httpd-dev mailing list archives

From Reindl Harald
Subject Re: The SERVER_ADDR environment variable
Date Fri, 11 Apr 2014 13:52:05 GMT

On 11.04.2014 15:34, Andre Nathan wrote:
> I'm trying to protect a webserver from DDoS attacks. The plan for this is to not publish its IP address anywhere
> public. DNS records point to a CDN service like CloudFlare. The CDN will sync to the webserver via a random entry
> in the zone, making it "undiscoverable".
> The issue I'm facing is that a malicious user would still be able to find the real server address via Apache's
> SERVER_ADDR environment variable, e.g. from a PHP script. I tried using SetEnv / SetEnvIf to change its value or
> unset it, but apparently this is not possible. I believe writing a module to do just that won't work either, since
> as I understand it, the variable is set after all modules are processed.
> Would it be a good idea to allow SERVER_ADDR to optionally not be set? I could work on a patch to do this if the
> idea is considered valid.

IMHO the wrong or a too complicated way with possible side-effects

* if your IP address is not publicly reachable it does not need to be protected
* so block any incoming request to that IP from outside
* allow only the reverse proxy / CDN limited access on the network layer

results in maybe somebody knows the IP which means he does not know
much more than I have and a 192.168.x.x subnet

consider that it needs a malicious user with already access, really interested
in that information, any clue what to do with that information and finally if
knowing a specific IP address opens whatever attack the problem is on a
deeper level because even placing it on the homepage should not do any harm

otherwise all servers out there with their real IP in DNS would have a problem

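One way to apply the network-layer restriction suggested in the reply above, as an added example that is not part of the original thread: a shell function that renders an nftables ruleset admitting web traffic only from the CDN's address ranges. The table and set names and the sample ranges (RFC 5737 documentation networks) are assumptions; substitute the ranges your CDN provider publishes.

```shell
#!/bin/sh
# Added example (not from the thread): render an nftables ruleset that lets
# only the CDN reach the origin's web ports. Nothing is applied here.

# Constructed sample ranges (RFC 5737 documentation networks), standing in
# for the egress ranges the CDN provider publishes.
CDN_RANGES="192.0.2.0/24
198.51.100.0/24"

# is_cidr4 STRING: succeed only for a syntactically valid IPv4 CIDR.
is_cidr4() {
    printf '%s\n' "$1" | awk '
        $0 !~ "^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+/[0-9]+$" { exit 1 }
        { split($0, p, "[./]")
          for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) exit 1
          if (p[5] + 0 > 32) exit 1 }'
}

# render_ruleset: read CIDRs on stdin, print the ruleset. Fails on a bad
# entry or an empty list so a broken allowlist is never loaded.
render_ruleset() {
    elements=""
    while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue
        is_cidr4 "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
        elements="${elements:+$elements, }$cidr"
    done
    [ -n "$elements" ] || { echo "empty allowlist" >&2; return 1; }
    cat <<EOF
table inet origin_filter {
  set cdn_v4 {
    type ipv4_addr
    flags interval
    elements = { $elements }
  }
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "lo" accept
    # Web ports: CDN ranges only. IPv6 web traffic is dropped as well,
    # because no IPv6 range is allowlisted. Other ports are untouched.
    tcp dport { 80, 443 } ip saddr @cdn_v4 accept
    tcp dport { 80, 443 } drop
  }
}
EOF
}

printf '%s\n' "$CDN_RANGES" | render_ruleset
```

The script only prints the ruleset; after review, the output can be saved to a file and loaded with `nft -f`.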