Received: (from majordom@localhost) by hyperreal.org (8.8.5/8.8.5) id CAA28113; Sun, 5 Oct 1997 02:44:55 -0700 (PDT)
Received: from paris.ics.uci.edu (mmdf@paris.ics.uci.edu [128.195.1.50]) by hyperreal.org (8.8.5/8.8.5) with SMTP id CAA28109 for ; Sun, 5 Oct 1997 02:44:52 -0700 (PDT)
Received: from kiwi.ics.uci.edu by paris.ics.uci.edu id aa24169; 5 Oct 97 2:42 PDT
To: new-httpd@apache.org
Subject: Re: more vhost thoughts
In-reply-to: Your message of "Sun, 05 Oct 1997 02:16:38 PDT."
Date: Sun, 05 Oct 1997 02:41:25 -0700
From: "Roy T. Fielding"
Message-ID: <9710050242.aa24169@paris.ics.uci.edu>
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

>If a client connects to port X and gives "Host: foo:Y" where Y != X,
>should the server reject the request?

The HTTP level may not be aware of a firewall/router changing the real
port number within an intranet, for whatever reason, and thus the client
may think it is talking to port 80 even though the connection is on some
other port. This isn't the client's fault, so an error is not appropriate.
I suggest just ignoring the Host header's port number and only using the
physical port for selecting the server.

>Right now my code does its first pass using X (this is the pass which
>determines which pool of name-vhosts to use, and it happens before headers
>are read), then does the second pass using Y (this is when it checks the
>hostname, and this is just how we always did it).

I've always felt that was a security hole. I thought we plugged it long ago.

....Roy
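The two selection policies under discussion, as an added illustration that is not Apache's vhost code and not from anyone on this thread. It uses a constructed vhost table (the names www.example.com, foo.example.com and admin.example.com and the ports 80 and 8080 are assumed example configuration) and contrasts a lookup keyed on the port Y taken from the Host header with the lookup Roy suggests, keyed only on the physical port X plus the host name. With the header-port lookup, a request that arrives on port 80 carrying "Host: admin.example.com:8080" is matched to the vhost bound to 8080; with the physical-port lookup it is not, while a client behind a port-rewriting router that says "Host: admin.example.com:80" on a connection that actually landed on 8080 is still served rather than rejected.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PORT_ABSENT  (-1)   /* Host header carried no port */
#define PORT_INVALID (-2)   /* Host header was malformed */

/* Hypothetical name-vhost table (assumed example configuration, not from
 * the Apache source). admin.example.com is meant to be reachable only on an
 * internal port that a firewall keeps closed to the outside. */
struct vhost {
    const char *name;   /* ServerName, lower case */
    int port;           /* port the vhost is bound to */
};

static const struct vhost vhosts[] = {
    { "www.example.com",   80   },
    { "foo.example.com",   80   },
    { "admin.example.com", 8080 },
};
#define NVHOSTS (sizeof vhosts / sizeof vhosts[0])

/* Split a Host header value "name[:port]" into a lower-cased name and a
 * port. IPv6 literals are not handled; they are beyond this illustration. */
static int parse_host_header(const char *hdr, char *name, size_t namelen)
{
    const char *colon = strrchr(hdr, ':');
    size_t hlen = colon ? (size_t)(colon - hdr) : strlen(hdr);
    int port = 0;

    if (hlen == 0 || hlen >= namelen)
        return PORT_INVALID;
    for (size_t i = 0; i < hlen; i++)
        name[i] = (char)tolower((unsigned char)hdr[i]);
    name[hlen] = '\0';

    if (colon == NULL || colon[1] == '\0')
        return PORT_ABSENT;
    for (const char *p = colon + 1; *p != '\0'; p++) {
        if (!isdigit((unsigned char)*p))
            return PORT_INVALID;
        port = port * 10 + (*p - '0');
        if (port > 65535)
            return PORT_INVALID;
    }
    return port;
}

static const struct vhost *find_vhost(const char *name, int port)
{
    for (size_t i = 0; i < NVHOSTS; i++)
        if (vhosts[i].port == port && strcmp(vhosts[i].name, name) == 0)
            return &vhosts[i];
    return NULL;
}

/* Lookup keyed on the Host header's port Y: a request that arrived on
 * physical port X is matched against vhosts bound to Y. */
static const struct vhost *select_by_header_port(int physical_port,
                                                 const char *host_hdr)
{
    char name[256];
    int y = parse_host_header(host_hdr, name, sizeof name);

    if (y == PORT_INVALID)
        return NULL;
    if (y == PORT_ABSENT)
        y = physical_port;
    return find_vhost(name, y);
}

/* Roy's suggestion: the Host header's port is ignored; only the physical
 * port plus the host name select the server. */
static const struct vhost *select_by_physical_port(int physical_port,
                                                   const char *host_hdr)
{
    char name[256];

    if (parse_host_header(host_hdr, name, sizeof name) == PORT_INVALID)
        return NULL;
    return find_vhost(name, physical_port);
}

static void show(const char *label, const struct vhost *v)
{
    printf("%-44s -> %s\n", label, v ? v->name : "(no match)");
}

int main(void)
{
    /* Public port 80, but the Host header claims the internal port. */
    show("header port:   80 / admin.example.com:8080",
         select_by_header_port(80, "admin.example.com:8080"));
    show("physical port: 80 / admin.example.com:8080",
         select_by_physical_port(80, "admin.example.com:8080"));
    /* Router case: client believes it reached 80, connection landed on 8080. */
    show("physical port: 8080 / admin.example.com:80",
         select_by_physical_port(8080, "admin.example.com:80"));
    return 0;
}
```

The malformed-header cases (a non-numeric port, an empty name) are rejected by the parser in both policies; the difference between the two lookups is only which port participates in the match.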