The 'Host' field contained in Http header is invalid

Hello,

I tried to configure a DDNS with DynDNS.it on my router "Sercomm VD625 (AGCOMBO)" and with every browser I use I always get the same error: "The 'Host' field contained in Http header is invalid". I have installed and configured "Apache, PHP, and MySQL" on FreeBSD 13 following this tutorial:


https://linuxhint.com/install-apache-php-mysql-on-freebsd/


To be sure that the problem wasn't caused by DDNS, I tried typing my public IP into the browser, but I got the same error. The odd thing is that I'm forced to specify the HTTPS protocol in the address bar. If I don't use it, it adds it. Otherwise the connection is refused.

The domain is linked to the public IP correctly and the error happens when I use the domain name and/or the public IP. The DDNS is well configured, because inside the proper router section I can read "updated successfully".


When I open the website "http://192.168.1.6/" in my browser (it's the IP number assigned to FreeBSD), I see the message "It works", but when I open the web "ziomario.ns0.it" I see the error "The 'Host' field contained in Http header is invalid", so I think that this error is not caused by some wrong setting correlated with the installation of "Apache, PHP, and MySQL" but maybe it is caused by some different web component that I don't know. Can someone give me some suggestions about what could be wrong? Thanks.
 
but when I open the web "ziomario.ns0.it" I see the error "The 'Host' field contained in Http header is invalid"
You're trying to access your internal website using the external address. It depends a bit on your router and its capabilities if it's going to like that, it has to do a so-called hairpin. In other words from inside your local network you connect to the external address, the modem/router then has to redirect that traffic back inside to the 192.168.1.6 address.
 
You're trying to access your internal website using the external address. It depends a bit on your router and its capabilities if it's going to like that, it has to do a so-called hairpin. In other words from inside your local network you connect to the external address, the modem/router then has to redirect that traffic back inside to the 192.168.1.6 address.

Is there something that I can do to resolve this issue? To be honest, I've seen this situation only a few times. Usually I can surf my internal web address using the external IP. I'm almost sure that this function is supported by the router...
 
In any IP stack, all IP addresses on a host are accessible from any NIC on that host. Hence an internal client opening a connection to the external IP address of your firewall (to access an Internet accessible service) will reach that IP address via the internal NIC. This is really confusing, because you usually expect connections to the external IP to arrive via the external NIC.

Serverfault has a good discussion on the issue.

In essence, your solutions are to:
  • ignore it (make internal clients use the internal IP address);
  • use a split DNS (so internal clients use an internal IP address for your web site, and external clients use the external IP address); or
  • configure your firewall to support hairpin NAT (so that connections to your external IP address from inside your network have NAT applied so that response packets are returned correctly).
 
I never configured something like that. So why do I usually not need it, and only sometimes need it? So, if I've understood well, you can open my domain name, ziomario.ns0.it, right? My website is accessible from outside my LAN, right? If yes, what are you seeing now?
 
You always need either split DNS or hairpin NAT to access services on your external IP from inside your private network.

Right now, there is nothing listening on port 443, and I'm getting a "connection refused" on port 80:
Code:
The following error was encountered while trying to retrieve the URL: http://ziomario.ns0.it/
Connection to 79.53.69.193 failed.
The system returned: (61) Connection refused
The remote host or network may be down. Please try the request again.
 
The HTTP connection http://ziomario.ns0.it (79.53.69.193:80) is now working on the Internet.

Have you acquired and installed the SSL certificate required to facilitate the encryption required for the HTTPS protocol?

If not, I suggest you solve the original issue (internal access to the external IP address) and the CGI problem (4 above) first. The logs should tell you something about what happened with "test.php".

Item 3 above makes little sense. HTTPS is, by convention, on port 443.

To find out what's listening on your web server use the lsof(8) command, e.g. lsof -i tcp:80.
 
I've "followed" the Felix tutorial that I found here:


https://forums.freebsd.org/threads/creating-a-ssl-certificate.1222/


adapting it to my situation as follows:


Edited /usr/local/etc/apache24/httpd.conf file:

# Uncommented:
Code:
Include etc/apache24/extra/httpd-ssl.conf


Edited /usr/local/etc/apache24/extra/httpd-ssl.conf:

# Uncommented and changed with my domain name:
Code:
ServerName ziomario.ns0.it:443


# Uncommented and changed with my email address:
Code:
ServerAdmin marietto2008@gmail.com

I ran:

Code:
cd /usr/local/etc/apache24
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
chmod 0400 /usr/local/etc/apache24/server.key
chmod 0400 /usr/local/etc/apache24/server.crt

cd /usr/local/etc/apache24
cp server.key server.key.orig
openssl rsa -in server.key.orig -out server.key


In the httpd.conf, needed to turn on mod_ssl.so:

Code:
LoadModule ssl_module modules/mod_ssl.so


turned on mod_socache_shmcb.so:

Code:
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so


otherwise the error "Can't start Apache: Invalid command 'SSLCipherSuite'" will come up.

Restarted Apache with:
Code:
sudo service apache24 restart


but Firefox gives the error below :


Warning: Potential Security Risk Ahead

Firefox detected a potential security threat and did not continue to ziomario.ns0.it. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

Learn more…

ziomario.ns0.it uses an invalid security certificate.


The certificate is not trusted because it is self-signed.

Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
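
For comparison with the commands in the post above, an added example (not part of the original thread) that creates a self-signed certificate with a 2048-bit key and a subjectAltName, then checks the properties behind Firefox's MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT verdict. The function names and the output directory are assumptions; `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are illustrative.

# make_selfsigned DIR HOST: write DIR/server.key and DIR/server.crt
make_selfsigned() {
    dir=$1; host=$2
    # -nodes leaves the key unencrypted, so Apache can start unattended
    # and no separate "openssl rsa" passphrase-stripping step is needed.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    chmod 0400 "$dir/server.key"   # private key: owner read-only
    chmod 0444 "$dir/server.crt"   # the certificate is public data
}

# cert_key_bits CRT: print the public key size in bits
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_is_self_signed CRT: succeed when issuer and subject are the same
# name and the signature verifies with the certificate's own key. No
# trusted CA is in that chain, which is what the browser reports.
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer_hash) || return 1
    [ "$s" = "$i" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# cert_has_san CRT HOST: succeed when HOST appears as a DNS subjectAltName.
# Browsers match the host name against the SAN list, not the CN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}
```

A certificate issued by a public CA fails `cert_is_self_signed`, because its issuer is the CA rather than the site itself.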
 
If I use https, should be secure. Right?
Sure, you can accept the self-signed certificate, but someone else might not trust that. You should look into using a Let's Encrypt certificate, that will get you a trusted SSL certificate for free. It's a trusted certificate authority, only thing is that the certificate is only valid for three months. But various tools exist to request and automatically refresh that.

security/py-certbot # easiest to use, does have a lot of python dependencies
security/acme.sh # No dependencies but requires some additional scripting to make it work.
 
it says that the connection is not secure
This message is misleading. It IS secure but it is not trusted.

You have 3 possibilities here:
1 - Keep your self-signed certificate and make your users accept it
2 - Take a lot of money and buy a trusted one
3 - Do what SirDice said and use the Let's Encrypt certificates.
 
Anyway, when I opened ports 80 and 443 on my router, the error "The 'Host' field contained in Http header is invalid" was gone.
 
This message is misleading. It IS secure but it is not trusted.

You have 3 possibilities here:
1 - Keep your self-signed certificate and make your users accept it
2 - Take a lot of money and buy a trusted one
3 - Do what SirDice said and use the Let's Encrypt certificates.
For sure I will grab the n. 2 :D
 
SSL certificates from Verisign and others aren't that expensive. More expensive than free that's for sure. For mom&pop websites and my own cruft a Let's Encrypt certificate works just fine. It takes some setting up, had some issues with the deployment script at first but once I worked out the kinks it's been rather uneventful.
 
After having got certificates in the past from issuing bodies that ask loads of questions and do not realise why they might not even be trustworthy, now I only use Let's Encrypt. Use them for my websites and my client's websites. Not difficult. All the instructions are on the Let's Encrypt website.
 
I suspect that something is still broken.
Look in /var/log/httpd-error.log for example. Make sure php_fpm is actually running and you've added the correct settings in that /usr/local/etc/apache24/modules.d/001_mod-php.conf file (the example appears to have everything remarked, make sure you didn't copy/paste the # into it too).
 
Look in /var/log/httpd-error.log for example. Make sure php_fpm is actually running and you've added the correct settings in that /usr/local/etc/apache24/modules.d/001_mod-php.conf file (the example appears to have everything remarked, make sure you didn't copy/paste the # into it too).

Bingo. I know that # means comment and is ignored, but anyway, I've been inattentive. It works. Thanks. You are a precious resource for everyone.
 