Hardening network security configuration: restrict incoming requests to selected HOSTS

Protect the BigFix Inventory deployment by specifying which HOST values are allowed in the HTTP header of incoming connections.

About this task

In the default setup, access to the BigFix Inventory server is unrestricted: the server can be reached using any URL.

Procedure

  1. Edit the <BFI Install dir>\wlp\usr\servers\server1\customization.xml file.
  2. Add or uncomment the virtualHost tag with the id default_host.
  3. Add all of the accepted hosts, each as a separate hostAlias tag.
  4. Add localhost as an accepted host in its own hostAlias tag.
  5. When you are finished, the virtualHost section should look like the example below.
  6. Restart the BigFix Inventory server.

Example

This is an example of <BFI Install dir>\wlp\usr\servers\server1\customization.xml with a virtualHost section that accepts three URLs for reaching the BigFix Inventory server:
  • bfi_server.acme.com:9081
  • bfi_server_alternate.dns.name.org:9081
  • localhost:9081
Important: Any other URL, including one that refers to the server by IP address, is rejected unless it is included as a hostAlias. For example, 127.0.0.1:9081 responds with HTTP code 404 and a rendered page with the text: Not Found (Please wait while the application is loading...).

Ensure that end users use only URLs included as hostAlias.

<server> 
    <virtualHost id="default_host">
        <hostAlias>bfi_server.acme.com:9081</hostAlias>
        <hostAlias>bfi_server_alternate.dns.name.org:9081</hostAlias>
        <hostAlias>localhost:9081</hostAlias>
    </virtualHost>
</server>
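
One way to check an edited customization.xml before restarting the server, as an added example that is not part of the original documentation or the product: the Python script below reads the hostAlias entries of default_host, reports findings, and shows which Host header values would be accepted. The function names, the embedded sample (constructed from the example above) and the exact, case-insensitive host:port matching model are assumptions; the * wildcard host comes from the Liberty hostAlias syntax, not from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample, copied from the example customization.xml on this page.
SAMPLE_XML = """<server>
    <virtualHost id="default_host">
        <hostAlias>bfi_server.acme.com:9081</hostAlias>
        <hostAlias>bfi_server_alternate.dns.name.org:9081</hostAlias>
        <hostAlias>localhost:9081</hostAlias>
    </virtualHost>
</server>"""

def load_aliases(xml_text, vhost_id="default_host"):
    """Return the lower-cased hostAlias entries of the given virtualHost."""
    root = ET.fromstring(xml_text)
    return [a.text.strip().lower()
            for v in root.iter("virtualHost") if v.get("id") == vhost_id
            for a in v.iter("hostAlias") if a.text and a.text.strip()]

def audit(aliases, port="9081"):
    """Return findings that weaken or break the restriction (empty list = OK)."""
    findings = []
    if not aliases:
        findings.append("no hostAlias entries: restriction is not configured")
    if any(a.split(":")[0] == "*" for a in aliases):
        findings.append("wildcard host alias: any Host value is accepted")
    if f"localhost:{port}" not in aliases:
        findings.append("localhost alias missing (procedure step 4)")
    return findings

def is_accepted(host_header, aliases):
    """Assumed matching model: exact, case-insensitive host:port, or *:port."""
    value = host_header.strip().lower()
    port = value.rpartition(":")[2]
    return value in aliases or f"*:{port}" in aliases

if __name__ == "__main__":
    aliases = load_aliases(SAMPLE_XML)
    for finding in audit(aliases):
        print("FINDING:", finding)
    for host in ("bfi_server.acme.com:9081", "localhost:9081", "127.0.0.1:9081"):
        print(host, "->", "accepted" if is_accepted(host, aliases) else "rejected (404)")
```

To audit a real deployment, pass the contents of the server's customization.xml to load_aliases instead of SAMPLE_XML.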