Server

Allowed Hosts Configuration

Updated: December 19, 2024

Nuxeo allows you to filter HTTP requests by their standard host, x-forwarded-host and specific nuxeo-virtual-host headers values against a whitelist. Unknown values will lead the HTTP request to be rejected with an SC_BAD_REQUEST status code.

Expected behavior:

Multiple headers filtering
All present headers are always filtered. A mix of allowed and forbidden hosts in the different headers will be rejected. Which means, you don't need to fill all headers, only the filled ones must all be valid.

host x-forwarded-host nuxeo-virtual-host result
OK OK null OK
OK KO null KO
OK OK OK OK
OK OK KO KO

Sample configuration:

To setup the whitelist, override the nuxeo.allowed.hosts configuration property:

# this will always be included, even if not in the allowed list
nuxeo.url=http://localhost:8080/nuxeo
...
# default, allows everything
nuxeo.allowed.hotst=
# allows localhost only
nuxeo.allowed.hotst=localhost
# only allows localhost, myhost.org and also.myhost.org
nuxeo.allowed.hotst=myhost.org,also.myhost.org