By default, the OPC will respond to all requests it receives regardless of the content of the HTTP request's Host header.
Question: How can I secure my on premise controller against host header attacks?
Answer: To secure access to the OPC WebGUI, connections via unidentified IPs can be restricted so that the server only accepts requests whose Host header matches a known host name.
As the OPC is intended to be accessed via IP, these host names will be limited to any IP address that is bound to an interface on the server.
In situations where the publicly accessible IP address is not bound to an interface on the server, it is possible to configure an additional publicly routable IP address on the Settings page to enable the OPC to accept connections via this IP.
The On Premise Controller has a problem checker that will advise if secure access is not enabled.

Clicking on the [access.secure] link will take you to the Secure Access page.

Once enabled, Secure Access cannot be disabled.
Here you can enable secure access and restrict access to the OPC Web GUI to the aforementioned set of known IP addresses. Toggle the mode on and click 'save settings' to enable secure access.
Once Secure Access is enabled, any connections received that do not match one of the 'known' host headers will be rejected.
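The kind of check described above, sketched as an added example (this is not the OPC's own code): a Host header is accepted only if it names an IP address from the known set, with or without a port. The sample addresses and the names INTERFACE_IPS, EXTRA_PUBLIC_IPS, parse_host_header and is_known_host are assumptions made for illustration.

```python
import ipaddress

# Constructed sample addresses (documentation ranges), not from a real deployment.
INTERFACE_IPS = ["192.0.2.10", "2001:db8::10"]  # bound to interfaces on the server
EXTRA_PUBLIC_IPS = ["203.0.113.5"]              # added on the Settings page
KNOWN_HOSTS = {ipaddress.ip_address(a) for a in INTERFACE_IPS + EXTRA_PUBLIC_IPS}


def parse_host_header(value):
    """Return the IP literal named by a Host header value, or None if it has none."""
    value = (value or "").strip()
    if value.startswith("["):                 # bracketed IPv6, optionally ":port"
        end = value.find("]")
        if end == -1:
            return None
        host, rest, family = value[1:end], value[end + 1:], ipaddress.IPv6Address
    else:                                     # IPv4, optionally ":port"
        host, sep, port = value.partition(":")
        rest, family = sep + port, ipaddress.IPv4Address
    if rest:                                  # anything after the host must be ":<port>"
        port = rest[1:]
        if rest[0] != ":" or not (port.isascii() and port.isdigit()):
            return None
        if int(port) > 65535:
            return None
    try:
        return family(host)                   # host names and junk raise ValueError
    except ValueError:
        return None


def is_known_host(value):
    """True only when the Host header names one of the known IP addresses."""
    address = parse_host_header(value)
    return address is not None and address in KNOWN_HOSTS


if __name__ == "__main__":
    for header in ["192.0.2.10:8443", "[2001:DB8:0:0:0:0:0:10]", "opc.example", "198.51.100.7"]:
        print(header, "->", "accept" if is_known_host(header) else "reject")
```

Comparing parsed address objects rather than raw strings means an IPv6 address written in a different but equivalent form still matches the known set.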