Unable to connect to GSA on AWS due to invalid host header

I followed the steps to install OpenVAS9 on Ubuntu 18.04 (Bionic) on an AWS instance and I’m running into an issue where I receive the following error while attempting to connect to the OpenVAS Manager interface on port 4000:

The request contained an unknown or invalid Host header. If you are trying to access GSA via its hostname or a proxy, make sure GSA is set up to allow it.

Several solutions I found referenced the following command: gsad --allow-header-host "gsa.example.com"

However, since I have a complex DNS name and no real IP address to directly connect to my OpenVAS Manager, I’m unable to connect. When I run the “gsad” command on my AWS Ubuntu instance, I receive the following error message: Warning: MHD_USE_THREAD_PER_CONNECTION must be used only with MHD_USE_INTERNAL_POLLING_THREAD. Flag MHD_USE_INTERNAL_POLLING_THREAD was added. Consider setting MHD_USE_INTERNAL_POLLING_THREAD explicitly.

I confirmed firewalls are not causing an issue; however, I’m not sure what to do here since it doesn’t accept my AWS DNS name: ec2-xxx-xxx-xxx-xxx.us-east-1.compute.amazonaws.com

What do I do to resolve?

I suppose you are connecting to the GSAD by using a web browser and not via GMP to the GVM (formerly known as OpenVAS Manager).

It is still the firewall or, to be more specific, the AWS double NAT. If you don't wanna set your hostname correctly, you may either use a VPN or a tunnel to connect to the private IP address where you bound the GSAD.

There is no other way to do it securely …

1 Like

The

warning has nothing to do with

and can be safely ignored.

More info about the host header issue can be found at

It’s required to be set to your publicly accessible DNS name. It must match the Host HTTP header sent by your browser when accessing GSA.

2 Likes

So to follow-up on my other post here (Unable to connect to GSA on AWS due to invalid host header) since it’s been six days since my account has yet to be approved to be able to reply, the issue is that AWS provides funky DNS names that can’t be changed and when I go to use gsad --allow-header-host "gsa.example.com", it fails.

I allowed ports through my Security Groups, so it is not the firewall for the last time. If it was, I’d never get the following error message to begin with: The request contained an unknown or invalid Host header. If you are trying to access GSA via its hostname or a proxy, make sure GSA is set up to allow it. How can I disable this host header check? That’d be much simpler.

I’m not sure how to set my host header that has weird AWS DNS names. Do I have to be browsing to it via localhost for initial security reasons since I’m trying to do all this on a cloud instance?

Also, if an admin reads this, can they remove the account hold on my other account? Thanks!

On which url do you want to access gsad? That’s the url to be set for --allow-header-host. You need either a static ip or static dns name. It won’t work without. When accessing gsad via a browser the browser sends a Host header in the http request. The Host header entry is derived from the url you have typed in the address bar. If the Host header in the http request doesn’t match the setting of --allow-header-host the request will be denied and you’ll get the warning.

The only exceptions of this rule are the loopback addresses localhost, 127.0.0.1 and ::1.

We have a bunch of openvas in AWS, but none of them have public facing interfaces. You may be able to use putty to proxy your browser connection through ssh. See the example at https://www.akadia.com/services/ssh_putty.html and adjust port numbers and addresses accordingly. I’m not sure what that host header will be to the gsa, but it’ll be consistent and can be added to --allow-header-host when you figure it out.
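
The Host header rule described in the last two replies, as an added Python sketch that is not gsad's code and not part of the original thread. It shows why the EC2 name is refused until it is passed to --allow-header-host, and why a browser pointed at a local SSH tunnel endpoint is accepted. Ignoring the port and matching the name exactly and case-insensitively are assumptions of this model, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Loopback names the thread lists as the only exceptions to the check.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def host_header_for(url):
    """Host header a browser derives from the URL typed in the address bar."""
    parts = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    host = parts.hostname or ""
    if ":" in host:                       # IPv6 literals are bracketed in Host
        host = f"[{host}]"
    if parts.port and parts.port != default_port:
        host = f"{host}:{parts.port}"     # non-default ports are included
    return host

def hostname_of(host_header):
    """Strip the optional port (and IPv6 brackets) from a Host header value."""
    value = host_header.strip().lower()
    if value.startswith("["):
        end = value.find("]")
        return value[1:end] if end != -1 else ""   # malformed: matches nothing
    return value.rsplit(":", 1)[0] if ":" in value else value

def is_accepted(host_header, allowed=()):
    """Model of the rule: loopback is exempt, anything else must be listed.

    Assumption: exact, case-insensitive match on the name with the port ignored.
    """
    name = hostname_of(host_header)
    return name in LOOPBACK or name in {a.lower() for a in allowed}

if __name__ == "__main__":
    # Constructed sample input: the masked EC2 name from the question.
    ec2 = "ec2-xxx-xxx-xxx-xxx.us-east-1.compute.amazonaws.com"
    cases = [
        (f"https://{ec2}:4000/", []),       # public name, nothing allowed
        (f"https://{ec2}:4000/", [ec2]),    # public name passed to --allow-header-host
        ("https://localhost:4000/", []),    # browser pointed at a local SSH tunnel
        ("https://localhost.example.net:4000/", []),  # lookalike name, not loopback
    ]
    for url, allowed in cases:
        header = host_header_for(url)
        verdict = "accepted" if is_accepted(header, allowed) else "refused"
        print(f"{url:<62} Host: {header:<58} {verdict}")
```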