# The 'Host' field contained in Http header is invalid



## ziomario (Oct 4, 2021)

Hello,

I tried to configure a DDNS with DynDNS.it on my router "Sercomm VD625 (AGCOMBO)" and with every browser I use I always get the same error "The 'Host' field contained in Http header is invalid". I have installed and configured "*Apache, PHP, and MySQL*" on *FreeBSD 13* following this tutorial:


https://linuxhint.com/install-apache-php-mysql-on-freebsd/


To be sure that the problem wasn't caused by DDNS, I tried to write on the browser my public IP, but I've got the same error. The odd thing is that I'm forced to specify the HTTPS protocol on the address bar. If I don't use it, it adds it. Otherwise the connection is refused.

The domain is linked to the public IP correctly and the error happens when I use the domain name and / or the public IP. The DDNS is well configured, because inside the proper router section I can read "*updated successfully*".


When I open the website "http://192.168.1.6/" on my browser (it's the IP number assigned to FreeBSD), I see the message "It works", but when I open the web "ziomario.ns0.it" I see the error "The 'Host' field contained in Http header is invalid" so I think that this error is not caused by some wrong setting correlated with the installation of "*Apache, PHP, and MySQL*" but maybe it is caused by some different web component that I don't know. Can someone give me some suggestion about what could be wrong? Thanks.


----------



## SirDice (Oct 4, 2021)

ziomario said:


> but when I open the web "ziomario.ns0.it" I see the error "The 'Host' field contained in Http header is invalid"


You're trying to access your _internal_ website using the _external_ address. It depends a bit on your router and its capabilities if it's going to like that, it has to do a so-called hairpin. In other words from inside your local network you connect to the _external_ address, the modem/router then has to redirect that traffic back inside to the 192.168.1.6 address.


----------



## ziomario (Oct 4, 2021)

SirDice said:


> You're trying to access your _internal_ website using the _external_ address. It depends a bit on your router and its capabilities if it's going to like that, it has to do a so-called hairpin. In other words from inside your local network you connect to the _external_ address, the modem/router then has to redirect that traffic back inside to the 192.168.1.6 address.



Is there something that I can do to resolve this issue? To be honest I have seen this situation only a few times. Usually I can surf my internal web address using the external IP. I'm almost sure that this function is supported by the router...


----------



## gpw928 (Oct 4, 2021)

In any IP stack, _*all*_ IP addresses on a host are accessible from *any* NIC on that host.  Hence an internal client opening a connection to the external IP address of your firewall (to access an Internet accessible service) will reach that IP address via the internal NIC.  This is really confusing, because you usually expect connections to the external IP to arrive via the external NIC.

Serverfault has a good discussion on the issue.

In essence, your solutions are to:

- ignore it (make internal clients use the internal IP address);
- use a split DNS (so internal clients use an internal IP address for your web site, and external clients use the external IP address); or
- configure your firewall to support hairpin NAT (so that connections to your external IP address from inside your network have NAT applied so that response packets are returned correctly).


----------



## ziomario (Oct 4, 2021)

I never configured something like that. So, why usually I don't need it and only sometimes I needed it? So, if I've understood well, you can open my domain name, ziomario.ns0.it, right? My website is accessible from outside my LAN, right? If yes, what are you seeing now?


----------



## gpw928 (Oct 4, 2021)

You always need either split DNS or hairpin NAT to access services on your external IP from inside your private network.

Right now, there is nothing listening on port 443, and I'm getting a "connection refused" on port 80:

```
The following error was encountered while trying to retrieve the URL: http://ziomario.ns0.it/
Connection to 79.53.69.193 failed.
The system returned: (61) Connection refused
The remote host or network may be down. Please try the request again.
```


----------



## ziomario (Oct 5, 2021)

I don't know why, it persists to switch from http to https. The question is that if my domain name starts with http, I can see that "it works"; if it starts with "https" it doesn't. So:

1) http://ziomario.ns0.it/ : it works
2) https://ziomario.ns0.it/ : unable to connect
3) https://ziomario.ns0.it:80/ : secure connection failed
4) http://ziomario.ns0.it/test.php : blank screen
5) https://ziomario.ns0.it/test.php : unable to connect


----------



## gpw928 (Oct 5, 2021)

The HTTP connection http://ziomario.ns0.it (79.53.69.193:80) is now working on the Internet.

Have you acquired and installed the SSL certificate required to facilitate the encryption required for the HTTPS protocol?

If not, I suggest you solve the original issue (internal access to the external IP address) and the CGI problem (4 above) first.  The logs should tell you something about what happened with "test.php".

Item 3 above makes little sense.  HTTPS is, by convention, on port 443.

To find out what's listening on your web server use the lsof(8) command, e.g. `lsof -i tcp:80`.


----------



## ziomario (Oct 5, 2021)

I've "followed" the Felix tutorial that I found here :


https://forums.freebsd.org/threads/creating-a-ssl-certificate.1222/


adapting it to my situation as follows:


Edited /usr/local/etc/apache24/httpd.conf file:

Uncommented:

```
Include etc/apache24/extra/httpd-ssl.conf
```
 

Edited /usr/local/etc/apache24/extra/httpd-ssl.conf:

Uncommented and changed with my domain name:

```
ServerName ziomario.ns0.it:443
```


Uncommented and changed with my email address:

```
ServerAdmin marietto2008@gmail.com
```

I ran:


```
cd /usr/local/etc/apache24
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
chmod 0400 /usr/local/etc/apache24/server.key
chmod 0400 /usr/local/etc/apache24/server.crt

cd /usr/local/etc/apache24
cp server.key server.key.orig
openssl rsa -in server.key.orig -out server.key
```


In the httpd.conf, needed to turn on mod_ssl.so:


```
LoadModule ssl_module modules/mod_ssl.so
```


turned on mod_socache_shmcb.so:


```
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
```


otherwise the error "*Can't start Apache: Invalid command 'SSLCipherSuite'*" will come up.

Restarted Apache with:

```
sudo service apache24 restart
```


but Firefox gives the error below :


```
Warning: Potential Security Risk Ahead

Firefox detected a potential security threat and did not continue to ziomario.ns0.it. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

Learn more…

ziomario.ns0.it uses an invalid security certificate.

The certificate is not trusted because it is self-signed.

Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
```


----------



## eternal_noob (Oct 5, 2021)

ziomario said:


> but Firefox gives the error below :


This is normal because you use a self-signed certificate.


----------



## ziomario (Oct 5, 2021)

eternal_noob said:


> This is normal because you use a self-signed certificate.



But when I try to connect to https://ziomario.ns0.it

it says that the connection is not secure. If I use https, should be secure. Right?


----------



## SirDice (Oct 5, 2021)

ziomario said:


> If I use https, should be secure. Right?


Sure, you can accept the self-signed certificate, but someone else might not trust that. You should look into using a Let's Encrypt certificate, that will get you a _trusted_ SSL certificate for free. It's a trusted certificate authority, only thing is that the certificate is only valid for three months. But various tools exist to request and automatically refresh that.

- security/py-certbot # easiest to use, does have a lot of python dependencies
- security/acme.sh # No dependencies but requires some additional scripting to make it work.


----------



## eternal_noob (Oct 5, 2021)

ziomario said:


> it says that the connection is not secure


This message is misleading. It IS secure but it is not trusted.

You have 3 possibilities here:
1 - Keep your self-signed certificate and make your users accept it
2 - Take a lot of money and buy a trusted one
3 - Do what SirDice said and use the Let's Encrypt certificates.


----------
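
What "secure but not trusted" looks like on the command line, as an added example that is not part of any post in this thread: it creates a self-signed certificate much as the earlier post does (with a 2048-bit key and a subjectAltName instead of the 1024-bit key used there) and shows that verification fails with no trust anchor and succeeds once the certificate itself is explicitly trusted. The host name `www.example.test`, the function names and the 90-day lifetime are assumptions made for the example, and OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/bin/sh
# Added example. Host name and paths are constructed; OpenSSL >= 1.1.1 is assumed.

# make_selfsigned DIR HOST: write DIR/server.key (2048-bit RSA, no passphrase)
# and DIR/server.crt (self-signed, valid 90 days, HOST in subjectAltName).
make_selfsigned() {
    ( umask 077   # the private key must not be readable by other users
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 \
          -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
          -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null )
}

# key_bits CERT: print the size of the public key in CERT, in bits.
key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# is_self_signed CERT: succeed when issuer and subject are the same name
# (a self-issued certificate, which is what "openssl req -x509" produces).
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash) || return 1
    [ -n "$s" ] && [ "$s" = "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# trust_status CERT [ANCHOR]: print "trusted" if CERT verifies against ANCHOR.
# With no ANCHOR, no CA at all is trusted, like a client that has never
# been told about this certificate.
trust_status() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
    fi && echo trusted || echo untrusted
}

# Demo in a throwaway directory.
tmp=$(mktemp -d)
make_selfsigned "$tmp" www.example.test
echo "key size:           $(key_bits "$tmp/server.crt") bit"
echo "no trust anchor:    $(trust_status "$tmp/server.crt")"
echo "certificate pinned: $(trust_status "$tmp/server.crt" "$tmp/server.crt")"
rm -rf "$tmp"
```

Trusting the file explicitly is the command-line counterpart of option 1 in the post above, accepting the certificate on each client.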



## ziomario (Oct 5, 2021)

Anyway, when I've opened ports 80 and 443 on my router, the error "The 'Host' field contained in Http header is invalid" is gone.


----------



## ziomario (Oct 5, 2021)

eternal_noob said:


> This message is misleading. It IS secure but it is not trusted.
> 
> You have 3 possibilities here:
> 1 - Keep your self-signed certificate and make your users accept it
> ...


For sure I will grab the n. 2


----------



## SirDice (Oct 5, 2021)

SSL certificates from Verisign and others aren't that expensive. More expensive than _free_ that's for sure. For mom&pop websites and my own cruft a Let's Encrypt certificate works just fine. It takes some setting up, had some issues with the deployment script at first but once I worked out the kinks it's been rather uneventful.


----------



## Geezer (Oct 5, 2021)

After having got certificates in the past from issuing bodies that ask loads of questions and do not realise why they might not even be trustworthy, now I only use Let's Encrypt. Use them for my websites and my client's websites. Not difficult. All the instructions are on the Let's Encrypt website.


----------



## ziomario (Oct 5, 2021)

Regarding the other problem that I have: I have added the code below to /usr/local/www/apache24/data/test.php

```
<?php phpinfo(); ?>
```

but when I try to open http://ziomario.ns0.it/test.php I see a blank page. Instead I should see something like this:

https://unixcop.com/wp-content/uploads/2021/02/image-21-1024x619.png.webp

I suspect that something is still broken.


----------



## SirDice (Oct 5, 2021)

ziomario said:


> I suspect that something is still broken.


Look in /var/log/httpd-error.log for example. Make sure php_fpm is actually running and you've added the correct settings in that /usr/local/etc/apache24/modules.d/001_mod-php.conf file (the example appears to have everything remarked, make sure you didn't copy/paste the # into it too).


----------



## ziomario (Oct 5, 2021)

SirDice said:


> Look in /var/log/httpd-error.log for example. Make sure php_fpm is actually running and you've added the correct settings in that /usr/local/etc/apache24/modules.d/001_mod-php.conf file (the example appears to have everything remarked, make sure you didn't copy/paste the # into it too).



Bingo. I know that # means comment and is ignored, but anyway, I've been inattentive. It works. Thanks. You are a precious resource for everyone.


----------

