httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Reindl Harald <h.rei...@thelounge.net>
Subject Re: Way to disable non-vhost requests?
Date Sun, 18 Aug 2013 18:59:53 GMT


Am 18.08.2013 20:49, schrieb Eric Covener:
> On Sun, Aug 18, 2013 at 12:55 PM, Stefan Fritsch <sf@sfritsch.de> wrote:
>> for setups that only use virtual hosts, it can be useful to deny
>> requests in the main server context with a meaningful error message.
>> This can make debugging configuration errors much easier.
>>
>> AFAICS, there is no easy way to achieve this. Or did I miss something?
>> Any opinions about adding a new config directive for this purpose? If
>> yes, how should this be named? AllowNonVHostRequests (with a default
>> of 'yes')?
> 
> I don't know of any recipe for this, and I think a directive is okay.
> But what would the status be, and how would you override it just for
> this case?

sounds AFAIK similar like
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslstrictsnivhostcheck

and as i understand the proposal if configured for the first and so
default vhost while there is no host-header matchig ServerName
or ServerAlias "403 Forbidden"

makes IMHO sense, i see a lot of mod_security hits all over our
servers with fantasy-hostnames rejected because other reasons
and a request with a non-configred hostname is most likely
some scanner searching for vulnerabilities


Mime
View raw message