feat: measure host-header-mismatch for HTTP endpoint (no TLS) (#2093)

DeagleGross · web-flow · commit 6cb799e5e734 · 2025-05-27T13:38:44.000+02:00
* try without TLS

* http scheme for server

* httpsys httponly

* fix NRE

* dont rely on a separate flag

* settings to init
diff --git a/scenarios/rejection.benchmarks.yml b/scenarios/rejection.benchmarks.yml
@@ -20,6 +20,7 @@ jobs:
       project: src/BenchmarksApps/TLS/HttpSys/HttpSys.csproj
     readyStateText: Application started.
     variables:
+      serverScheme: https
       # behavioral settings
       mTLS: false # enables settings on http.sys to negotiate client cert on connections
       tlsRenegotiation: false # enables client cert validation
@@ -30,7 +31,7 @@ jobs:
       httpSysLogs: false
       statsEnabled: false
       logRequestDetails: false
-    arguments: "--urls https://{{serverAddress}}:{{serverPort}} --mTLS {{mTLS}} --certValidationConsoleEnabled {{certValidationConsoleEnabled}} --statsEnabled {{statsEnabled}} --tlsRenegotiation {{tlsRenegotiation}} --httpSysLogs {{httpSysLogs}} --logRequestDetails {{logRequestDetails}} --httpSysUrlPrefix {{httpSysUrlPrefix}}"
+    arguments: "--urls {{serverScheme}}://{{serverAddress}}:{{serverPort}} --mTLS {{mTLS}} --certValidationConsoleEnabled {{certValidationConsoleEnabled}} --statsEnabled {{statsEnabled}} --tlsRenegotiation {{tlsRenegotiation}} --httpSysLogs {{httpSysLogs}} --logRequestDetails {{logRequestDetails}} --httpSysUrlPrefix {{httpSysUrlPrefix}}"
 
   kestrelServer:
     source:
@@ -39,6 +40,7 @@ jobs:
       project: src/BenchmarksApps/TLS/Kestrel/Kestrel.csproj
     readyStateText: Application started.
     variables:
+      serverScheme: https
       # behavioral settings
       mTLS: false
       tlsRenegotiation: false
@@ -49,7 +51,7 @@ jobs:
       certValidationConsoleEnabled: false
       statsEnabled: false
       logRequestDetails: false
-    arguments: "--urls https://{{serverAddress}}:{{serverPort}} --mTLS {{mTLS}} --certValidationConsoleEnabled {{certValidationConsoleEnabled}} --tlsProtocols {{tlsProtocols}} --statsEnabled {{statsEnabled}} --tlsRenegotiation {{tlsRenegotiation}} --logRequestDetails {{logRequestDetails}} --enableHostHeaderValidation {{enableHostHeaderValidation}}"
+    arguments: "--urls {{serverScheme}}://{{serverAddress}}:{{serverPort}} --mTLS {{mTLS}} --certValidationConsoleEnabled {{certValidationConsoleEnabled}} --tlsProtocols {{tlsProtocols}} --statsEnabled {{statsEnabled}} --tlsRenegotiation {{tlsRenegotiation}} --logRequestDetails {{logRequestDetails}} --enableHostHeaderValidation {{enableHostHeaderValidation}}"
 
 scenarios:
 
@@ -92,6 +94,21 @@ scenarios:
         customHeaders:
         - "Host: google.com"
 
+  httpsys-hostheader-mismatch-notls:
+    application:
+      job: httpSysServer
+      variables:
+        httpSysUrlPrefix: "http://testserver:{{serverPort}}"
+        serverScheme: http
+    load:
+      job: wrk
+      variables:
+        path: /hello-world
+        connections: 32
+        serverScheme: http
+        customHeaders:
+        - "Host: google.com"
+
 # Kestrel
   
   kestrel-encoded-url:
@@ -131,3 +148,18 @@ scenarios:
         serverScheme: https
         customHeaders:
         - "Host: google.com"
+
+  kestrel-hostheader-mismatch-notls:
+    application:
+      job: kestrelServer
+      variables:
+        enableHostHeaderValidation: true
+        serverScheme: http
+    load:
+      job: wrk
+      variables:
+        path: /hello-world
+        connections: 32
+        serverScheme: http
+        customHeaders:
+        - "Host: google.com"
diff --git a/src/BenchmarksApps/TLS/HttpSys/Program.cs b/src/BenchmarksApps/TLS/HttpSys/Program.cs
@@ -16,22 +16,30 @@
 
