Reject Requests with Empty Host Header

Is there a way to reject any HTTP requests, without using middleware, where the host header is not set or the host header is set to an empty string, e.g.

Host: ''

When using Traefik in EKS behind an AWS ELB using an Ingress, any HTTP 1.0 requests with an intentionally null host header result in the private IP of the ELB being exposed when a redirect from HTTP to HTTPS is generated, e.g. the resulting redirect looks like:

Location: https://10.1.2.3/

This is a medium-level security risk according to the HTTP vulnerability scanning tool we're using and needs to be addressed.

I found the root cause. When sending an HTTP/1.0 request to an AWS ELB with an empty host header, the ELB automatically changes the request sent to Traefik to an HTTP/1.1 request and replaces the empty host: header with the private IP of the ELB, e.g. if the ELB private IP is 10.1.2.3, then the request sent to Traefik is:

GET / HTTP/1.1
host: 10.1.2.3
Accept: */*
User-Agent: curl/1.2.3
X-Forwarded-For: 44.1.2.3
X-Forwarded-Port: 80
X-Forwarded-Proto: http


Thanks @justin-spies

I was trying to replicate it myself but couldn't; the ELB was the missing piece.

Great info for anybody looking into the same security finding.
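The check this thread is asking for, written as an added example rather than Traefik's or AWS's own code: a Go HTTP-to-HTTPS redirect handler that answers 400 instead of emitting a Location header when the Host is empty or is an internal IP such as the ELB-substituted 10.1.2.3. The function names and the offline `probe` helper are this example's assumptions, not part of any project.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// rejectReason is non-empty when the Host header must not be echoed into a
// redirect: missing, or an internal IP (private/loopback/link-local/unspecified).
func rejectReason(host string) string {
	if host == "" {
		return "empty Host header"
	}
	h := host
	if hp, _, err := net.SplitHostPort(host); err == nil {
		h = hp // drop ":80" / ":443"
	}
	if ip := net.ParseIP(h); ip != nil &&
		(ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()) {
		return "Host is an internal IP address"
	}
	return ""
}

// redirectToHTTPS refuses rejected hosts with 400 so no Location header can
// leak an internal address; otherwise it issues the usual HTTP->HTTPS redirect.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	if reason := rejectReason(r.Host); reason != "" {
		http.Error(w, reason, http.StatusBadRequest)
		return
	}
	http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
}

// probe replays a request with the given Host offline and returns status + Location.
func probe(host, path string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Host = host
	rec := httptest.NewRecorder()
	redirectToHTTPS(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	// Constructed inputs: empty Host, the ELB private IP from the thread, a real hostname.
	for _, h := range []string{"", "10.1.2.3", "example.com"} {
		code, loc := probe(h, "/")
		fmt.Printf("Host=%q -> %d %s\n", h, code, loc)
	}
}
```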