Do not know what you are trying to accomplish, but note that the front host setting makes it possible that a certain host name is configured to which redirects are sent (when it is set it rejects the information contained in the host header). It does not change the host header (not to my knowledge anyway).
The documentation (3 Ensuring the Security of Your Production Environment) sheds some more light on this:
"When a request on a web application is redirected to another location, the Host header contained in the request is used by default in the Location header of the response. Because the Host header can be spoofed — that is, corrupted to contain a different host name and other parameters — this behavior can be exploited to launch a redirection attack on a third party.
To prevent the likelihood of this occurrence, set the FrontendHost attribute on either the WebserverMBean or ClusterMBean to specify the host to which all redirected URLs are sent. The host specified in the FrontendHost attribute will be used in the Location header of the response instead of the one contained in the original request."
"FrontendHost - The name of the host to which all redirected URLs will be sent.
Sets the HTTP FrontendHost for the default webserver (not virtual hosts) for all the servers in the cluster. Provides a method to ensure that the webapp will always have the correct HOST information, even when the request is coming through a firewall or a proxy. If this parameter is configured, the HOST header will be ignored and the information in this parameter will be used in its place, when constructing the absolute urls for redirects."
What I understand from this is that you set a host name (for example, google.com, or some other host name that is mapped to an IP-address, or the IP-address itself) to which the request is to be redirected (and if the application to which the redirect is going is not listening on any of the default HTTP ports (:80 or :443) you can define the port by using either frontend http port or frontend https port).
As a tool to monitor HTTP(S) traffic you can probably use Fiddler (Fiddler - The Free Web Debugging Proxy by Telerik), but the one you are using (HttpWatch) is doing the job as well.
So in other words, all of my requests are still being sent back to the application server like they normally would but this just puts the address of a web server, etc....in the returned header to the client, essentially masking the name or IP of the application server? Am I understanding that correctly?
When you configure the parameter FrontendHost, the Host header of the request is ignored, and the FrontendHost value is used in the Location header of the response (instead of the Host header value sent by the client). This can be tested with HttpWatch, just fill in different values and see what is returned in the Location header (also try it with the FrontendHost parameter not set, in this case the Location header should take over the Host header value).
"Am I understanding that correctly?" Yes, only FrontendHost is not really used for masking, but more to prevent redirect attacks on third parties.
Thanks for the clarification. I think I have the info I need now....much appreciated.
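The Location-header check described in the thread, scripted as an added example (not part of the original posts and not Oracle code). A small local server stands in for the documented behaviour with and without a configured frontend host, and `redirect_reflects_host` is the check you would run against your own server; the handler, the function names, `probe.invalid` and `www.example.com` are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def make_handler(frontend_host=None):
    """Constructed stand-in for the documented redirect behaviour (not WebLogic code)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            # With no frontend host configured, the client's Host header is
            # copied into the absolute redirect URL.
            host = frontend_host or self.headers.get("Host", "")
            self.send_response(302)
            self.send_header("Location", f"http://{host}/app/login")
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler

def location_for_host(port, host_header):
    """GET /app on 127.0.0.1:port with a chosen Host header; return Location."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.putrequest("GET", "/app", skip_host=True)
        conn.putheader("Host", host_header)
        conn.endheaders()
        resp = conn.getresponse()
        resp.read()
        return resp.getheader("Location")
    finally:
        conn.close()

def redirect_reflects_host(port, probe="probe.invalid"):
    """True if the request's Host header value ends up in the Location header."""
    loc = location_for_host(port, probe)
    return loc is not None and urlsplit(loc).hostname == probe

def run_case(frontend_host):
    """Start the stand-in server on a free port and run the check against it."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(frontend_host))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return redirect_reflects_host(server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("frontend host unset, Host reflected:", run_case(None))
    print("frontend host set, Host reflected:", run_case("www.example.com"))
```
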