Configuring host validation
With host validation enabled, every machine making an inbound connection must present a whitelisted Host header, and a whitelisted X-Forwarded-Host header if one is present. You can add a host to the trusted whitelist by making an entry in the Hosts element in your environment file. Each entry must have a unique name and a properly formed URL. Ensure the trusted property for each entry is set to true.
<Hosts>
    <Host name="external" trusted="true" url="https://nexj.com:8443"/>
</Hosts>
You must specify the exact URLs of all possible servers that should be included in the validation; otherwise safe, expected inbound connections might be rejected. Matching is exact, so a host name without a port and the same host name with an explicit port are separate entries.
For example, if you expect both https://www.nexj.com and https://nexj.com, then both URLs must be included. If you expect both https://nexj.com and https://nexj.com:443 (443 being the default port for HTTPS), then that URL must be included as well. If a server has three nodes and uses the push redirector, then you will need to add four entries: https://nexj.com:8443, https://nexj.com:7443, https://nexj.com:6443, and https://nexj.com:5443.
Enabling host validation
This feature is disabled by default. To enable it, add the validateHostHeaders property to the environment file and set it to true. Alternatively, include the -Dnexj.validateHostHeaders=true JVM property in the jvm.conf file or on the command line.
Debugging host validation
You can enable logging of rejected hosts by enabling the following logger:
    -Dlog4j.logger.HostHeaderValidationFilter.name=nexj.core.rpc.http.HostHeaderValidationFilter
    -Dlog4j.logger.HostHeaderValidationFilter.level=DEBUG
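The following is an added illustration of the whitelist semantics described in "Configuring host validation" and the rejected-host logging described in "Debugging host validation". It is not NexJ's code and does not reproduce HostHeaderValidationFilter; it is a small Python model of the same check that parses a Hosts block, keeps only entries marked trusted="true", and compares the Host and X-Forwarded-Host headers against them. The sample Hosts block, the lowercase normalisation of host names, and the handling of a comma-separated X-Forwarded-Host chain are assumptions made for this example.

```python
import logging
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Logger named after the filter the page's log4j settings refer to; this is a
# Python stand-in for illustration, not NexJ's log4j configuration.
logger = logging.getLogger("nexj.core.rpc.http.HostHeaderValidationFilter")

# Constructed sample environment fragment, modelled on the page's <Hosts> block.
HOSTS_CONFIG = """
<Hosts>
    <Host name="external" trusted="true" url="https://nexj.com:8443"/>
    <Host name="bare" trusted="true" url="https://nexj.com"/>
    <Host name="www" trusted="true" url="https://www.nexj.com"/>
    <Host name="staging" trusted="false" url="https://staging.example"/>
</Hosts>
"""


def parse_trusted_hosts(xml_text):
    """Return the set of 'host[:port]' strings from entries marked trusted="true".

    Matching is exact on the authority part of the URL, so "nexj.com" and
    "nexj.com:443" are two different entries, as the text above warns.
    """
    trusted = set()
    for host in ET.fromstring(xml_text).iter("Host"):
        if host.get("trusted", "").lower() != "true":
            continue
        url = urlsplit(host.get("url", ""))
        if url.scheme not in ("http", "https") or not url.hostname:
            raise ValueError("malformed url in Host entry %r" % host.get("name"))
        # Host names are case-insensitive (DNS), so normalise to lowercase (assumption).
        trusted.add(url.netloc.lower())
    return trusted


def is_trusted_request(headers, trusted):
    """Accept a request only if Host (and X-Forwarded-Host, when present) are whitelisted."""
    host = headers.get("Host")
    if host is None or host.strip().lower() not in trusted:
        logger.debug("rejected: Host=%r not in whitelist", host)
        return False
    forwarded = headers.get("X-Forwarded-Host")
    if forwarded is not None:
        # Assumption for this example: a proxy chain may append several values
        # separated by commas; every one of them must be whitelisted.
        for hop in forwarded.split(","):
            if hop.strip().lower() not in trusted:
                logger.debug("rejected: X-Forwarded-Host=%r not in whitelist", hop.strip())
                return False
    return True


TRUSTED = parse_trusted_hosts(HOSTS_CONFIG)

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    for hdrs in ({"Host": "nexj.com:8443"},
                 {"Host": "nexj.com:443"},
                 {"Host": "nexj.com", "X-Forwarded-Host": "other.example"}):
        print(hdrs, "->", is_trusted_request(hdrs, TRUSTED))
```

Running the block shows the two cases the text calls out: nexj.com:8443 is accepted because it is listed, while nexj.com:443 is rejected even though nexj.com is listed, since the port makes it a distinct entry. The debug lines written on rejection play the role of the DEBUG logger enabled above.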