We need some more info here? When do you get the error? What code is used then?
UnexpectedValueException in Request.php
Hi Guys,
Every couple of days I get this entry in the error logs for my Lumen app (latest version):
[2015-08-11 06:57:12] lumen.ERROR: exception 'UnexpectedValueException' with message 'Invalid Host "*.[DOMAIN].[TLD]"' in /apps/[APPNAME]/vendor/symfony/http-foundation/Request.php:1291
Does anyone know what causes this and how I can fix this?
Thanks!
This is completely random. I'm not doing anything with my app at the moment of the error, and it looks as if someone tries to access my app.
Can you recreate the issue? I can't debug for you when I don't know anything about the application. You have to debug for yourself!
Nope, there is no way to reproduce it. It looks like someone or a bot is trying to access my application through *.domain.tld instead of app.domain.tld, and Laravel throws the error for that.
I also did a clean Lumen install, and when just leaving that open on a production server (with nothing else installed) it also gave the same errors.
No one has this error and a solution for it?
[2015-11-16 19:24:27] lumen.ERROR: exception 'UnexpectedValueException' with message 'Invalid Host "*.domain.tld"' in /app/vendor/symfony/http-foundation/Request.php:1291
Stack trace:
#0 /app/vendor/symfony/http-foundation/Request.php(1088): Symfony\Component\HttpFoundation\Request->getHost()
#1 /app/vendor/symfony/http-foundation/Request.php(1120): Symfony\Component\HttpFoundation\Request->getHttpHost()
#2 /app/vendor/symfony/http-foundation/Request.php(1796): Symfony\Component\HttpFoundation\Request->getSchemeAndHttpHost()
#3 /app/vendor/symfony/http-foundation/Request.php(1104): Symfony\Component\HttpFoundation\Request->prepareRequestUri()
#4 /app/vendor/symfony/http-foundation/Request.php(1848): Symfony\Component\HttpFoundation\Request->getRequestUri()
#5 /app/vendor/symfony/http-foundation/Request.php(974): Symfony\Component\HttpFoundation\Request->prepareBaseUrl()
#6 /app/vendor/symfony/http-foundation/Request.php(1914): Symfony\Component\HttpFoundation\Request->getBaseUrl()
#7 /app/vendor/symfony/http-foundation/Request.php(930): Symfony\Component\HttpFoundation\Request->preparePathInfo()
#8 /app/vendor/illuminate/http/Request.php(108): Symfony\Component\HttpFoundation\Request->getPathInfo()
#9 /app/vendor/illuminate/http/Request.php(156): Illuminate\Http\Request->path()
#10 /app/app/Http/Middleware/AdminMiddleware.php(16): Illuminate\Http\Request->is('v1/data/*')
#11 [internal function]: App\Http\Middleware\AdminMiddleware->handle(Object(Illuminate\Http\Request), Object(Closure))
#12 /app/vendor/illuminate/pipeline/Pipeline.php(124): call_user_func_array(Array, Array)
#13 [internal function]: Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))
#14 /app/vendor/illuminate/pipeline/Pipeline.php(103): call_user_func(Object(Closure), Object(Illuminate\Http\Request))
#15 /app/vendor/laravel/lumen-framework/src/Application.php(1411): Illuminate\Pipeline\Pipeline->then(Object(Closure))
#16 /app/vendor/laravel/lumen-framework/src/Application.php(1185): Laravel\Lumen\Application->sendThroughPipeline(Array, Object(Closure))
#17 /app/vendor/laravel/lumen-framework/src/Application.php(1125): Laravel\Lumen\Application->dispatch(NULL)
#18 /app/public/index.php(28): Laravel\Lumen\Application->run()
#19 {main}
I also have the same problem running Laravel 5.1.25. I'm clueless as to a solution, though. I suspect that the culprits are web crawlers.
You can also see the same behavior for injection attacks:
local.ERROR: exception 'UnexpectedValueException' with message 'Invalid Host "<img src="" onerror="alert(document.cookie)">"' in path\webserver\ssl\vendor\symfony\http-foundation\Request.php:1291
If we take a look at the code:
// as the host can come from the user (HTTP_HOST and depending on the configuration, SERVER_NAME too can come from the user)
// check that it does not contain forbidden characters (see RFC 952 and RFC 2181)
// use preg_replace() instead of preg_match() to prevent DoS attacks with long host names
if ($host && '' !== preg_replace('/(?:^\[)?[a-zA-Z0-9-:\]_]+\.?/', '', $host)) {
    throw new \UnexpectedValueException(sprintf('Invalid Host "%s"', $host));
}
Either the exception is going to need handling, or you're going to have to override the 'getHost()' method to return an actual value and not an exception.
If it's domain based and not looking like an attack, I'd be checking the DNS records for mistakes and / or any redirects in the app that could be going to the wrong URL. Failing that, someone is just hitting the app with an invalid host. Not a lot you can do about it apart from handle it in one of the two ways above as far as I can see.
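Added example (not part of the thread and not Symfony's own code): a standalone PHP script that applies the regex quoted above to Host values like the ones in these log entries and turns a failure into a 400 answer instead of an uncaught exception. `ALLOWED_HOSTS`, `hostIsWellFormed()` and `classifyHost()` are hypothetical names, and the sample hosts are constructed.

```php
<?php
// Added example: not Symfony's code and not from the thread.
// ALLOWED_HOSTS, hostIsWellFormed() and classifyHost() are hypothetical names.

const ALLOWED_HOSTS = ['app.domain.tld']; // assumption: the only real vhost

// Same test as the quoted check: delete every run of permitted characters;
// anything left over is a forbidden character. A null result (PCRE error)
// also counts as malformed, so the check fails closed.
function hostIsWellFormed(string $host): bool
{
    return preg_replace('/(?:^\[)?[a-zA-Z0-9-:\]_]+\.?/', '', $host) === '';
}

// Map a raw Host header to the status the app should answer with.
function classifyHost(string $rawHost): array
{
    $host = strtolower(trim($rawHost));
    if ($host === '' || !hostIsWellFormed($host)) {
        // The case getHost() reports with UnexpectedValueException: a bad
        // request from the client, so answer 400 rather than log a 500.
        return [400, 'malformed Host'];
    }
    $name = preg_replace('/:\d+$/', '', $host); // drop an optional port
    if (!in_array($name, ALLOWED_HOSTS, true)) {
        return [400, 'Host not served here'];
    }
    return [200, 'ok'];
}

// Constructed sample values, modelled on the log entries in this thread.
$samples = [
    'app.domain.tld',
    'APP.domain.tld:8080',
    '*.domain.tld',
    'other.domain.tld',
    '<img src="" onerror="alert(document.cookie)">',
];

foreach ($samples as $raw) {
    [$status, $reason] = classifyHost($raw);
    printf("%-50s => %d %s\n", $raw, $status, $reason);
}
```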
I think I "fixed" it. I added this to my nginx conf:
server {
    ## Deny illegal Host headers
    ## (dot escaped so it only matches a literal ".")
    if ($host !~* ^(myapp\.tld)$ ) {
        ## 444 to make sure to return no data at all.
        return 444;
    }
}
@hsl, where did you put this code?
In my nginx conf
I am getting a similar issue with an Apache server and Laravel 5.4.
You can also add a default server that does not match the allowed hosts:
server {
    listen 80 default_server;
    return 444;
}
(source)