Section - Virtual Host
| Field name | Description |
|---|---|
| Name | Each virtual host has a unique name. |
| Tenant | The tenant of this virtual host. See also the Multitenancy feature. |
| Show maintenance page | Specifies whether Airlock Gateway should display a maintenance page instead of forwarding the request to the back-end server. With this flag it is possible to temporarily disable access to a virtual host without having to delete the virtual host or disconnect all its mappings. If the flag is set, Airlock Gateway redirects requests to the maintenance error page (see error page configuration). |
| Host name (FQDN) | The fully qualified server name under which the external web listener is made visible to the outside. |
| Strictly match FQDN and aliases | Specifies whether a virtual host should reply only to requests whose Host header matches its host name or one of its server alias names. Otherwise, a different virtual host will answer the request. If all virtual hosts on a given IP:port combination have this setting enabled, then non-matching HTTP requests are answered with Clients that do not support Server Name Indication (SNI) cannot access virtual hosts that have this setting enabled. The default virtual host ("catch-all virtual host") for an IP:port combination is chosen arbitrarily among the virtual hosts that have this setting disabled. |
| External network interface | Specifies the external network interface on which this virtual host receives requests. |
| IPv4 address (CIDR) | Specifies the IP addresses assigned to the external (untrusted) network interface for this virtual host. IPv4 and IPv6 addresses can be assigned in parallel to a single virtual host. Instead of assigning IP addresses manually, the DHCP service can be activated. |
| IPv6 address (CIDR) | See IPv4 address (CIDR); IPv4 and IPv6 addresses can be assigned in parallel to a single virtual host. |
| Default redirect | Specifies the URL that a client is redirected to when it accesses the root directory of the entry server without a more qualified path (e.g. https://www.example.com/). This redirect URL must be valid from the external network, because the user's browser will come back to Airlock Gateway with it. The status code of this redirect is Example: /public/index.html |
Security-relevant settings
The basic settings contain the rudimentary virtual host settings (IP address, host name, and so on) that are minimally needed to run a virtual host.
- An unambiguous virtual host configuration is required for security reasons. The configuration options are:
  - explicit server alias names and multi-domain certificates
  - wildcard certificates and wildcard DNS records without server alias names
The HTTP Host header of a request is untrusted and can be manipulated by the client. The option Strictly match FQDN and aliases on the virtual host is important in this context because it only accepts requests whose Host header is defined on the virtual host as the FQDN or as a server alias name.
Use the Strictly match FQDN and aliases option whenever possible.
If strictness is not possible, e.g. for a pure wildcard setup (wildcard DNS records, wildcard TLS certificate), note that attackers can use this virtual host to reach all back-end groups connected via it.
An example of heterogeneous security settings is client certificate authentication:
If Strictly match FQDN and aliases is not configured, an attacker with a forged host name can reach the back-end via an unprotected virtual host, even though that back-end should only be reachable via the virtual host with client certificate authentication.
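The following is an added illustration, not Airlock Gateway code: a hypothetical, simplified model of virtual host selection on one IP:port listener, showing how a non-matching (forged) Host header lands on the non-strict catch-all virtual host, plus a configuration check that flags back-end groups protected by a client-certificate virtual host but also reachable through an unprotected, non-strict one. The vhost names, back-end group names and the "first non-strict vhost wins" rule are assumptions standing in for the product's arbitrary catch-all choice.

```python
from dataclasses import dataclass

# Hypothetical, simplified model of the virtual-host fields discussed above.
@dataclass(frozen=True)
class VirtualHost:
    name: str
    fqdn: str
    aliases: tuple = ()
    strict: bool = False               # "Strictly match FQDN and aliases"
    client_cert_auth: bool = False     # vhost requires a client certificate
    backends: frozenset = frozenset()  # back-end groups reachable via its mappings

def host_matches(vhost, host_header):
    """Compare the Host header (port stripped, case-insensitive) with FQDN and aliases."""
    host = host_header.split(":", 1)[0].strip().lower()
    return host == vhost.fqdn.lower() or host in {a.lower() for a in vhost.aliases}

def select_vhost(vhosts, host_header):
    """Choose the vhost that answers a request on one IP:port listener.
    A vhost whose FQDN or alias matches always wins. Otherwise the request goes
    to the first non-strict vhost (assumption: stands in for the arbitrarily
    chosen catch-all). If every vhost is strict and none matches, nobody answers."""
    for v in vhosts:
        if host_matches(v, host_header):
            return v
    return next((v for v in vhosts if not v.strict), None)

def audit_listener(vhosts):
    """Return (back-end group, vhost name) pairs where a back-end protected by a
    client-certificate vhost is also reachable through a non-strict vhost without
    client-certificate authentication, i.e. reachable with a forged Host header."""
    protected = {b for v in vhosts if v.client_cert_auth for b in v.backends}
    return sorted(
        (b, v.name)
        for v in vhosts
        if not v.strict and not v.client_cert_auth
        for b in v.backends & protected
    )

if __name__ == "__main__":
    # Constructed sample configuration: the intranet back-end is meant to be
    # reachable only through the client-certificate vhost.
    secure = VirtualHost("secure", "secure.example.com", strict=True,
                         client_cert_auth=True, backends=frozenset({"intranet"}))
    public = VirtualHost("public", "www.example.com", aliases=("example.com",),
                         backends=frozenset({"intranet", "web"}))
    print(select_vhost([secure, public], "forged.invalid").name)  # public
    print(audit_listener([secure, public]))  # [('intranet', 'public')]
```

Enabling strict matching on the public vhost as well makes `select_vhost` return `None` for the forged Host header and empties the audit result.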