Enabling virtual hosts for agent traffic

The Cloud APM server's monitoring infrastructure node (min) process is susceptible to the External service interaction (DNS) vulnerability for agent traffic. An artificially modified HTTP HOST header value might cause the Cloud APM server to query its DNS to resolve the address of the HOST value passed. This is because the server supports agent traffic on all network interfaces by default. You can mitigate this vulnerability by defining the host names and ports for agent traffic.


Complete these steps to add virtual host alias definitions to the user-exit.xml file:

  1. Open the install_dir/wlp/usr/servers/min/user-exit.xml file in a text editor.
  2. Add a <hostAlias> element for each Cloud APM server fully qualified host name or IP address and port combination that agents can connect to:
    <virtualHost id="default_host">
    where apm-server-host-ip is the host name or IP address that your agents are configured to connect to. (The agents connect using the host name or IP address that you specified during the Cloud APM server installation or when you ran the install_dir/ccm/make_configuration_packages.sh script.)

    Also check the Host Name Override configuration setting ( System Configuration > Advanced Configuration > Agent Central Configuration). Create additional <hostAlias> lines for port 80 and port 443 for the host name override value if it is different from the value that was specified when the agent packages were configured.

    This example shows the virtual host alias definitions when the agents were configured to connect to the Cloud APM server with the my_server.ibm.com host name:

    <virtualHost id="default_host" >
  3. After you save use-exit.xml, restart the min component of theCloud APM server:
    apm restart min


The defined virtual hosts are now enabled. From now on, if a monitoring agent sends a HOST header value that is not defined by a <hostAlias> entry, the Cloud APM server returns an HTTP 404 error.