Tab – Basic

Section - Virtual Host

VH_basic_section Virtual Host
Field name
Description
Name
Each virtual host has a unique name.
Tenant
The tenant of this virtual host. See also Multitenancy feature.
Show maintenance page
Specifies whether Airlock Gateway should display a maintenance page instead of performing the request to the back-end server. Using this flag it is possible to temporarily disable access to a virtual host without having to delete the virtual host or to unconnect all mappings. If the flag is set, Airlock Gateway will redirect requests to the maintenance error page (see error page configuration).
Host name (FQDN)
This is the fully qualified server name under which the external web listener will be made visible to the outside.
Example: www.example.com
Strictly match FQDN and aliases
Specifies whether a virtual host should reply only to requests that match the hostname or any of its server alias names. Otherwise, a different virtual host will answer the request. If all virtual hosts on a given IP:port combination have this setting enabled, then non-matching HTTP requests are answered with 403 Forbidden, and non-matching HTTPS requests are denied by aborting the SSL handshake.
Clients that do not support Server Name Indication (SNI) cannot access virtual hosts that have this setting enabled.
The default virtual host ("catch-all virtual host") for an IP: port combination is chosen arbitrarily among the virtual hosts that have this setting disabled.
External network interface
Specifies the external network interface for this virtual host to receive requests.
IPv4 address (CIDR)
Specifies the IP addresses to be assigned to the external (untrusted) network interface for this virtual host. IPv4 and IPv6 can be assigned in parallel to a single virtual host.

Instead of assigning IP addresses manually, the DHCP service can be activated.

IPv6 address (CIDR)
Default redirect
Specifies the URL that a client is redirected to if he accesses the root directory of the entry server without a more qualified path (e.g. https://www.example.com/). This redirect URL has to be one that is valid from the external network because the user's browser will get back to Airlock Gateway with it. The status code of this redirect is 303 See Other.
Example: /public/index.html

Security relevant settings

The basic settings contain rudimentary virtual host settings like IP, hostname, and so on, which are minimally needed to run a virtual host.

  • A nonambiguous Virtual Host configuration is required for security reasons. Configuration options are:
  • a)
    explicit server alias names and multi-domain certificates
  • b)
    wildcard certificates and wildcard DNS records without server alias names

The HTTP header Host of a request is basically untrusted and can be manipulated. The option Strictly match FQDN and aliases on the virtual host is important in this context because it forces the client to send an HTTP header Host which is defined on the virtual host as FQDN or as a server alias name.

Use Strictly match FQDN and aliases option whenever possible.

If strictness is not possible, e.g. for pure wildcard name setup (wildcard DNS records, wildcard TLS certificate), note that attackers can use this virtual host to access all back-end groups connected via this virtual host.

An example of heterogeneous security settings is client certificate authentication:
If Strictly match FQDN and aliases are not configured, an attacker with a forged hostname can access the back-end via an unprotected virtual host, which should only be reached via the virtual host with client certificate authentication.

Section - HTTP

VH_basic_section HTTP

HTTP listener and HTTP port

Specifies whether HTTP connections are enabled for this host and on which port.

Redirect to HTTPS

Redirects all HTTP traffic to HTTPS on this virtual host. The status code of the redirect is 301 Moved Permanently. Note that both protocols must be enabled for this feature to work.

Section - HTTPS

VH_basic_section HTTPS

HTTPS listener (SSL/TLS) and HTTPS (SSL/TLS) port

Specifies whether HTTPS (SSL/TLS) connections are enabled for this host and on which port.

Enable HTTP/2

Specifies whether HTTP/2 connections are enabled for this host. HTTP/2 can only be enabled for hosts with enabled HTTPS.