We applied patch 6.7.0.576 over 6.7.0.81 and after the patch we are not able to connect to the NAC via HAProxy. We get HTTP error 503 Service Unavailable.
Our HAProxy configuration is:
backend cara-out-8443
mode http
option httpchk GET /datamanagement/availability
http-check expect status 200
cookie JSESSIONID prefix nocache
default-server check check-ssl ssl verify none
server app1 NAC-SERVER_HOSTNAME:NAC-PORT cookie app1
Release: 6.7.0.576
From CARA version 6.7.3 onwards an additional security feature is enabled: requests whose Host header names a host or IP that is not listed under the allowed hosts are denied. This configuration does not address a specific vulnerability; it adds a layer of defence against data injection, malicious access and XSS (for example where an attacker-supplied Host value is reflected into generated links or pages). It is controlled by the following settings in RA:
Setting | Description
http.request.header.enableHostHeaderFilter=true | Controls whether filtering of the "Host" header value of HTTP requests is enabled. The filter is enabled by default.
http.request.header.allowedHosts= | Adds exceptions: "Host" header values that the filter should permit in addition to its defaults. Empty by default, in which case the filter allows only its default values. The format is a comma-separated list of hostnames or IP addresses, for example "http.request.header.allowedHosts=localhost, 127.0.0.1".
Please refer to the Tech Doc Security Configuration for more details.
The HTTP 503 is produced by HAProxy, not by CARA. With the configuration above, the legacy "option httpchk GET /datamanagement/availability" form sends the availability check as an HTTP/1.0 request with no Host header. The Host header filter rejects that request, "http-check expect status 200" therefore fails, HAProxy marks app1 DOWN, and with no server UP in the backend every client request is answered with 503 Service Unavailable.
The recommended solution is to send a Host header with the availability check from HAProxy. The value given to "hdr Host" must be one the CARA server accepts: its own hostname or IP, or a value listed in http.request.header.allowedHosts.
Example configuration for HAProxy 2.4.*
backend cara-out-8443
mode http
option httpchk
http-check send meth GET uri /datamanagement/availability hdr Host HOSTNAME_IP_OF_HAPROXY
http-check expect status 200
cookie JSESSIONID prefix nocache
default-server check check-ssl ssl verify none
server app1 NAC-SERVER_HOSTNAME:NAC-PORT cookie app1
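The following Python is an added example, not CARA's or HAProxy's own code: it models a Host-header allow-list filter of the kind the settings table describes (including the comma-separated "allowedHosts" format) and feeds it the raw request that each of the two HAProxy check forms sends, to show why the legacy check fails and the "http-check send ... hdr Host" check passes. The matching rules (case-insensitive, port ignored, localhost and 127.0.0.1 as the implicit defaults, a 400 on rejection) and the hostnames are assumptions; the real CARA filter is not reproduced here.

```python
# Added example (not CARA's or HAProxy's code): model of a Host-header
# allow-list filter plus the two HAProxy health-check request shapes.
from dataclasses import dataclass, field

DEFAULT_HOSTS = ("localhost", "127.0.0.1")  # assumed implicit allow set


def parse_allowed_hosts(value: str) -> set[str]:
    """Parse the comma-separated http.request.header.allowedHosts value.
    Entries are trimmed and lower-cased; empty entries are ignored."""
    return {h.strip().lower() for h in value.split(",") if h.strip()}


def parse_request(raw: bytes) -> tuple[str, str, str, dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, uri, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return method, uri, version, headers


def host_value(header: str) -> str:
    """Normalise a Host header: lower-case, drop the port, unwrap IPv6 brackets."""
    host = header.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:8443
        return host[1:host.index("]")]
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


@dataclass
class HostHeaderFilter:
    """Assumed behaviour of the Host header filter; not CARA's implementation."""
    enabled: bool = True                                    # enableHostHeaderFilter
    allowed_hosts: set[str] = field(default_factory=set)   # allowedHosts exceptions
    server_names: set[str] = field(default_factory=lambda: set(DEFAULT_HOSTS))

    def status_for(self, raw_request: bytes) -> int:
        """HTTP status the modelled server answers with for a raw request."""
        _, uri, _, headers = parse_request(raw_request)
        if self.enabled:
            host = headers.get("host")
            if host is None:            # HTTP/1.0 check carrying no Host header
                return 400              # assumed rejection code; any non-200 fails the check
            if host_value(host) not in (self.server_names | self.allowed_hosts):
                return 400
        return 200 if uri == "/datamanagement/availability" else 404


def legacy_httpchk(uri: str) -> bytes:
    """Request that `option httpchk GET <uri>` sends: HTTP/1.0, no Host header."""
    return f"GET {uri} HTTP/1.0\r\n\r\n".encode()


def http_check_send(uri: str, host: str) -> bytes:
    """Request that `http-check send meth GET uri <uri> hdr Host <host>` sends."""
    return f"GET {uri} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


def haproxy_backend_status(filter_: HostHeaderFilter, probe: bytes) -> int:
    """What a client sees: 503 once the probe fails `http-check expect status 200`."""
    return 200 if filter_.status_for(probe) == 200 else 503


if __name__ == "__main__":
    # Constructed allow list; "haproxy.example" stands in for HOSTNAME_IP_OF_HAPROXY.
    f = HostHeaderFilter(allowed_hosts=parse_allowed_hosts("haproxy.example, 10.0.0.5"))
    uri = "/datamanagement/availability"
    print("legacy httpchk         ->", haproxy_backend_status(f, legacy_httpchk(uri)))
    print("http-check send (Host) ->", haproxy_backend_status(f, http_check_send(uri, "haproxy.example:8443")))
    print("unlisted Host          ->", haproxy_backend_status(f, http_check_send(uri, "evil.example")))
```

The third probe shows the flip side of the fix: the value passed to "hdr Host" must itself be on the server's allow list, otherwise the corrected configuration fails in exactly the same way as the legacy one.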
Alternative solution/workaround
Disable Host header checking by configuring http.request. This turns the filter off for every request, not only the health check, and removes the protection described above, so the HAProxy change is preferred.