KEYCLOAK-5299 Document how to explicitly set permitted hostnames #268

Merged
merged 1 commit into from Dec 14, 2017
KEYCLOAK-5299 Document how to explicitly set permitted hostnames

stianst committed Dec 14, 2017
commit a2b58aadee42af2c375b72e86dffc2cf23cc3770
@@ -95,6 +95,7 @@ include::topics/events/admin.adoc[]
include::topics/export-import.adoc[]
include::topics/account.adoc[]
include::topics/threat.adoc[]
include::topics/threat/host.adoc[]
include::topics/threat/brute-force.adoc[]
include::topics/threat/clickjacking.adoc[]
include::topics/threat/ssl.adoc[]
@@ -0,0 +1,40 @@
=== Host
{project_name} uses the request URL for a number of things. For example, the URL sent in password reset emails.
By default, the request URL is based on the `Host` header and there is no check to make sure this URL is the valid and
correct URL.
If you are not using a load balancer or proxy in front of {project_name} that prevents invalid host headers, you must
explicitly configure what URLs should be accepted.
The following example will only permit requests to `localhost.localdomain` or `localhost`:
[source,xml,subs="attributes+"]
----
<subsystem xmlns="{subsystem_undertow_xml_urn}">
<server name="default-server" default-host="ignore">
...
<host name="default-host" alias="localhost.localdomain, localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
</subsystem>
----
The changes that have been made from the default config is to add the attribute `default-host="ignore"` and update the
attribute `alias`. `default-host="ignore"` prevents unknown hosts from being handled, while `alias` is used to list the
accepted hosts.
Here is the equivalent configuration using CLI commands:
[source,bash]
----
/subsystem=undertow/server=default-server:write-attribute(name=default-host,value=ignore)
/subsystem=undertow/server=default-server/host=default-host:write-attribute(name=alias,value=[localhost.localdomain, localhost]
:reload
----
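Review bot: the second CLI command is missing its closing parenthesis, so it will fail as written; it should end `write-attribute(name=alias,value=[localhost.localdomain, localhost])` before the `:reload`. Two smaller points in the prose of the same hunk: "The changes that have been made from the default config is to add" should read "are to add", and "there is no check to make sure this URL is the valid and correct URL" reads more clearly as "there is no check that the resulting URL is the expected one". It would also help readers to state the consequence the section currently leaves implicit, namely that a request URL built from an unvalidated `Host` header is what ends up in the password reset email, and to say explicitly that `default-host="ignore"` works because no host named `ignore` is defined in the subsystem, so requests that match no `alias` are not handled. Finally, a sentence noting that `localhost.localdomain` and `localhost` are illustrative and must be replaced with the deployment's real hostnames would avoid copy-paste of the example values.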