl -I https://air.mozilla.org./
You get a 500 error in django. That's because Apache forwards the request to the mod_wsgi (django) with HTTP_HOST header being 'air.mozilla.org.'
The django is only set up to allow 'air.mozilla.org' as an allowed host header. Anything outside that causes a `SuspiciousOperation` error in django.
It's either a rogue bot or a badly formed hyperlink, but I've received over 100 errors like this over the weekend. Is there anything we can do in Apache to reject/redirect these?
Comment 1 • 11 years ago (Assignee)
i have added the following rewrite rule to air-dev that should address this. can you please give it a review to ensure it's functioning as you expect?
+ RewriteEngine On
+ RewriteCond %{HTTP_HOST} air-dev.allizom.org\.$
+ RewriteRule ^/(.*)$ https://air-dev.allizom.org/$1 [L,R=301]
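Review bot: The RewriteCond pattern `air-dev.allizom.org\.$` has no `^` anchor and leaves its inner dots unescaped, so it matches any Host value that merely ends in that string, not only the one host this rule is meant for. It also misses two trailing-dot variants: a Host with a port after the dot, because `$` must follow the dot directly, and a Host in a different case, because there is no `[NC]` flag. Suggest `RewriteCond %{HTTP_HOST} ^air-dev\.allizom\.org\.(:[0-9]+)?$ [NC]`.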
$ curl -IkL https://air-dev.allizom.org./auto-popcorn-test/
HTTP/1.1 301 Moved Permanently
Server: Apache
X-Backend-Server: generic1.dev.webapp.phx1.mozilla.com
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Date: Mon, 07 Apr 2014 18:23:38 GMT
Location: https://air-dev.allizom.org/auto-popcorn-test/
Transfer-Encoding: chunked
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: Apache
Vary: X-Mobile,User-Agent,Cookie
Vary: Accept-Encoding
X-Backend-Server: generic1.dev.webapp.phx1.mozilla.com
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Date: Mon, 07 Apr 2014 18:23:38 GMT
Transfer-Encoding: chunked
Connection: Keep-Alive
Set-Cookie: anoncsrf=64d6lpgai3dn7pRmld0qxHL2QvLjs60P; expires=Mon, 07-Apr-2014 20:23:41 GMT; httponly; Max-Age=7200; Path=/; secure
X-Frame-Options: DENY
Assignee: server-ops-webops → cturra
Flags: needinfo?(peterbe)
OS: Mac OS X → All
Hardware: x86 → All
Comment 3 • 11 years ago (Assignee)
thnx. i have pushed this change to stage and prod also.
$ curl -IkL https://air.mozilla.org./webmaker-demos-april-4/
HTTP/1.1 301 Moved Permanently
Server: Apache
X-Backend-Server: generic4.webapp.phx1.mozilla.com
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Date: Mon, 07 Apr 2014 22:21:25 GMT
Location: https://air.mozilla.org/webmaker-demos-april-4/
Transfer-Encoding: chunked
Connection: Keep-Alive
X-Cache-Info: caching

HTTP/1.1 200 OK
Server: Apache
Vary: X-Mobile,User-Agent,Cookie, Accept-Encoding
X-Backend-Server: generic5.webapp.phx1.mozilla.com
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Date: Mon, 07 Apr 2014 22:21:26 GMT
Transfer-Encoding: chunked
Connection: Keep-Alive
Set-Cookie: anoncsrf=gZk6qatSKunX7qDXJ1uC7qBV6q1X9KQf; expires=Tue, 08-Apr-2014 00:21:26 GMT; httponly; Max-Age=7200; Path=/; secure
X-Frame-Options: DENY
X-Cache-Info: caching
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
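The trailing-dot case from this bug as a small host classifier. This is an added example, not code from air.mozilla.org, Django or the Apache configuration above. The allowed host comes from the description; `strict_check`, `classify` and `HOST_RE` are hypothetical names, and the sample Host values are constructed.

```python
import re

# Exact host names the application accepts (value taken from the bug report).
ALLOWED_HOSTS = {"air.mozilla.org"}

# name[.][:port], anchored at both ends; "dot" captures one trailing dot.
HOST_RE = re.compile(
    r"^(?P<name>[a-z0-9-]{1,63}(?:\.[a-z0-9-]{1,63})*)"
    r"(?P<dot>\.?)(?::(?P<port>[0-9]{1,5}))?$"
)


def strict_check(host_header):
    """Exact string match only: the check that fails for 'air.mozilla.org.'."""
    return host_header in ALLOWED_HOSTS


def classify(host_header, path="/"):
    """Front-end decision: ("serve", None), ("redirect", url) or ("reject", None)."""
    # Host names are case-insensitive, so compare in lower case.
    m = HOST_RE.match(host_header.strip().lower())
    if m is None or m.group("name") not in ALLOWED_HOSTS:
        return ("reject", None)  # malformed or unknown host is never forwarded
    if m.group("dot"):
        # Fully qualified form of a known host: send the client to the canonical
        # name, as the 301 responses in this bug do.
        return ("redirect", "https://" + m.group("name") + path)
    return ("serve", None)


if __name__ == "__main__":
    # Constructed sample Host header values.
    for host in ["air.mozilla.org", "air.mozilla.org.", "AIR.MOZILLA.ORG.:443",
                 "xair.mozilla.org.", "air.mozilla.org..", ""]:
        print(repr(host), strict_check(host), classify(host, "/"))
```

Because the pattern is anchored at both ends and the name is then looked up in the allowlist, a host that only ends in the allowed name is rejected instead of redirected.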