Restrict HTTP hosts

Overview

It is possible to configure a Netprobe to accept HTTP connections only from a nominated 'trusted' list of HTTP hosts.

Trusted HTTP hosts

You can nominate a list of trusted HTTP hosts by setting the TRUSTED_HTTP_HOSTS variable, either in the Windows registry, or as an environment variable on Linux and other platforms. The variable should be set to the names of the trusted hosts, separated by commas. For more information, see Setting Variables for Netprobe on Windows Platforms in variables.

The TRUSTED_HTTP_HOSTS variable is a comma-separated list containing one or more trusted hostnames or IP addresses of the HTTP hosts. If set, the Netprobe will accept connections only from these hosts.

By default, this variable is set to +, which means that all connections are accepted.

If a connection fails to match, then a warning message is logged on the Netprobe, all connected Gateways, and Active Console Event Tickers.

For security, you can only set this variable in the start-up environment on the machine running the Netprobe. You cannot configure it as part of the Netprobe set-up on the Gateway.

If you have set TRUSTED_HTTP_HOSTS, the Netprobe checks each incoming connection against the list of hostnames and IP addresses. If the connecting IP address does not match an entry directly, the Netprobe performs a reverse DNS lookup on that address and checks whether the resulting hostname matches any host in the list. If that check also fails, the Netprobe resolves each hostname in the list and compares only the first returned IP address with the connecting address.

Note: On IBM AIX, there is a known limitation that only IP addresses are checked, and no hostnames are resolved.

Trusted debug hosts

You can nominate a list of HTTP hosts for debugging purposes. This is done by setting the TRUSTED_DEBUG_HOSTS variable, either in the Windows registry, or as an environment variable on Linux and other platforms. The variable should be set to the names of the trusted hosts, separated by commas. For more information, see Setting Variables for Netprobe on Windows Platforms in variables.

The TRUSTED_DEBUG_HOSTS variable is a comma-separated list containing one or more trusted hostnames or IP addresses of the debug hosts. If set, the Netprobe will accept debug connections only from these hosts.

By default, the trusted debug host is 127.0.0.1. If this variable is set to +, then any HTTP host is trusted.

If a connection fails to match, then a warning message is logged on the Netprobe. For example,

WARN: ORB Non-trusted host itrslp003 rejected. Trusting only (127.0.0.1) for HTTP Debug components.

For security, you can only set this variable in the start-up environment on the machine running the Netprobe. You cannot configure it as part of the Netprobe set-up on the Gateway.

If you have set TRUSTED_DEBUG_HOSTS, the Netprobe checks each incoming debug connection against the list of hostnames and IP addresses. If the connecting IP address does not match an entry directly, the Netprobe performs a reverse DNS lookup on that address and checks whether the resulting hostname matches any host in the list. If that check also fails, the Netprobe resolves each hostname in the list and compares only the first returned IP address with the connecting address.

Note: On IBM AIX, there is a known limitation that only IP addresses are checked, and no hostnames are resolved.
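The three-step matching order described for both TRUSTED_HTTP_HOSTS and TRUSTED_DEBUG_HOSTS (direct IP comparison, then reverse DNS on the connecting address, then forward resolution of each listed hostname using only its first address) is easiest to reason about when written out. The following Python is an added illustration, not Netprobe code: the hostnames, addresses and DNS tables are constructed for the example, and the resolver functions are injected so that it runs offline (a real implementation would call socket.gethostbyaddr and socket.gethostbyname_ex). The resolve_hostnames flag reproduces the AIX behaviour where only IP literals are compared, and the multi-homed console entry shows why a host whose first resolved address differs from the connecting address is rejected.

```python
import ipaddress
from typing import Callable, List, Optional, Tuple

# Constructed DNS data for this example only (not real hosts).
FORWARD_DNS = {
    "gateway01.example.com": ["10.0.0.5"],
    "console.example.com": ["10.0.0.9", "10.0.0.10"],  # multi-homed host
    "backup.example.com": ["10.0.0.20"],                # has no PTR record
}
REVERSE_DNS = {
    "10.0.0.5": "gateway01.example.com",
    "10.0.0.9": "console.example.com",
}


def forward_lookup(host: str) -> List[str]:
    """Stand-in for socket.gethostbyname_ex(host)[2] (constructed table)."""
    return FORWARD_DNS.get(host.lower(), [])


def reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for socket.gethostbyaddr(ip)[0] (constructed table)."""
    return REVERSE_DNS.get(ip)


def parse_trusted_hosts(value: Optional[str], default: str) -> List[str]:
    """Split the comma-separated variable; unset or empty falls back to default."""
    if value is None or not value.strip():
        return [default]
    return [h.strip() for h in value.split(",") if h.strip()]


def _is_ip_literal(entry: str) -> bool:
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False


def is_trusted(peer_ip: str, trusted: List[str], resolve_hostnames: bool = True,
               forward: Callable[[str], List[str]] = forward_lookup,
               reverse: Callable[[str], Optional[str]] = reverse_lookup) -> Tuple[bool, str]:
    """Return (accepted, reason) following the documented three-step check.

    resolve_hostnames=False mirrors the AIX limitation: only IP literals are compared.
    """
    if "+" in trusted:                      # "+" means every host is trusted
        return True, "wildcard"
    peer = ipaddress.ip_address(peer_ip)
    # Step 1: direct comparison of the connecting address with IP literals.
    for entry in trusted:
        if _is_ip_literal(entry) and ipaddress.ip_address(entry) == peer:
            return True, "ip-literal"
    if not resolve_hostnames:
        return False, "rejected (hostnames not resolved)"
    hostnames = [h.lower() for h in trusted if not _is_ip_literal(h)]
    # Step 2: reverse-resolve the peer and compare with listed hostnames.
    name = reverse(peer_ip)
    if name and name.lower() in hostnames:
        return True, "reverse-dns"
    # Step 3: forward-resolve each listed hostname; only the first address counts.
    for host in hostnames:
        addrs = forward(host)
        if addrs and ipaddress.ip_address(addrs[0]) == peer:
            return True, "forward-dns"
    return False, "rejected"


if __name__ == "__main__":
    trusted = parse_trusted_hosts("gateway01.example.com, backup.example.com,10.0.0.7", "127.0.0.1")
    for peer in ("10.0.0.7", "10.0.0.5", "10.0.0.20", "10.0.0.10"):
        print(peer, is_trusted(peer, trusted))
```

The practical point for an operator: a host listed by name is only accepted if its PTR record points back to that name or its first A record equals the connecting address, so multi-homed or NAT'd Gateways are safer listed by the IP address the Netprobe actually sees, which is also the only form that works on AIX.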
