Closed nwmcsween closed 6 years ago
if it's binding to localname.tld:port it should instead set the r.expectedHost
value to the right value instead of doing an dns lookup IMO.
this code bypasses the protections i put in place to mitigate dns-rebinding attacks.
suggested reading: https://crypto.stanford.edu/dns/dns-rebinding.pdf
Is there a safe way to resolve names (resolve only local ranges)? The current git using bind = hostname.tld:port resolves to 127.0.0.1 instead of the DHCP IP (192.168...) which won't work on a home network
i added a new option host
in the rpc section, use that to set the expected host
This fixed using a hostname in the bind configuration e.g.
bind = local.tld:port