 // endpoints
 var listeningEndpoints = builder.Configuration["urls"] ?? "https://localhost:5000/";
-var httpsIpPort = listeningEndpoints.Split(";").First(x => x.Contains("https")).Replace("https://", "");
+var httpsIpPort = listeningEndpoints.Split(";").FirstOrDefault(x => x.Contains("https"))?.Replace("https://", "");
+var httpOnly = httpsIpPort is null; // in case TLS is disabled. Only for debug purposes - this app is designed to measure TLS scenario
+if (httpOnly)
+{
+    Console.WriteLine("[Note] Server scheme is HTTP, not HTTPS.");
+}
 
 // debug
 var writeCertValidationEventsToConsole = bool.TryParse(builder.Configuration["certValidationConsoleEnabled"], out var certValidationConsoleEnabled) && certValidationConsoleEnabled;
 var statsEnabled = bool.TryParse(builder.Configuration["statsEnabled"], out var connectionStatsEnabledConfig) && connectionStatsEnabledConfig;
 var logRequestDetails = bool.TryParse(builder.Configuration["logRequestDetails"], out var logRequestDetailsConfig) && logRequestDetailsConfig;
 
-var sslCertConfiguration = NetshConfigurator.PreConfigureNetsh(
-    httpsIpPort,
+if (!httpOnly)
+{
+    var sslCertConfiguration = NetshConfigurator.PreConfigureNetsh(
+    httpsIpPort!,
     certPublicKeyLength: certPublicKeyLength,
     clientCertNegotiation: mTlsEnabled ? NetShFlag.Enable : NetShFlag.Disabled,
     disablesessionid: NetShFlag.Enable,
     enableSessionTicket: NetShFlag.Disabled);
 
-// because app shutdown is on a timeout, we need to prepare the reset (pre-generate certificate)
-NetshConfigurator.PrepareResetNetsh(httpsIpPort, certPublicKeyLength: 4096);
+    // because app shutdown is on a timeout, we need to prepare the reset (pre-generate certificate)
+    NetshConfigurator.PrepareResetNetsh(httpsIpPort, certPublicKeyLength: 4096);
+}
 
 #pragma warning disable CA1416 // Can be launched only on Windows (HttpSys)
 builder.WebHost.UseHttpSys(options =>
@@ -126,7 +134,10 @@
 
 await app.StartAsync();
 
-NetshConfigurator.LogCurrentSslCertBinding(httpsIpPort);
+if (!httpOnly)
+{
+    NetshConfigurator.LogCurrentSslCertBinding(httpsIpPort!);
+}
 
 Console.WriteLine("Application Info:");
 if (mTlsEnabled)
@@ -148,6 +159,9 @@
 await app.WaitForShutdownAsync();
 Console.WriteLine("Application stopped.");
 
-Console.WriteLine("Starting netsh rollback configuration...");
-NetshConfigurator.ResetNetshConfiguration(httpsIpPort);
-Console.WriteLine($"Reset netsh (ipport={httpsIpPort}) completed.");
+if (!httpOnly)
+{
+    Console.WriteLine("Starting netsh rollback configuration...");
+    NetshConfigurator.ResetNetshConfiguration(httpsIpPort);
+    Console.WriteLine($"Reset netsh (ipport={httpsIpPort}) completed.");
+}
diff --git a/src/BenchmarksApps/TLS/HttpSys/appsettings.Development.json b/src/BenchmarksApps/TLS/HttpSys/appsettings.Development.json
@@ -9,5 +9,6 @@
   "httpSysLogs": "true",
   "tlsRenegotiation": "false",
   "certValidationConsoleEnabled": "false",
-  "httpSysUrlPrefix": "https://testserver:5000"
+  // "httpSysUrlPrefix": "https://testserver:5000",
+  "httpOnly": "false"
 }
diff --git a/src/BenchmarksApps/TLS/Kestrel/Program.cs b/src/BenchmarksApps/TLS/Kestrel/Program.cs
@@ -21,10 +21,25 @@
 var certPublicKeySpecified = int.TryParse(builder.Configuration["certPublicKeyLength"], out var certPublicKeyConfig);
 var certPublicKeyLength = certPublicKeySpecified ? certPublicKeyConfig : 2048;
 var enableHostHeaderValidation = bool.TryParse(builder.Configuration["enableHostHeaderValidation"], out var enableHostHeaderValidationConfig) && enableHostHeaderValidationConfig;
+var supportedTlsVersions = ParseSslProtocols(builder.Configuration["tlsProtocols"]);
 
