
Affected versions:

All versions of Cryptshare Server

Symptom:

When a page is requested from a Cryptshare Server with HTTP/1.0, i.e. without a Host header, the redirect to the start page discloses the internal IP address of the server in the Location header (the request below is terminated with an empty line):

nc my.cryptshare.server 80
GET / HTTP/1.0

HTTP/1.1 302 Found
Date: Fri, 12 Jun 2015 07:43:06 GMT
X-Frame-Options: SAMEORIGIN
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store
Location: http://10.0.1.1/Start
Content-Length: 0

Cause:

An HTTP/1.0 request carries no Host header (the header only became mandatory with HTTP/1.1). When the embedded Jetty server builds the absolute URL for the redirect it therefore falls back to the local address of the connector, i.e. the server's internal IP address. On its own this is only an information disclosure, but the internal address helps an attacker map the network behind a reverse proxy or NAT, which is why scanners flag it.


Solution:

In each of the two Jetty configuration files (User Interface and Administration Interface) a HostHeaderCustomizer must be defined once and added to both HttpConfiguration objects (http and https). The customizer inserts a Host header with the configured server name into requests that have none, so the redirect is built from that name instead of the IP address. Note that it does not disable HTTP/1.0, and it does not touch a Host header that a client sends itself.

  1. open the Jetty XML configuration file you want to change
    1. User Interface: 'resources/WEB-INF/ui-config.xml'
    2. Administration Interface: 'resources/WEB-INF/ai-config.xml'
  2. add a 'New' tag that creates a HostHeaderCustomizer with your server name as argument
  3. add a 'Call' tag for 'addCustomizer' referencing the new customizer in the httpConfig section
  4. add a 'Call' tag for 'addCustomizer' referencing the new customizer in the tlsHttpConfig section
  5. save the changes
  6. restart the Cryptshare Server


Edit your configuration files accordingly; '[...]' marks the unchanged parts of the existing file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "resources/WEB-INF/configure.dtd">
<Configure id="Cryptshare" class="org.eclipse.jetty.server.Server">
	<!-- Host name that Jetty uses for requests without a Host header (HTTP/1.0) -->
	<New class="org.eclipse.jetty.server.HostHeaderCustomizer" id="hostHeaderCustomizer">
		<Arg>myServerName</Arg>
	</New>
	[...]
	<!-- plain HTTP connector configuration -->
	<New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
		[...]
		<Call name="addCustomizer">
			<Arg>
				<Ref refid="hostHeaderCustomizer" />
			</Arg>
		</Call>
	</New>
	<!-- HTTPS connector configuration; needs the same customizer -->
	<New id="tlsHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
		[...]
		<Call name="addCustomizer">
			<Arg>
				<Ref refid="hostHeaderCustomizer" />
			</Arg>
		</Call>
	</New>
	[...]
</Configure>
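The following script reproduces the symptom and verifies the fix after the restart. It is an added example and not part of the Cryptshare article or of the product: it sends the same HTTP/1.0 request as above with nc and reports whether the host part of the Location header is an IPv4 literal (the leak) or a host name (the customizer is in effect). The host name my.cryptshare.server, the port and the availability of nc are assumptions; the embedded sample response is constructed from the symptom shown above so the checks can also be run offline.

```shell
#!/bin/sh
# Added example (not from the Cryptshare article): reproduce the HTTP/1.0
# redirect leak and check whether the HostHeaderCustomizer fix is active.

# Constructed sample, taken from the symptom in the article: an HTTP/1.0
# request answered with a redirect to the server's internal address.
SAMPLE_RESPONSE='HTTP/1.1 302 Found
Date: Fri, 12 Jun 2015 07:43:06 GMT
Location: http://10.0.1.1/Start
Content-Length: 0'

# Build a raw request. HTTP/1.0 requests are sent without a Host header,
# which is what triggers the leak; HTTP/1.1 requests must carry one.
# $1 = HTTP version (1.0 or 1.1), $2 = host name for the Host header (1.1 only)
build_request() {
    if [ "$1" = "1.1" ]; then
        printf 'GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$2"
    else
        printf 'GET / HTTP/1.0\r\n\r\n'
    fi
}

# Print the value of the first Location header read from stdin (CRLF tolerant).
location_header() {
    tr -d '\r' | sed -n 's/^[Ll]ocation:[[:space:]]*//p' | head -n 1
}

# Strip scheme, port, path and query from a URL, leaving only the host part.
url_host() {
    printf '%s' "$1" | sed 's#^[[:alpha:]]*://##; s#[/:?].*$##'
}

# Return 0 when the host part is a dotted-quad IPv4 literal.
host_is_ipv4_literal() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Judge one response read from stdin. $1 = label for the report.
# Returns 1 when the redirect target uses an IP literal (the leak), 0 otherwise.
check_response() {
    loc=$(location_header)
    if [ -z "$loc" ]; then
        echo "$1: no Location header, nothing to check"
        return 0
    fi
    host=$(url_host "$loc")
    if host_is_ipv4_literal "$host"; then
        echo "$1: LEAK - Location uses IP literal $host (no Host header, server used its own address)"
        return 1
    fi
    echo "$1: OK - Location uses host name $host"
    return 0
}

# Live check: send the HTTP/1.0 request to a real server with nc (assumed available).
# Usage: check_server my.cryptshare.server 80
check_server() {
    build_request 1.0 | nc -w 5 "$1" "$2" | check_response "$1:$2"
}

# Offline demonstration on the constructed sample (reports LEAK), then an
# optional live check when a host is passed on the command line.
printf '%s\n' "$SAMPLE_RESPONSE" | check_response "constructed sample" || true
if [ $# -ge 1 ]; then
    check_server "$1" "${2:-80}"
fi
```

Run it once before and once after the restart: before the change the HTTP/1.0 request is answered with an IP literal, afterwards the Location header carries the server name given to the HostHeaderCustomizer. Both the HTTP and the HTTPS port (via openssl s_client instead of nc) should be checked, since each HttpConfiguration needs its own addCustomizer call.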
Example config files

These are complete example files; before using them, check that they match your environment (keystore passwords, cipher suites, ports, host names, ...). The KeyStorePassword and KeyManagerPassword values shown are example values, not those of your installation.

Remember to replace YourServerName with the host name under which users reach your server, as the redirect will be built from exactly this value.


ai-config.xml with HostHeaderCustomizer added
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "resources/WEB-INF/configure.dtd">
<Configure id="Cryptshare" class="org.eclipse.jetty.server.Server">
	<New class="org.eclipse.jetty.server.HostHeaderCustomizer" id="hostHeaderCustomizer">
		<Arg>YourServerName</Arg>
	</New>
	<New id="sslContextFactory" class="com.befinesolutions.cryptshare.server.CSSSLContextFactory">
		<Set name="KeyStorePath">lib/security/keystore</Set>
		<Set name="KeyStorePassword">CA0AZhuFM4NogQh</Set>
		<Set name="KeyManagerPassword">CA0AZhuFM4NogQh</Set>
		<Set name="TrustStorePath">
			<SystemProperty name="java.home" default="."/>/lib/security/cacerts
		</Set>
		<Set name="TrustStorePassword">changeit</Set>
		<Set name="protocol">TLSv1.2</Set>
		<Set name="renegotiationAllowed">false</Set>
		<Set name="includeProtocols">
			<Array type="java.lang.String">
				<Item>TLSv1.2</Item>
			</Array>
		</Set>
		<Set name="excludeProtocols">
			<Array type="java.lang.String">
				<Item>SSLv3</Item>
				<Item>SSLv2Hello</Item>
				<Item>TLSv1</Item>
				<Item>TLSv1.1</Item>
			</Array>
		</Set>
		<Set name="includeCipherSuites">
			<Array type="java.lang.String">
				<Item>TLS_ECDHE.*</Item>
			</Array>
		</Set>
		<Set name="excludeCipherSuites">
			<Array type="java.lang.String">
				<Item>.*NULL.*</Item>
				<Item>.*RC4.*</Item>
				<Item>.*MD5.*</Item>
				<Item>.*DES.*</Item>
				<Item>.*DSS.*</Item>
				<Item>TLS_RSA.*</Item>
				<Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Item>
				<Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
				<Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item>
				<Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
			</Array>
		</Set>
	</New>
	<New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
		<Set name="secureScheme">https</Set>
		<Set name="securePort">
			<SystemProperty name="cryptshare.ai.https.port" default="8080"/>
		</Set>
		<Set name="outputBufferSize">32768</Set>
		<Set name="requestHeaderSize">8192</Set>
		<Set name="responseHeaderSize">8192</Set>
		<Set name="sendServerVersion">
			<Property name="jetty.send.server.version" default="true"/>
		</Set>
		<Call name="addCustomizer">
			<Arg>
				<Ref refid="hostHeaderCustomizer" />
			</Arg>
		</Call>
	</New>
	<New id="tlsHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
		<Arg>
			<Ref refid="httpConfig"/>
		</Arg>
		<Call name="addCustomizer">
			<Arg>
				<New class="org.eclipse.jetty.server.SecureRequestCustomizer"/>
			</Arg>
		</Call>
		<Call name="addCustomizer">
			<Arg>
				<Ref refid="hostHeaderCustomizer" />
			</Arg>
		</Call>
	</New>
	<Call name="addConnector">
		<Arg>
			<New class="org.eclipse.jetty.server.ServerConnector">
				<Arg name="server">
					<Ref refid="Cryptshare"/>
				</Arg>
				<Arg name="factories">
					<Array type="org.eclipse.jetty.server.ConnectionFactory">
						<Item>
							<New class="org.eclipse.jetty.server.HttpConnectionFactory">
								<Arg name="config">
									<Ref refid="httpConfig"/>
								</Arg>
							</New>
						</Item>
					</Array>
				</Arg>
				<Set name="host">
					<Property name="jetty.host"/>
				</Set>
				<Set name="port">
					<SystemProperty name="cryptshare.ai.http.port" default="9090"/>
				</Set>
				<Set name="idleTimeout">
					<Property name="http.timeout" default="10000"/>
				</Set>
				<Set name="soLingerTime">
					<Property name="http.soLingerTime" default="-1"/>
				</Set>
			</New>
		</Arg>
	</Call>
	<Call id="sslConnector" name="addConnector">
		<Arg>
			<New class="org.eclipse.jetty.server.ServerConnector">
				<Arg name="server">
					<Ref refid="Cryptshare"/>
				</Arg>
				<Arg name="factories">
					<Array type="org.eclipse.jetty.server.ConnectionFactory">
						<Item>
							<New class="org.eclipse.jetty.server.SslConnectionFactory">
								<Arg name="next">http/1.1</Arg>
								<Arg name="sslContextFactory">
									<Ref refid="sslContextFactory"/>
								</Arg>
							</New>
						</Item>
						<Item>
							<New class="org.eclipse.jetty.server.HttpConnectionFactory">
								<Arg name="config">
									<Ref refid="tlsHttpConfig"/>
								</Arg>
							</New>
						</Item>
					</Array>
				</Arg>
				<Set name="host">
					<Property name="jetty.host"/>
				</Set>
				<Set name="port">
					<SystemProperty name="cryptshare.ai.https.port" default="8080"/>
				</Set>
				<Set name="idleTimeout">
					<Property name="http.timeout" default="10000"/>
				</Set>
				<Set name="soLingerTime">
					<Property name="http.soLingerTime" default="-1"/>
				</Set>
			</New>
		</Arg>
	</Call>
</Configure>
ui-config.xml with HostHeaderCustomizer added
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "resources/WEB-INF/configure.dtd">
<Configure id="Cryptshare" class="org.eclipse.jetty.server.Server">
	<New class="org.eclipse.jetty.server.HostHeaderCustomizer" id="hostHeaderCustomizer">
		<Arg>YourServerName</Arg>
	</New>
	<Arg name="threadpool">
		<New class="org.eclipse.jetty.util.thread.QueuedThreadPool">
			<Arg name="minThreads" type="int">5</Arg>
			<Arg name="maxThreads" type="int">25</Arg>
			<Arg name="idleTimeout" type="int">1000</Arg>
			<Arg name="queue">
				<New class="java.util.concurrent.ArrayBlockingQueue">
					<Arg type="int">200</Arg>
				</New>
			</Arg>
		</New>
	</Arg>
	<New id="sslContextFactory" class="com.befinesolutions.cryptshare.server.CSSSLContextFactory">
		<Set name="KeyStorePath">lib/security/keystore</Set>
		<Set name="KeyStorePassword">CA0AZhuFM4NogQh</Set>
		<Set name="KeyManagerPassword">CA0AZhuFM4NogQh</Set>
		<Set name="TrustStorePath">
			<SystemProperty name="java.home" default="."/>/lib/security/cacerts
		</Set>
		<Set name="TrustStorePassword">changeit</Set>
		<Set name="protocol">TLSv1.2</Set>
		<Set name="renegotiationAllowed">false</Set>
		<Set name="includeProtocols">
			<Array type="java.lang.String">
				<Item>TLSv1.2</Item>
			</Array>
		</Set>
		<Set name="excludeProtocols">
			<Array type="java.lang.String">
				<Item>SSLv3</Item>
				<Item>SSLv2Hello</Item>
				<Item>TLSv1</Item>
				<Item>TLSv1.1</Item>
			</Array>
		</Set>
		<Set name="includeCipherSuites">
			<Array type="java.lang.String">
				<Item>TLS_ECDHE.*</Item>
			</Array>
		</Set>
		<Set name="excludeCipherSuites">
			<Array type="java.lang.String">
				<Item>.*NULL.*</Item>
				<Item>.*RC4.*</Item>
				<Item>.*MD5.*</Item>
				<Item>.*DES.*</Item>
				<Item>.*DSS.*</Item>
				<Item>TLS_RSA.*</Item>
				<Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Item>
				<Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
				<Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item>
				<Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
			</Array>
		</Set>
	</New>
	<New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
		<Set name="secureScheme">https</Set>
		<Set name="securePort">
			<SystemProperty name="cryptshare.ui.https.port" default="443"/>
		</Set>
		<Set name="outputBufferSize">32768</Set>
		<Set name="requestHeaderSize">8192</Set>
		<Set name="responseHeaderSize">8192</Set>
		<Set name="sendServerVersion">
			<Property name="jetty.send.server.version" default="true"/>
		</Set>
		<Call name="addCustomizer">
			<Arg>
				<Ref refid="hostHeaderCustomizer" />
			</Arg>
		</Call>
	</New>
	<New id="tlsHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
		<Arg>
			<Ref refid="httpConfig"/>
		</Arg>
		<Call name="addCustomizer">
			<Arg>
				<New class="org.eclipse.jetty.server.SecureRequestCustomizer"/>
			</Arg>
		</Call>
		<Call name="addCustomizer">
			<Arg>
				<Ref refid="hostHeaderCustomizer" />
			</Arg>
		</Call>
	</New>
	<Call name="addConnector">
		<Arg>
			<New class="org.eclipse.jetty.server.ServerConnector">
				<Arg name="server">
					<Ref refid="Cryptshare"/>
				</Arg>
				<Arg name="factories">
					<Array type="org.eclipse.jetty.server.ConnectionFactory">
						<Item>
							<New class="org.eclipse.jetty.server.HttpConnectionFactory">
								<Arg name="config">
									<Ref refid="httpConfig"/>
								</Arg>
							</New>
						</Item>
					</Array>
				</Arg>
				<Set name="host">
					<Property name="jetty.host"/>
				</Set>
				<Set name="port">
					<SystemProperty name="cryptshare.ui.http.port" default="80"/>
				</Set>
				<Set name="idleTimeout">
					<Property name="http.timeout" default="15000"/>
				</Set>
				<Set name="soLingerTime">
					<Property name="http.soLingerTime" default="-1"/>
				</Set>
			</New>
		</Arg>
	</Call>
	<Call id="sslConnector" name="addConnector">
		<Arg>
			<New class="org.eclipse.jetty.server.ServerConnector">
				<Arg name="server">
					<Ref refid="Cryptshare"/>
				</Arg>
				<Arg name="factories">
					<Array type="org.eclipse.jetty.server.ConnectionFactory">
						<Item>
							<New class="org.eclipse.jetty.server.SslConnectionFactory">
								<Arg name="next">http/1.1</Arg>
								<Arg name="sslContextFactory">
									<Ref refid="sslContextFactory"/>
								</Arg>
							</New>
						</Item>
						<Item>
							<New class="org.eclipse.jetty.server.HttpConnectionFactory">
								<Arg name="config">
									<Ref refid="tlsHttpConfig"/>
								</Arg>
							</New>
						</Item>
					</Array>
				</Arg>
				<Set name="host">
					<Property name="jetty.host"/>
				</Set>
				<Set name="port">
					<SystemProperty name="cryptshare.ui.https.port" default="443"/>
				</Set>
				<Set name="idleTimeout">
					<Property name="http.timeout" default="15000"/>
				</Set>
				<Set name="soLingerTime">
					<Property name="http.soLingerTime" default="-1"/>
				</Set>
			</New>
		</Arg>
	</Call>
</Configure>