Nuxeo allows you to filter HTTP requests by their standard host, x-forwarded-host and specific nuxeo-virtual-host headers values against a whitelist. Unknown values will lead the HTTP request to be rejected with an SC_BAD_REQUEST status code.
Expected behavior:
Multiple headers filtering
All present headers are always filtered. A mix of allowed and forbidden hosts in the different headers will be rejected.
Which means, you don't need to fill all headers, only the filled ones must all be valid.
| host | x-forwarded-host | nuxeo-virtual-host | result |
|---|---|---|---|
| OK | OK | null | OK |
| OK | KO | null | KO |
| OK | OK | OK | OK |
| OK | OK | KO | KO |
Sample configuration:
To setup the whitelist, override the nuxeo.allowed.hosts configuration property:
# this will always be included, even if not in the allowed list
nuxeo.url=http://localhost:8080/nuxeo
...
# default, allows everything
nuxeo.allowed.hosts=
# allows localhost only
nuxeo.allowed.hosts=localhost
# only allows localhost, myhost.org and also.myhost.org
nuxeo.allowed.hosts=myhost.org,also.myhost.org