 // endpoints
 var listeningEndpoints = builder.Configuration["urls"] ?? "https://localhost:5000/";
-var supportedTlsVersions = ParseSslProtocols(builder.Configuration["tlsProtocols"]);
+
+// determine if listening is expected only on HTTP scheme
+var httpOnly = true;
+foreach (var endpoint in listeningEndpoints.Split([';'], StringSplitOptions.RemoveEmptyEntries))
+{
+    var urlPrefix = UrlPrefix.Create(endpoint);
+    if (urlPrefix.Scheme == "https")
+    {
+        httpOnly = false;
+    }
+}
+if (httpOnly)
+{
+    Console.WriteLine("[Note] Server scheme is HTTP, not HTTPS.");
+}
 
 // debug
 var writeCertValidationEventsToConsole = bool.TryParse(builder.Configuration["certValidationConsoleEnabled"], out var certValidationConsoleEnabled) && certValidationConsoleEnabled;
@@ -71,6 +86,22 @@ void ConfigureListen(KestrelServerOptions serverOptions, IConfigurationRoot conf
 
         serverOptions.Listen(endpoint, listenOptions =>
         {
+            var protocol = config["protocol"] ?? "";
+            if (protocol.Equals("h2", StringComparison.OrdinalIgnoreCase))
+            {
+                listenOptions.Protocols = HttpProtocols.Http1AndHttp2;
+            }
+            else if (protocol.Equals("h2c", StringComparison.OrdinalIgnoreCase))
+            {
+                listenOptions.Protocols = HttpProtocols.Http2;
+            }
+
+            if (httpOnly)
+            {
+                // all TLS related settings should be below
+                return;
+            }
+
             var certificatePath = Path.Combine("certificates", $"testCert-{certPublicKeyLength}.pfx");
             Console.WriteLine($"Using certificate: {certificatePath}");
 
@@ -107,16 +138,6 @@ void ConfigureListen(KestrelServerOptions serverOptions, IConfigurationRoot conf
                     options.ClientCertificateValidation = AllowAnyCertificateValidationWithLogging;
                 }
             });
-
-            var protocol = config["protocol"] ?? "";
-            if (protocol.Equals("h2", StringComparison.OrdinalIgnoreCase))
-            {
-                listenOptions.Protocols = HttpProtocols.Http1AndHttp2;
-            }
-            else if (protocol.Equals("h2c", StringComparison.OrdinalIgnoreCase))
-            {
-                listenOptions.Protocols = HttpProtocols.Http2;
-            }
         });
     }
 });
@@ -204,7 +225,11 @@ bool AllowAnyCertificateValidationWithLogging(X509Certificate2 certificate, X509
 await app.StartAsync();
 
 Console.WriteLine("Application Info:");
-LogOpenSSLVersion();
+if (!httpOnly)
+{
+    LogOpenSSLVersion();
+    Console.WriteLine($"\tsupported TLS versions: {supportedTlsVersions}");
+}
 if (mTlsEnabled)
 {
     Console.WriteLine($"\tmTLS is enabled (client cert is required)");
@@ -221,7 +246,6 @@ bool AllowAnyCertificateValidationWithLogging(X509Certificate2 certificate, X509
 {
     Console.WriteLine($"\tenabled logging stats to console");
 }
-Console.WriteLine($"\tsupported TLS versions: {supportedTlsVersions}");
 Console.WriteLine($"\tlistening endpoints: {listeningEndpoints}");
 Console.WriteLine("--------------------------------");
 
diff --git a/src/BenchmarksApps/TLS/Kestrel/appsettings.Development.json b/src/BenchmarksApps/TLS/Kestrel/appsettings.Development.json
@@ -8,5 +8,6 @@
   "mTLS": "false",
   "tlsRenegotiation": "false",
   "certValidationConsoleEnabled": "false",
-  "enableHostHeaderValidation": "false"
+  "enableHostHeaderValidation": "false",
+  "httpOnly": "false"
 }

Original file line number	Diff line number	Diff line change
`@@ -9,5 +9,6 @@`
`9`	`9`	`"httpSysLogs": "true",`
`10`	`10`	`"tlsRenegotiation": "false",`
`11`	`11`	`"certValidationConsoleEnabled": "false",`
`12`		`- "httpSysUrlPrefix": "https://testserver:5000"`
	`12`	`+ // "httpSysUrlPrefix": "https://testserver:5000",`
	`13`	`+ "httpOnly": "false"`
`13`	`14`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,5 +8,6 @@`
`8`	`8`	`"mTLS": "false",`
`9`	`9`	`"tlsRenegotiation": "false",`
`10`	`10`	`"certValidationConsoleEnabled": "false",`
`11`		`- "enableHostHeaderValidation": "false"`
	`11`	`+ "enableHostHeaderValidation": "false",`
	`12`	`+ "httpOnly": "false"`
`12`	`13`	`}`