Nancy always rewrites localhost to 0.0.0.0

Created on 6 Jun 2018 · 7 comments · Source: NancyFx/Nancy

Description

If I make some example with localhost and RewriteLocalhost = false, Nancy ignores this and makes the server listen on 0.0.0.0.

Movie with the reproduced bug:

recording (attachment)

Steps to Reproduce

Compile this example:

Program.txt

Run it and check netstat -an.

If I change localhost to 127.0.0.1, all works fine!

System Configuration

  • Nancy version: 1.4.4
  • Nancy host

    • [ ] Nancy.Hosting.Self

  • Environment (Operating system, version and so on): Windows 10
  • .NET Framework version: 4.6

All 7 comments

That is the way the .NET implementation System.Net.HttpListener works (the underlying class used by Nancy 1.4). When configured for localhost it binds to 0.0.0.0; this project has no control over that. What the configuration "RewriteLocalHost" does control is the URL prefix that is added to HttpListener.Prefixes. When true, "http://localhost:12345" is changed to "http://+:12345", which is a Windows netsh syntax to say accept HTTP traffic on all interfaces, but it also requires a URL reservation for non-administrative users.
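The following is an added example, not code from the issue or from the Nancy project, that makes the three cases discussed above directly comparable on one machine: the default rewrite to the http://+:port prefix, RewriteLocalhost = false with a localhost prefix, and the explicit 127.0.0.1 binding that later comments in this thread describe as the workaround. It assumes the Nancy and Nancy.Hosting.Self 1.4.x packages, a .NET Framework console project, and port 12345 as a sample value; the mode names are invented for the example.

```csharp
// Added example (not from the issue or the Nancy project).
// Assumes Nancy + Nancy.Hosting.Self 1.4.x and that sample port 12345 is free.
using System;
using Nancy;
using Nancy.Hosting.Self;

// Minimal module so the host has something to serve.
public class HelloModule : NancyModule
{
    public HelloModule()
    {
        Get["/"] = _ => "hello via host header " + Request.Url.HostName;
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        // Mode is chosen on the command line (sample names: rewrite, norewrite,
        // loopback) so the same binary can be run three times and each run
        // compared with: netstat -an | findstr 12345
        string mode = args.Length > 0 ? args[0] : "loopback";

        HostConfiguration config;
        Uri baseUri;
        switch (mode)
        {
            case "rewrite":
                // Default Nancy behaviour: localhost becomes the http://+:12345/
                // prefix, i.e. every interface, and a URL reservation
                // (netsh http add urlacl) is needed for non-admin users.
                config = new HostConfiguration { RewriteLocalhost = true };
                baseUri = new Uri("http://localhost:12345");
                break;
            case "norewrite":
                // Prefix stays http://localhost:12345/, but HttpListener still
                // binds the socket to 0.0.0.0 and relies on its Host header
                // check (400 for anything but localhost) to turn other hosts away.
                config = new HostConfiguration { RewriteLocalhost = false };
                baseUri = new Uri("http://localhost:12345");
                break;
            default:
                // Workaround from the thread: an explicit loopback address gives
                // a socket bound to 127.0.0.1 only, so remote hosts never reach
                // the TCP layer at all.
                config = new HostConfiguration { RewriteLocalhost = false };
                baseUri = new Uri("http://127.0.0.1:12345");
                break;
        }

        using (var host = new NancyHost(config, baseUri))
        {
            host.Start();
            Console.WriteLine("Mode '{0}': Nancy started with base URI {1}", mode, baseUri);
            Console.WriteLine("Now run: netstat -an | findstr 12345");
            Console.WriteLine("Press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

In the netstat output, the local address column is the check that matters: the first two modes show 0.0.0.0:12345 (the "rewrite" mode will fail to start for a non-administrator until a URL reservation exists, or unless HostConfiguration.UrlReservations.CreateAutomatically is set), while the loopback mode shows 127.0.0.1:12345. If a policy requires that the port not be reachable from other addresses at the TCP level, only the last form satisfies it; the 400 response in the "norewrite" mode is an application-layer refusal, not a socket-level one.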

Thank you for the answer. I think this should be well documented. This behavior is in my opinion not expected and may be a security gap.

This behavior is in my opinion not expected and may be a security gap.

Why is this a "security gap"?

@khellang found this info:

In the context of servers, 0.0.0.0 means all IPv4 addresses on the local machine. If a host has two IP addresses, 192.168.1.1 and 10.1.2.1, and a server running on the host listens on 0.0.0.0, it will be reachable at both of those IPs
source: https://www.howtogeek.com/225487/what-is-the-difference-between-127.0.0.1-and-0.0.0.0/

In the case of an HTTP server running on Windows, the accessible interfaces depend on the URL ACL configuration.

I know what binding to 0.0.0.0 (and [::]) means, but that doesn't mean it's a "security gap". This is HttpListener behavior; it'll answer with a 400 status code for anything but localhost. If you believe this is a security issue, you should probably disclose it to Microsoft so they can patch it 😊

Unfortunately, I don't think the Nancy team will be able to document all behaviors of all .NET APIs used in the framework, but if any one of you cares enough, you could try editing the wiki to add some information about this.

@khellang I understand that this is HttpListener behaviour, but this is Nancy behaviour too. Maybe this is unfixable, because too many solutions depend on this behaviour, but this is still a gap, and should be documented.

I work with financial partners, and they have a very restricted security policy. You say that HttpListener answers 400, but HTTP is the application layer. At the bottom is the unsecured TCP layer - everyone can send a message. Some policies say that no application in our company can listen on a TCP port from an outside address.

1. When someone sends a request and the server responds 400, this is some information - ok, maybe this is HttpListener, or Nancy - ok, let's try some hidden exploit on HttpListener, maybe we get access to some services on this machine.

2. The application must reserve a URL ACL, and the Windows user must have admin rights. In some companies this is a big problem.

The solution to my problem is to use 127.0.0.1, but I spent some hours finding this behaviour. I want to find some time at the weekend and edit the Nancy Wiki and Documentation if I have any rights to do this.

Thanks all for the discussion!
