4 Replies Latest reply: Jan 24, 2014 9:16 AM by the_assface

    Frontend Host Configuring


      I have read the article on Middleware Magic on setting the front end host, but when I hit the URL and observe it through HttpWatch it still shows the appserver/port as the "host". Doesn't seem to matter what I put in there, it always returns the same thing in the host headers. Questions:


      1) Is there another tool that shows the host headers and info coming back from the request?

      2) What format should I be filling this parameter in? Should it have the entire URL in it (like http://sitportal1:7070/fc/Controller.jpf) or just a host name (like sitportal1)? The help doesn't seem to illustrate the format this needs to be input as. I have tried pointing it at the web server front end as well (sitweb2.company.com), but it doesn't seem to return anything in the header but the name and port of the WebLogic app server.

      3) The application is deployed to a cluster and I've made the changes there as well, with the same results.   Yes, managed servers were restarted...


      I got points, who wants them?

        • 1. Re: Frontend Host Configuring
          René van Wijk

          Do not know what you are trying to accomplish, but note that the front host setting makes it possible that a certain host name is configured to which redirects are sent (when it is set it rejects the information contained in the host header). It does not change the host header (not to my knowledge anyway).


          The documentation (3 Ensuring the Security of Your Production Environment) sheds some more light on this:

          "When a request on a web application is redirected to another location, the Host header contained in the request is used by default in the Location header of the response. Because the Host header can be spoofed — that is, corrupted to contain a different host name and other parameters — this behavior can be exploited to launch a redirection attack on a third party.

          To prevent the likelihood of this occurrence, set the FrontendHost attribute on either the WebserverMBean or ClusterMBean to specify the host to which all redirected URLs are sent. The host specified in the FrontendHost attribute will be used in the Location header of the response instead of the one contained in the original request."


          or (http://docs.oracle.com/middleware/1212/wls/WLMBR/mbeans/ClusterMBean.html?skipReload=true#FrontendHost)


          "FrontendHost - The name of the host to which all redirected URLs will be sent.

          Sets the HTTP FrontendHost for the default webserver (not virtual hosts) for all the servers in the cluster. Provides a method to ensure that the webapp will always have the correct HOST information, even when the request is coming through a firewall or a proxy. If this parameter is configured, the HOST header will be ignored and the information in this parameter will be used in its place, when constructing the absolute urls for redirects."


          What I understand from this is that you set a host name (for example, google.com, or some other host name that is mapped to an IP address, or the IP address itself) to which the request is to be redirected (and if the application to which the redirect is going is not listening on any of the default HTTP ports (:80 or :443) you can define the port by using either frontend http port or frontend https port).


          As a tool to monitor HTTP(S) traffic you can probably use Fiddler (Fiddler - The Free Web Debugging Proxy by Telerik), but the one you are using (HttpWatch) is doing the job as well.

          • 2. Re: Frontend Host Configuring

            So in other words, all of my requests are still being sent back to the application server like they normally would, but this just puts the address of a web server, etc. in the returned header to the client, essentially masking the name or IP of the application server? Am I understanding that correctly?

            • 3. Re: Frontend Host Configuring
              René van Wijk

              When you configure the parameter FrontendHost, the Host header of the request is ignored, and the FrontendHost value is used in the Location header of the response (instead of the Host header value sent by the client). This can be tested with HttpWatch: just fill in different values and see what is returned in the Location header (also try it with the FrontendHost parameter not set; in this case the Location header should take over the Host header value).


              "Am I understanding that correctly?" Yes, only FrontendHost is not really used for masking, but more to prevent redirect attacks on third parties.
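The behaviour described in the documentation quoted in reply 1 and the HttpWatch check suggested in reply 3 can be modelled in a few lines. The following is an added example written for this thread, not WebLogic's implementation or code from any poster: `build_redirect_location` constructs the Location value the way the documentation says it is constructed (Host header by default, FrontendHost and the frontend port when configured), and `find_untrusted_redirects` runs the same test the reply proposes, trying several Host header values and reporting which ones would send the client to a host the deployment does not actually serve. All host names, paths and ports are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed model of the documented behaviour: the redirect target's host is
# taken from the request Host header unless a frontend host is configured, in
# which case the header is ignored. Illustration only, not WebLogic's code.

DEFAULT_PORTS = {"http": 80, "https": 443}


def build_redirect_location(host_header, path, scheme="http",
                            frontend_host=None, frontend_port=None):
    """Return the absolute URL that would be placed in the Location header.

    host_header   - raw value of the client's Host header, e.g. "sitportal1:7070"
    frontend_host - the FrontendHost setting (None when not configured)
    frontend_port - FrontendHTTPPort / FrontendHTTPSPort value (None when not set)
    IPv6 literals in the Host header are not handled in this model.
    """
    if frontend_host:
        # Configured frontend host wins; the client-supplied Host header is ignored.
        host, port = frontend_host, frontend_port
    else:
        # Default behaviour: trust whatever the client sent, port included.
        host, _, port_str = host_header.partition(":")
        port = int(port_str) if port_str else None

    authority = host
    if port and port != DEFAULT_PORTS.get(scheme):
        authority = f"{host}:{port}"
    return f"{scheme}://{authority}{path}"


def find_untrusted_redirects(host_header_values, path, allowed_hosts,
                             scheme="http", frontend_host=None,
                             frontend_port=None):
    """Replay several Host header values (the manual HttpWatch test) and return
    those that would produce a Location pointing outside allowed_hosts."""
    untrusted = []
    for value in host_header_values:
        location = build_redirect_location(value, path, scheme,
                                           frontend_host, frontend_port)
        if urlsplit(location).hostname not in allowed_hosts:
            untrusted.append(value)
    return untrusted


if __name__ == "__main__":
    # Constructed sample: a legitimate Host value and a spoofed one.
    probes = ["sitportal1:7070", "spoofed.example"]
    served = {"sitportal1", "sitweb2.company.com"}
    print("FrontendHost unset:", find_untrusted_redirects(
        probes, "/fc/Controller.jpf", served))
    print("FrontendHost set:  ", find_untrusted_redirects(
        probes, "/fc/Controller.jpf", served, frontend_host="sitweb2.company.com"))
```

With FrontendHost unset the spoofed Host value flows straight into the Location header, which is the third-party redirect the documentation warns about; with FrontendHost set every redirect lands on the configured front end regardless of what the client sent. The allowed-host check is the part worth keeping around as a monitoring assertion, since it flags the problem even when the Host header in the capture looks unremarkable.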

              • 4. Re: Frontend Host Configuring

                Thanks for the clarification. I think I have the info I need now... much appreciated.