This repository has been archived by the owner on Apr 19, 2023. It is now read-only.

KEYCLOAK-5299 Document how to explicitly set permitted hostnames #268

Merged
merged 1 commit into from Dec 14, 2017
KEYCLOAK-5299 Document how to explicitly set permitted hostnames
stianst committed Dec 14, 2017
commit a2b58aadee42af2c375b72e86dffc2cf23cc3770
1 change: 1 addition & 0 deletions server_admin/topics.adoc
Expand Up @@ -95,6 +95,7 @@ include::topics/events/admin.adoc[]
include::topics/export-import.adoc[]
include::topics/account.adoc[]
include::topics/threat.adoc[]
include::topics/threat/host.adoc[]
include::topics/threat/brute-force.adoc[]
include::topics/threat/clickjacking.adoc[]
include::topics/threat/ssl.adoc[]
40 changes: 40 additions & 0 deletions server_admin/topics/threat/host.adoc
@@ -0,0 +1,40 @@

=== Host

{project_name} uses the request URL for a number of things. For example, the URL sent in password reset emails.

By default, the request URL is based on the `Host` header and there is no check to make sure this URL is the valid and
correct URL.

If you are not using a load balancer or proxy in front of {project_name} that prevents invalid host headers, you must
explicitly configure what URLs should be accepted.

The following example will only permit requests to `localhost.localdomain` or `localhost`:

[source,xml,subs="attributes+"]
----
<subsystem xmlns="{subsystem_undertow_xml_urn}">
<server name="default-server" default-host="ignore">
...
<host name="default-host" alias="localhost.localdomain, localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
</subsystem>
----

The changes that have been made from the default config is to add the attribute `default-host="ignore"` and update the
attribute `alias`. `default-host="ignore"` prevents unknown hosts from being handled, while `alias` is used to list the
accepted hosts.

Here is the equivalent configuration using CLI commands:

[source,bash]
----
/subsystem=undertow/server=default-server:write-attribute(name=default-host,value=ignore)
/subsystem=undertow/server=default-server/host=default-host:write-attribute(name=alias,value=[localhost.localdomain, localhost]

:reload
----
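Review bot: the second command in the `[source,bash]` block is missing its closing parenthesis: `/subsystem=undertow/server=default-server/host=default-host:write-attribute(name=alias,value=[localhost.localdomain, localhost]` needs a trailing `)` before it can be pasted into jboss-cli as the text promises ("equivalent configuration using CLI commands"). Two smaller points in the same hunk: the sentence "The changes that have been made from the default config is to add the attribute ..." should read "are to add ...", and since the prose only says `default-host="ignore"` "prevents unknown hosts from being handled", one sentence describing what a request with an unlisted `Host` header actually receives would let operators verify the setting took effect rather than assume it did.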