Avoiding internal IP disclosure when configuring redirects in HTTP farms

View Categories

Avoiding internal IP disclosure when configuring redirects in HTTP farms

< 1 min read

Redirects #

Redirects are very useful in HTTP farms for steering the users to certain URLs in specific cases for security (redirecting from HTTP to HTTPS) or just to avoid HTTP 404 not found errors, among other situations. Applying redirects in the load balancer side, will unload the real servers from such tasks and improve network performance.

Having a wrong configuration of redirections could lead in security concerns due to internal disclosure of IP addresses.

Redirection with IP disclosure #

When Enable Redirect is set in our HTTP farm service, the field Redirect URL is shown. Entering values with IP addresses such as “https://10.10.10.5/login.html” or “https://localhost/login.html” would lead into an internal IP disclosure like it is shown below.

Avoid IP disclosure #

The proper way to configure a redirect without internal disclosure is using the full qualified domain in the Redirect URL as it is set in the Virtual Host field. Please refer to the picture below.

SHARE ON:

Powered by BetterDocs