
Make an HTTP request to a machine but fake the hostname

Arne Hartherz
September 15, 2011
Software engineer at makandra GmbH

Suppose you have a website vhost listening on www.example.com that redirects all incoming requests whose hostname does not match the configured one (this is often used to redirect users to http://www.example.com when they enter only http://example.com/).

If you want to make a request to that site's web server without actually talking to www.example.com (e.g. because this is a load balancer's address but you want to access one specific machine), you cannot just request machine1.example.com or localhost as the above vhost will redirect your request.

When speaking HTTP/1.1, your client (browser) uses the HTTP header "Host" to tell the web server which host the request is for. This is what we want to change in order to properly "fake" the request. There are different ways to do it; here are two:

Using cURL

Since version 7.21.3, cURL lets you specify the IP address to use for a hostname, thus forging the hostname for the request.

$ curl --resolve www.example.com:80:127.0.0.1 http://www.example.com/

The --resolve switch tells curl which address to use instead of resolving a given hostname and port. In the above snippet, cURL connects to 127.0.0.1 (localhost) instead of resolving www.example.com via DNS.

Telnet (aka classic mode)

You can use telnet to speak HTTP, e.g. if your cURL is below 7.21.3:

$ telnet 127.0.0.1 80
GET / HTTP/1.1
Host: www.example.com
<Return>
<Return>

Here you make an HTTP/1.1 request manually. The Host header tells the server that this request is for www.example.com. Terminate your request headers with two line breaks.
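
Both methods above connect to one address while sending a different Host header. The following Python sketch is an added example, not part of the original card: it starts a constructed local server that behaves like the redirecting vhost and queries it once with the default Host header and once with the faked one. The class and function names (RedirectingVhost, request_with_host, demo) are assumptions made for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CANONICAL_HOST = "www.example.com"  # hostname the vhost is configured for


class RedirectingVhost(BaseHTTPRequestHandler):
    """Constructed stand-in for the vhost: redirects unless Host matches."""

    def do_GET(self):
        # Compare only the name part of the Host header (drop any ":port")
        ok = self.headers.get("Host", "").split(":")[0] == CANONICAL_HOST
        body = b"served by this machine\n" if ok else b""
        self.send_response(200 if ok else 301)
        if not ok:
            self.send_header("Location", f"http://{CANONICAL_HOST}{self.path}")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args): pass  # silence per-request logging


def request_with_host(ip, port, host=None, path="/"):
    """GET path from ip:port; return (status, Location header or None)."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        # A Host header passed here replaces the one derived from ip:port
        conn.request("GET", path, headers={"Host": host} if host else {})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def demo():
    server = HTTPServer(("127.0.0.1", 0), RedirectingVhost)  # free local port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        plain = request_with_host("127.0.0.1", server.server_port)
        faked = request_with_host("127.0.0.1", server.server_port, CANONICAL_HOST)
        return plain, faked
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The first request is redirected to http://www.example.com/, while the second is answered directly by the machine at 127.0.0.1. To check a real backend, call request_with_host with that machine's address and port 80.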

Posted by Arne Hartherz to makandra dev (2011-09-15 16:06)