Available from 9.2.29.
To protect your environment from host header injection, define the list of hostnames or IP addresses that are allowed in the Host or X-Forwarded-Host header.
Procedure
- Define the list of hostnames or IP addresses that are allowed in the Host or X-Forwarded-Host header.
  - Open the lmt_settings.yml file. By default, the file is in the following location.
    - /opt/ibm/LMT/wlp/usr/servers/server1/config/lmt_settings.yml
    - C:\Program Files\ibm\LMT\wlp\usr\servers\server1\config\lmt_settings.yml
  - In the allowed_hosts parameter, provide the list of hostnames or IP addresses separated with a comma. Provide the hostname or IP address that is used to access the License Metric Tool user interface and the hostnames or IP addresses of all proxy servers that are used.
- Enable filtering of hostnames and IP addresses.
  - Open the jvm.options file. By default, the file is in the following location.
    - /opt/ibm/LMT/wlp/usr/servers/server1/jvm.options
    - C:\Program Files\ibm\LMT\wlp\usr\servers\server1\jvm.options
  - Uncomment the following line: -DFILTER_ALLOWED_HOSTS=true
- For the changes to take effect, restart the License Metric Tool server.
  - Stop the server.
  - Start the server.
Results
If a request that uses a hostname or IP address that is not listed is detected, the request is
redirected to the first hostname that is listed as allowed.
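
The following audit script is an added example, not part of the product or its documentation. It checks that both procedure steps are in place and reports which host unlisted requests would be redirected to. It assumes that allowed_hosts is written as a single `allowed_hosts: host1,host2` line and that a commented-out line in jvm.options starts with `#`; the sample file contents and hostnames are constructed.

```python
import re

FLAG = "-DFILTER_ALLOWED_HOSTS=true"

def parse_allowed_hosts(settings_text):
    # Assumed layout: a single "allowed_hosts: host1,host2" line in lmt_settings.yml.
    for line in settings_text.splitlines():
        m = re.match(r"\s*allowed_hosts\s*:\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip("\"'")
            return [h.strip().lower() for h in value.split(",") if h.strip()]
    return []

def filtering_enabled(jvm_options_text):
    # A line that still starts with '#' is commented out and has no effect.
    return any(l.strip() == FLAG for l in jvm_options_text.splitlines())

def audit(settings_text, jvm_options_text, required_hosts):
    """Return a list of findings; an empty list means both steps are in place."""
    findings = []
    allowed = parse_allowed_hosts(settings_text)
    if not filtering_enabled(jvm_options_text):
        findings.append("filter disabled: " + FLAG + " is missing or commented out")
    if not allowed:
        findings.append("allowed_hosts is empty or not set")
    for host in required_hosts:
        if host.lower() not in allowed:
            findings.append("not in allowed_hosts: " + host)
    return findings

def redirect_target(settings_text):
    # Per the Results section, unlisted hosts are redirected to the first listed host.
    allowed = parse_allowed_hosts(settings_text)
    return allowed[0] if allowed else None

# Constructed sample file contents (not taken from a real installation).
SAMPLE_SETTINGS = "allowed_hosts: lmt.example.com, 192.0.2.10, proxy1.example.com\n"
SAMPLE_JVM_COMMENTED = "-Xmx2048m\n#-DFILTER_ALLOWED_HOSTS=true\n"
SAMPLE_JVM_ENABLED = "-Xmx2048m\n-DFILTER_ALLOWED_HOSTS=true\n"

if __name__ == "__main__":
    required = ["lmt.example.com", "proxy1.example.com", "proxy2.example.com"]
    for name, jvm in (("before", SAMPLE_JVM_COMMENTED), ("after", SAMPLE_JVM_ENABLED)):
        print(name, audit(SAMPLE_SETTINGS, jvm, required))
    print("redirect target:", redirect_target(SAMPLE_SETTINGS))
```

Because the first entry in allowed_hosts becomes the redirect target, list the hostname that users are expected to reach the user interface on first.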