geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Genender <>
Subject Re: Virtual Hosts
Date Tue, 17 Jan 2006 11:50:41 GMT

Greg Wilkins wrote:
> David Jencks wrote:
>> On Jan 16, 2006, at 12:39 PM, Jeff Genender wrote:
>>> I don't agree here.  According to the Tomcat doc, the Host name is
>>> "Network name of this virtual host, as registered in your Domain Name
>>> Service server."  So it is a virtual host name.  Where I think  where the
>>> code can be expanded is searching the alias name for a match in  case the
>>> name is not the same as the VH.  This is probably a good thing to add.
>> OK, good.  I'm glad to find out the host name and virtual host name  are
>> connected.
> Well I don't know if I agree with this.
> Virtual host are just names that are supplied by the client application
> and they reflect how the client browser resolved the IP address.
> If I put an entry in my own local host file of "wibble" with the
> same IP address as, the I will be able to enter
>    http://wibble/context
> in my browser and the server will receive a request like
>    GET /context HTTP/1.1
>    Host: wibble
> The virtual host name mechanism is used to handle the fact that
> it is common to have many names mapping to the same IP.   
> The intent of the host field is to allow a server to write URLs
> in the same name space as the client - But there is
> nothing that requires these name to be meaningful to the
> server as a network address in anyway.
> The most important thing to remember with virtual hosts, is that it
> is user supplied data - and nothing to do with the network path.
> The host name can be almost anything, including incorrect IP addresses.

Greg, I think I established this point in this thread.  However, the VH
still needs DNS resolution and needs to be resolved by the client's DNS
server.  Therefore, it is fully correct that it needs to be the network
name of the virtual host, according to someone's DNS resolution.
Regardless, the user supplied must match the server's filtered name, and
works the same in Tomcat and Jetty from a URL filtering perspective.

> Some users incorrectly use virtual hosts as some form of security.
> I think it is important for us not to encourage this by treating 
> virtual host names as network addresssed.

I don't agree as the VH is still a network name, and unfortunately this
is supplied by the Tomcat folks, not us.

> OK - so this does not help this thread very much - but I just wanted
> to make it clear how virtual hosts work.

View raw message