Fix/reject invalid host headers (opf#9449)

* Add a default virtualhost to catch any requests not using the specified SERVER_NAME * Set the default to _default_ * Update documentation Co-authored-by: Oliver Günther <mail@oliverguenther.de>
ms-jagadeeshan · Jul 20, 2021 · 033eb9e · 033eb9e
1 parent 903c996
commit 033eb9e
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/docker/prod/entrypoint.sh b/docker/prod/entrypoint.sh
@@ -42,6 +42,8 @@ if [ "$(id -u)" = '0' ]; then
 	chown -R $APP_USER:$APP_USER $APP_DATA_PATH
 	if [ -d /etc/apache2/sites-enabled ]; then
 		chown -R $APP_USER:$APP_USER /etc/apache2/sites-enabled
+		echo "OpenProject currently expects to be reached on the following domain: ${SERVER_NAME:=localhost}, which does not seem to be how your installation is configured." > /var/www/html/index.html
+		echo "If you are an administrator, please ensure you have correctly set the SERVER_NAME variable when launching your container." >> /var/www/html/index.html
 	fi
 
 	# Clean up any dangling PID file

diff --git a/docker/prod/proxy.conf.erb b/docker/prod/proxy.conf.erb
@@ -1,5 +1,13 @@
+<% server_name = ENV.fetch('SERVER_NAME') { "_default_" } %>
+<% unless server_name == "_default_" %>
 <VirtualHost *:80>
-  ServerName <%= ENV.fetch('SERVER_NAME') { "_default_" } %>
+  ServerName _default_
+  DocumentRoot /var/www/html
+</VirtualHost>
+<% end %>
+
+<VirtualHost *:80>
+  ServerName <%= server_name %>
   DocumentRoot <%= ENV.fetch('APP_PATH') %>/public
 
   ProxyRequests off

diff --git a/docs/installation-and-operations/installation/docker/README.md b/docs/installation-and-operations/installation/docker/README.md
@@ -119,6 +119,9 @@ docker run -d -p 8080:80 --name openproject \
   openproject/community:11
 ```
 
+Please make sure you set the correct public facing hostname in `SERVER_HOSTNAME`. If you don't have a load-balancing or proxying web server in front of your docker container,
+you will otherwise be vulnerable to [HOST header injections](https://portswigger.net/web-security/host-header), as the internal server has no way of identifying the correct host name.
+
 **Note**: Make sure to replace `secret` with a random string. One way to generate one is to run `head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo ''` if you are on Linux.
 
 **Note**: MacOS users might encounter an "Operation not permitted" error on the mounted directories. The fix for this is to create the two directories in a user-owned directory of the host machine.