Received: by taz.hyperreal.com (8.8.4/V2.0) id NAA16154; Sun, 16 Feb 1997 13:36:54 -0800 (PST)
Received: from scanner.worldgate.com by taz.hyperreal.com (8.8.4/V2.0) with ESMTP id NAA16138; Sun, 16 Feb 1997 13:36:51 -0800 (PST)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.8.5/8.7.3) with UUCP id OAA13512 for new-httpd@hyperreal.com; Sun, 16 Feb 1997 14:36:49 -0700 (MST)
Received: from localhost (marcs@localhost) by alive.znep.com (8.7.5/8.7.3) with SMTP id OAA04311 for ; Sun, 16 Feb 1997 14:34:57 -0700 (MST)
Date: Sun, 16 Feb 1997 14:34:56 -0700 (MST)
From: Marc Slemko
To: new-httpd@hyperreal.com
Subject: Re: server dies if one vhost can't be resolved
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

On Sun, 16 Feb 1997, Dean Gaudet wrote:

> Actually, see my rant about DNS and security from last year :) It was
> condensed into some notes in about using DNS for vhosts can be insecure...
> although it might not be in your setup. Essentially the example I gave
> was a website provider with customers A and B. B does their own DNS. If
> the provider uses www.A.com and www.B.com in the statement
> then B can steal A's address depending on the ordering of the statements
> simply by changing DNS. This is facilitated by the fact that vhosts are
> searched last to first.
>
> At any rate, I'm not sure what the two line fix would be... I guess you
> could just stick 0.0.0.0 in as the address and assume it wouldn't ever
> match it.

Exactly, something like that. It means that the server can be running
without all of it being running, but in most cases it is far better for
one of a few hundred virtual domains to be active than for nothing to
work. I agree that in many cases you should have IPs and ServerName's as
appropriate, but...

There used to be a similar problem if the docroot didn't exist for a
virtual domain, but that was fixed a while ago.

>
> Dean
>
> On Sun, 16 Feb 1997, Marc Slemko wrote:
>
> > Right now the entire server dies if one vhost can't be resolved. This is
> > very annoying. Don't suppose anyone is up for a two line fix that
> > magically makes things work?
> >
> >
>
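Both problems raised in this thread (startup failing when a vhost name cannot be resolved, and a customer re-pointing DNS to capture another customer's vhost) come from hostnames in the vhost address. The following is an added example, not code from the thread or from Apache: a small audit that flags every <VirtualHost> address that is a hostname rather than an IP literal. The function names and the sample configuration are assumptions constructed for illustration.

```python
import ipaddress
import re

# Opening <VirtualHost addr[:port] ...> line; comment lines never match.
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)

def split_port(addr):
    """Drop an optional :port, handling bracketed IPv6 literals."""
    if addr.startswith("["):
        return addr[1:].partition("]")[0]
    host, sep, port = addr.rpartition(":")
    if sep and ":" not in host and (port.isdigit() or port == "*"):
        return host
    return addr

def needs_dns(host):
    """True when the server has to resolve this address through DNS."""
    if host in ("*", "_default_"):
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return True
    return False

def audit(conf_text):
    """Return (line_no, address) for each vhost address that is a hostname."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = VHOST_RE.match(line)
        for addr in (m.group(1).split() if m else []):
            if needs_dns(split_port(addr)):
                findings.append((no, addr))
    return findings

# Constructed sample, using customers A and B from the thread.
SAMPLE_CONF = """\
<VirtualHost www.A.com>
ServerName www.A.com
</VirtualHost>
<VirtualHost 192.0.2.20:80>
ServerName www.B.com
</VirtualHost>
<VirtualHost www.B.com [2001:db8::1]:80>
</VirtualHost>
"""

if __name__ == "__main__":
    for no, addr in audit(SAMPLE_CONF):
        print(f"line {no}: {addr} depends on DNS; use an IP plus ServerName")
```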