From: Chris H. <ch...@ha...> - 2003-12-11 13:43:42
Don't use the value of the Host: header in an HTTP request as a security
attribute - it can easily be forged!

Am I right in assuming that your two physical interface cards are on separate
networks: one having a route via the DMZ to the Internet, the second only
to/from your intranet? In other words there is NO route from the public
Internet to the intranet interface card on your server. That _must_ be in place
for the following to be secure...

You can configure a single Jetty instance to have two Server instances - see the
Jetty Tutorial for details.

Give each Server its own SocketListener, each specifying its host address, e.g.
the Public server has the following added to its SocketListener set-up:

<Set name='Host'>publicAddress</Set>

and the Internal server's listener has

<Set name='Host'>intranetAddress</Set>

The above will be enough to separate the two sets of traffic. Next you will add
contexts to each of the two servers to determine what each can see.

Give the public / DMZ Server just the public context, and set it up as a virtual
host with your public host name.

The Internal server is given the private, internal context.

If your internal DNS / routing support it, you could also now set up a second
context on the Internal server which has the same virtual host name as the
public service. Its content could be the same as is seen by the public, or there
could be different content.

The public can't see it, because their requests can't get to the Internal server,
because it does not have a SocketListener listening to the public interface
address.

HTH
Chris
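The two-Server layout described above, written out as a pair of Jetty 4/5-era XML configuration files (the Jetty version in use when this thread was posted). This is an added example, not Chris's or the Jetty project's own configuration; the interface addresses, host names, webapp paths and the launch command are assumptions or placeholders.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure 1.2//EN"
          "http://jetty.mortbay.org/configure_1_2.dtd">
<!-- ===== etc/public.xml : the Public (DMZ-facing) Server =====
     The SocketListener is bound ONLY to the DMZ interface address.
     192.0.2.10 is a constructed placeholder for "publicAddress". -->
<Configure class="org.mortbay.jetty.Server">
  <Call name="addListener">
    <Arg>
      <New class="org.mortbay.http.SocketListener">
        <Set name="Host">192.0.2.10</Set>
        <Set name="Port">80</Set>
      </New>
    </Arg>
  </Call>
  <!-- Only the public webapp is deployed on this Server, as a virtual
       host for the public name. The intranet context does not exist
       here, so a forged Host: header arriving on the public interface
       has nothing private to select. -->
  <Call name="addWebApplication">
    <Arg>www.example.com</Arg>      <!-- virtual host (placeholder) -->
    <Arg>/</Arg>                    <!-- context path -->
    <Arg>./webapps/public</Arg>     <!-- webapp location (placeholder) -->
  </Call>
</Configure>

<!-- ===== etc/internal.xml : the Internal Server (separate file) =====
     Bound ONLY to the intranet interface address; 10.0.0.10 is a
     constructed placeholder for "intranetAddress". The access control
     is the socket binding plus the routing assumption Chris states:
     no route from the Internet to this interface. -->
<Configure class="org.mortbay.jetty.Server">
  <Call name="addListener">
    <Arg>
      <New class="org.mortbay.http.SocketListener">
        <Set name="Host">10.0.0.10</Set>
        <Set name="Port">80</Set>
      </New>
    </Arg>
  </Call>
  <Call name="addWebApplication">
    <Arg>intranet.example.internal</Arg>   <!-- private virtual host -->
    <Arg>/</Arg>
    <Arg>./webapps/intranet</Arg>
  </Call>
  <!-- Optional (needs internal DNS for www.example.com to resolve to
       10.0.0.10): the same public virtual host name on the Internal
       Server, so intranet users reach the public site without a round
       trip through the DMZ. Unreachable from outside: no listener on
       the public address belongs to this Server. -->
  <Call name="addWebApplication">
    <Arg>www.example.com</Arg>
    <Arg>/</Arg>
    <Arg>./webapps/public</Arg>
  </Call>
</Configure>
```

Assumed launch (one Server per config file, as Jetty 4's `org.mortbay.jetty.Server` main accepted): `java org.mortbay.jetty.Server etc/public.xml etc/internal.xml`. Verify the binding afterwards with `netstat -an` (or equivalent) and confirm each port 80 socket is listed against its interface address, not `0.0.0.0`.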
----- Original Message -----
From: "Jørund Skriubakken" <j.v...@mo...>
To: <jet...@li...>
Sent: Thursday, December 11, 2003 12:22 PM
Subject: [Jetty-support] Is Jetty able to specify allowed virtual hosts for an
IP address?

Hi all!

I am running a JBoss webapp under Jetty. The webapp is serving both our
Internet pages and our intranet pages. The server machine is set up with two
interfaces, one for the internal network and the other for the DMZ zone/Internet.

I want to prevent the possibility of reaching our intranet pages from outside
(through the external interface/public IP address). That is possible if a person
knows the intranet virtual hostname and just adds an entry for that hostname in
his/her hosts file. One possible solution would be to define a rule
in Jetty so that Jetty only answered requests on a specific IP address if it has
the correct hostname.

Is it possible in Jetty?

Regards,
Jørund