Observation of expand_vhosts

As I kept failing to scan a virtualhost web server behind an nginx, I started to look into this configuration “expand_vhosts”.

I found that the default setting of “expand_vhosts” is “1”, which suggests “enabled”.
In that condition, the scanner does not scan my target which is written in the virtualhost name.
Instead, the scanner resolves the IP of the virtualhost, looks up the FQDN, and scans only the FQDN host. That is, the scanner does not send any http_host_header related to the virtualhost I ordered.

When I turn off “expand_vhosts” by setting it to “0”, I see the “Name” column in the Report results aligned with my designated virtualhost. Perhaps that is the right way to scan a virtualhost hidden behind an nginx.

Do you use the nginx as a proxy or as a web server?

nginx is the reverse proxy in front of the web server.
But I suspect that abnormal symptom might come from the two-way IPS on my ASUS router where all the outgoing traffic of OpenVAS goes. That explains everything.