httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andre Nathan <>
Subject The SERVER_ADDR environment variable
Date Fri, 11 Apr 2014 13:34:10 GMT

I'm trying to protect a webserver from DDoS attacks. The plan for this is
to not publish its IP address anywhere public. DNS records point to a CDN
service like CloudFlare. The CDN will sync to the webserver via a random
entry in the zone, making it "undiscoverable".

The issue I'm facing is that a malicious user would still be able to find
the real server address via Apache's SERVER_ADDR environment variable, eg.
from a PHP script. I tried using SetEnv / SetEnvIf to change it's value or
unset it, but apparently this is not possible. I believe writing a module
to do just that won't work either, since as I understand it, the variable
is set after all modules are processed.

Would it be a good idea to allow SERVER_ADDR to optionally not be set? I
could work on a patch to do this if the idea is considered valid.

Thanks in advance,

View raw message