Enabling virtual hosts for agent traffic

The Cloud APM server's monitoring infrastructure node (min) process is susceptible to the External service interaction (DNS) vulnerability for agent traffic. An artificially modified HTTP HOST header value can cause the Cloud APM server to perform a DNS lookup for the host name carried in that header. This happens because the server accepts agent traffic on all network interfaces by default. You can mitigate this vulnerability by defining the host names and ports that are valid for agent traffic.

Procedure

Complete these steps to add virtual host alias definitions to the user-exit.xml file:

  1. Open the install_dir/wlp/usr/servers/min/user-exit.xml file in a text editor.
  2. Add a <hostAlias> element for each Cloud APM server fully qualified host name or IP address and port combination that agents can connect to:
    <virtualHost id="default_host">
      <hostAlias>apm-server-host-ip:80</hostAlias>
      <hostAlias>apm-server-host-ip:443</hostAlias>
      <hostAlias>localhost:80</hostAlias>
      <hostAlias>localhost:443</hostAlias>
    </virtualHost>
    where apm-server-host-ip is the host name or IP address that your agents are configured to connect to. (The agents connect using the host name or IP address that you specified during the Cloud APM server installation or when you ran the install_dir/ccm/make_configuration_packages.sh script.)

    Also check the Host Name Override configuration setting (System Configuration > Advanced Configuration > Agent Central Configuration). Create additional <hostAlias> lines for port 80 and port 443 for the host name override value if it differs from the value that was specified when the agent packages were configured.

    This example shows the virtual host alias definitions when the agents were configured to connect to the Cloud APM server with the my_server.ibm.com host name:

    <virtualHost id="default_host">
      <hostAlias>my_server.ibm.com:80</hostAlias>
      <hostAlias>my_server.ibm.com:443</hostAlias>
      <hostAlias>localhost:80</hostAlias>
      <hostAlias>localhost:443</hostAlias>
    </virtualHost>
  3. After you save user-exit.xml, restart the min component of the Cloud APM server:
    apm restart min

Results

The defined virtual hosts are now enabled. From now on, if a monitoring agent sends a HOST header value that is not defined by a <hostAlias> entry, the Cloud APM server returns an HTTP 404 error.
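The following added example (not part of the IBM documentation or the Cloud APM product) reads the <virtualHost> block from a user-exit.xml file, reports any host name and port combination that agents use but that the file does not allow, and models the accept-or-404 decision described above. The XML text is a constructed sample; the case-insensitive exact match in host_header_allowed is an assumption, not a statement of how the server matches aliases.

```python
# Added example: validate hostAlias entries in user-exit.xml and model the
# server's Host header decision. The XML below is constructed sample input.
import xml.etree.ElementTree as ET

SAMPLE_USER_EXIT_XML = """<server>
  <virtualHost id="default_host">
    <hostAlias>my_server.ibm.com:80</hostAlias>
    <hostAlias>my_server.ibm.com:443</hostAlias>
    <hostAlias>localhost:80</hostAlias>
    <hostAlias>localhost:443</hostAlias>
  </virtualHost>
</server>"""

# Ports agents connect on, per the procedure above.
AGENT_PORTS = (80, 443)


def load_host_aliases(xml_text, virtual_host_id="default_host"):
    """Return the set of host:port aliases defined in the given virtualHost."""
    root = ET.fromstring(xml_text)
    aliases = set()
    for vh in root.iter("virtualHost"):
        if vh.get("id") != virtual_host_id:
            continue
        for alias in vh.iter("hostAlias"):
            if alias.text:
                aliases.add(alias.text.strip().lower())
    return aliases


def missing_aliases(aliases, agent_hosts):
    """List the host:port pairs agents need that the file does not define.

    agent_hosts: the host name or IP agents were configured with, the Host
    Name Override value if it differs, and localhost.
    """
    required = {f"{h.lower()}:{p}" for h in agent_hosts for p in AGENT_PORTS}
    return sorted(required - aliases)


def host_header_allowed(aliases, host_header):
    """Model the server's decision for one incoming Host header value.

    True when the value matches a hostAlias; False where the page says the
    server answers HTTP 404. Assumption: case-insensitive exact match.
    """
    return host_header.strip().lower() in aliases
```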