Category: Web

Update 2012-08-27: Stefan de Kooter reported the bug had been fixed in IOS release 15.1(4)M.

I simply had to check with the RFC; by setting the Host: field of HTTP request to an IP address (instead of a host name), Cisco IOS violates section 14.23 of RFC 2616, which says:

The Host request-header field specifies the Internet host and port number of the resource being requested, as obtained from the original URI given by the user or referring resource ... The Host field value MUST represent the naming authority of the origin server or gateway given by the original URL.

Update 2012-08-27: Stefan de Kooter reported the bug had been fixed in IOS release 15.1(4)M.

If you run multiple web sites on a single physical server, it's highly likely that you rely on the ability of HTTP/1.1 clients to specify the Host: field in the HTTP request to indicate which web site they're trying to access.

Cisco IOS always inserts the web server's IP address (not the hostname) in the Host: field of the HTTP request, regardless of whether you enter IP address or hostname in the URL part of an IOS command that supports HTTP (for example, copy or more command) ... and regardless of whether the hostname is locally configured with the ip host command or resolved by an external DNS server specified in the ip name-server command.

End result: Cisco IOS-based routers (tested up to release 12.4(11)T) can access only the default web site on a web server hosting multiple web sites.

Cisco IOS has the ability to define command aliases - short words that substitute a whole exec-mode or configuration command. These aliases can also be used in command execution URLs. For example, if you define alias exec showdefault show ip route 0.0.0.0 0.0.0.0, you can view the status of the default route with the http://router/exec/showdefault/CR URL.

To optimize the space utilizations and file transfer operations in flash: memory, Cisco IOS web server allows files to be served from tar archives stored on flash: (or any other) filesystem. The URL syntax to access a file in a tar archive is /archive/archive-name-without-tar-suffix/file-in-archive.

Another un(der)documented fact: when you access the router's home page (assuming HTTP or HTTPS server has been enabled), the router displays:

1. The home.html file if it exists in any filesystem;
2. The home.shtml file if it exists in any filesystem;
3. a default page with links to exec, SDM, QDM and TAC support

Note: even though you can access home.html file on flash: device directly, that web page cannot reference any other file in flash: as a relative link unless you specify flash: as the default path for the HTTP requests with the ip http path flash: command.

These tips will help you get the most out of the Cisco IOS embedded web server:

• Home page for a Cisco IOS web server;
• Tar archives used by Cisco IOS web server;
• Multilevel web (HTTP) access to a router;
• Use command aliases to simplify Cisco IOS web server URLs;
• Include a default username/password in web request;
• Use Cisco IOS FTP server to bypass Microsoft "security patch".

If you give your users guest access to a router, you might want to disable some web-based applications the router usually offers (for example, command execution). To do this, use the following steps (first supported in IOS release 12.3(14)T, integrated in 12.4):

1. List all the web applications your Cisco IOS supports with the show ip http server session-module command. By default, all web applications should be active.
2. Create a subset of applications you want to activate with the ip http session-module-list list-name module-list. global configuration command, for example.

ip http session-module-list NoExec HTTP_IFS,HOME_PAGE,QDM,QDM_SA,XML_Api,EzVPN-Web-Intercept

3. Activate the desired applications with the ip http active-session-modules list-name configuration command (you should also use the ip http secure-active-session-modules command if you've enabled HTTPS server).
4. Verify the results with the show ip http server session-module command. Only the applications listed in your module list should be active, all others should be inactive.

I've got a great question related to a previous post:

Is there anyway to send the username and password with the URL request to the router so the user is not prompted for the login?

You can specify username and password as part of standard URL syntax http://username:password@host/rest-of-url, so to execute a show ip interface brief command you could use this URL (after configuring multilevel web access on the router):

http://guest:guest@router/level/1/exec/show/ip/interface/brief

Note: this syntax no longer works in Internet Explorer with latest security patches, please read http://support.microsoft.com/kb/834489 for more information on how to re-enable this behavior.

In some scenarios you want to use true username/password authentication when accessing the router's web server (by default, you have to use enable password). To change the HTTP authentication method, use the ip http authentication local configuration command; it tells the router to use local usernames and passwords when authentication web requests.

Before changing the HTTP authentication, you must define local usernames with the username username privilege-level level password password command, for example:

username guest privilege 1 password 0 guest
username admin privilege 15 password 0 admin

Note: unless you configure service password-encryption, the passwords in your configuration will remain in cleartext.

The last bit of the puzzle is the correct formation of the URLs: when executing a command on the router through a URL, you have to specify the required privilege level (the router will then prompt you for a username/password with at least that privilege level). The URL syntax is http://router/level/privilege-level/exec/command. For example, to execute non-privileged (level-1) show users command, use the following URL:

http://router/level/1/exec/show/users/CR

Note: the /CR suffix at the end of the URL tells the router to execute a command that contains optional (non-present) parameters.

If you have HTTP enabled on your router, you can use it to automate router reloads through web requests. To enable HTTP on the router, use the following commands:

ip http server
ip http access-class 90
access-list 90 permit network-management-ip-address

The ip http access-class configuration command is vital - it limits the access to the web server on your router to well-defined IP addresses.

The Visual Basic script to reload the router is extremely simple (just save the following lines into a file called reload.vbs):

Const RouterIP = "10.0.0.1" ' replace with router's IP address
Const EnablePassword = "password" ' replace with enable password

Set WebRq = CreateObject("MSXML2.XMLHTTP")
WebRq.Open "GET","http://" & RouterIP & "/level/15/exec/reload/CR",false,"Username",EnablePassword
WebRq.Send

And here is the equivalent PERL code for the open source community:

use LWP::UserAgent;

$routerIP = "10.0.0.1";
$enablePwd = "password";

$ua = LWP::UserAgent->new;
$req = HTTP::Request->new(GET => "http://$routerIP/level/15/exec/reload/CR");
$req->authorization_basic('', $enablePwd);
print $ua->request($req)->as_string;

By default, the username specified in the web request is ignored by the router and the password has to be the enable password. Of course, if you change the authentication scheme on the router with the ip http authentication configuration command, you'd use proper username/password pair in the HTTP request.