Turning off the host header injection check

By default, IBM Cloud Pak® for Data rejects requests that contain invalid external routes to prevent host header injection attacks. However, if you use a load balancer and reverse proxy servers to manage host headers before requests are forwarded to Cloud Pak for Data, you must turn off the host header injection check to enable Cloud Pak for Data to accept incoming requests.

Who needs to complete this task?
To complete this task, you must be either:
  • A cluster administrator
  • An administrator of the project where Cloud Pak for Data is installed
When do you need to complete this task?
Complete this task only if your cluster uses a load balancer and reverse proxy servers to manage host headers.

Before you begin

Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

Procedure

  1. Log in to Red Hat® OpenShift® Container Platform as a user with sufficient permissions to complete the task:
    oc login ${OCP_URL}
  2. Run the following command to turn off the host header injection check:
    oc patch configmap product-configmap \
    --namespace ${PROJECT_CPD_INSTANCE} \
    --type=merge \
    --patch '{"data": {"HOST_INJECTION_CHECK_ENABLED":"false"}}'
  3. Restart the ibm-nginx deployments:
    oc rollout restart deployment/ibm-nginx \
    --namespace ${PROJECT_CPD_INSTANCE}
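
To confirm the change took effect, the following added example (not part of the IBM documentation) reads the setting back from product-configmap and waits for the ibm-nginx rollout to finish. The function names are hypothetical; it assumes the same oc session and PROJECT_CPD_INSTANCE variable as the steps above.

```shell
# Added example, not IBM-supplied. Function names are hypothetical.
# Assumes: oc is logged in and PROJECT_CPD_INSTANCE is set, as in the procedure.

# Print the stored value of HOST_INJECTION_CHECK_ENABLED ("unset" if the key is absent).
get_host_check_state() {
  hc_value=$(oc get configmap product-configmap \
    --namespace "${PROJECT_CPD_INSTANCE}" \
    --output jsonpath='{.data.HOST_INJECTION_CHECK_ENABLED}') || return 2
  printf '%s\n' "${hc_value:-unset}"
}

# verify_host_check <true|false>
# Succeeds only if the configmap holds the expected value and the ibm-nginx
# rollout has completed, so no pod is still running with the old setting.
# Return codes: 0 ok, 1 value mismatch, 2 configmap unreadable,
#               3 rollout not complete, 64 bad argument.
verify_host_check() {
  hc_expected="${1:-}"
  case "$hc_expected" in
    true|false) ;;
    *) echo "usage: verify_host_check true|false" >&2; return 64 ;;
  esac

  hc_actual=$(get_host_check_state) || {
    echo "cannot read product-configmap in ${PROJECT_CPD_INSTANCE}" >&2
    return 2
  }
  if [ "$hc_actual" != "$hc_expected" ]; then
    echo "HOST_INJECTION_CHECK_ENABLED is '$hc_actual', expected '$hc_expected'" >&2
    return 1
  fi

  oc rollout status deployment/ibm-nginx \
    --namespace "${PROJECT_CPD_INSTANCE}" --timeout=300s >&2 || {
    echo "ibm-nginx rollout did not complete; old pods may still be serving" >&2
    return 3
  }
  echo "HOST_INJECTION_CHECK_ENABLED=$hc_actual, ibm-nginx rollout complete"
}

# After sourcing this file: verify_host_check false
```

The same function with the argument true confirms that the check is back in place after it has been turned on again.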

Results

The host header injection check is turned off.
Tip: If you need to turn the host header injection check on, you can re-run the preceding commands with "HOST_INJECTION_CHECK_ENABLED":"true".