
Okay. But how did they get the proper host header?


There are a couple easy possibilities depending on server config.

1. Not using SNI, and all https requests just respond with the same cert. (Example, go to https://209.216.230.207/ and you'll get a certificate error. Go to the cert details and you'll see the common name is news.ycombinator.com).

2. http upgrades to https with a redirect to the hostname, not IP address. (Example, go to http://209.216.230.207/ and you get a 301 redirect to https://news.ycombinator.com)


Could be a number of ways, for example a default TLS cert, or a default vhost redirect.

I actually had a job once a few years ago where I was asked to hide a web service from crawlers and so I did some of these things to ensure no info leaked about the real vhost.
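The two leaks described in this thread (a default certificate and a redirect to the hostname) can be checked on your own server from what a bare-IP request receives. The following is an added example, not part of the thread or any commenter's code; the function names, the `hidden.example.com` domain and the sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

def redirect_host(raw_response):
    """Host named in the Location header of a raw HTTP response, or None."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return urlsplit(value.strip()).hostname  # None for relative URLs
    return None

def reveals(name, protected):
    """True if `name` is, or is a subdomain/wildcard of, a protected domain."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return any(name == d or name.endswith("." + d) for d in protected)

def hostname_leaks(cert_names, raw_response, protected):
    """List (channel, name) pairs that a bare-IP client would learn."""
    leaks = []
    for name in dict.fromkeys(cert_names):       # de-duplicate CN vs SAN
        if reveals(name, protected):
            leaks.append(("default-cert", name))
    host = redirect_host(raw_response)
    if host and reveals(host, protected):
        leaks.append(("redirect", host))
    return leaks

# Constructed sample data (documentation names, not taken from the thread).
PROTECTED = {"hidden.example.com"}
LEAKY_CERT = ["hidden.example.com", "hidden.example.com"]   # CN + SAN
LEAKY_HTTP = (b"HTTP/1.1 301 Moved Permanently\r\n"
              b"Location: https://hidden.example.com/\r\n"
              b"Content-Length: 0\r\n\r\n")
HARDENED_CERT = ["default.invalid"]              # throwaway self-signed cert
HARDENED_HTTP = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(hostname_leaks(LEAKY_CERT, LEAKY_HTTP, PROTECTED))
    print(hostname_leaks(HARDENED_CERT, HARDENED_HTTP, PROTECTED))
```

Feed it the certificate names and the raw response your own default vhost returns to a request addressed by IP; an empty list means neither channel names a protected domain.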


I don't think OP said that they had the correct host header?


Who says they did?



