From: "Leif W"
To: users@httpd.apache.org
Date: Sat, 8 Jan 2005 02:23:28 -0500
Subject: Re: [users@httpd] Blocking http requests to certain URLs.
Message-ID: <00a201c4f553$030534a0$55dc9a04@nill>
References: <41DF49F8.1010002@techquotes.com>

>> Christopher J. Bottaro wrote:
>>
>> Hello,
>> I'm very new to Apache and web stuff in general. Please bear with me.
>>
>> I have my name server set up to route the following URLs to a single IP
>> address:
>> www.mydomain.net
>> ftp.mydomain.net
>> ssh.mydomain.net
>>
>> I want Apache to reject http requests to ftp.mydomain.net and
>> ssh.mydomain.net. Currently (default Apache setup on Fedora Core 3), I can
>> put in my web browser "http://ssh.mydomain.com" and it will bring me to my
>> homepage. I don't want that.
>>
>> Thanks for your help.

What you are asking when you say "reject http requests" sounds like you
want to disallow a connection at port 80 on your IP, but only if the Host
header sent by the browser does not match www.mydomain.net. That is the
functionality of a firewall at the application level, as opposed to the IP
level or packet level. Apache is a web server, not a firewall.

Apache must Listen to the IP address and the port. It can either listen or
not listen, but not both. If it doesn't listen, you can't use
www.mydomain.net:80 either. If it does listen, it MUST accept the request.
Therefore you need to pay attention to what you have Apache do AFTER it
inspects the request headers and looks at the Host header sent by the user
agent (web browser, robot, etc.). This means you need to use name based
virtual hosting. Read the documentation about NBVH.

> Aman Raheja; 2005 January 07 Friday 21:48
>
> It sure means you are listening on * and the ServerName directive is not
> set up.
> Be specific and use the Listen directive wisely, like
> Listen xxx.xxx.xxx.xxx:80
> and use the same on your VirtualHost, if you have one, and let the
> ServerName directive be
> ServerName www.mydomain.com
> Then only www.mydomain.com will respond.
> Check apache docs for details on the directives.
> HTH
> Aman Raheja

Exactly, with some additional detail. I would repeat the statement about
reading the docs. Use the "Directive Quick Reference" and look at the
directives you will need to accomplish what you want to do.
Listen
NameVirtualHost
VirtualHost
ServerName
ServerAlias
DocumentRoot (your /public directory above)
Directory
CustomLog
ErrorLog
Redirect
RedirectPermanent
RedirectMatch

With Apache, you need to Listen IP:PORT, regardless of the rest of the
configuration. With Name Based Virtual Hosting, you declare an IP:PORT to be
used for name based virtual hosting. This means that if a request comes to
IP:80 on your machine, Apache knows that it must look through all of the
available virtual hosts whose IP:PORT matches the directives. For each
matching IP:PORT, Apache must then see if the string in the Host header sent
by the client matches the ServerName or any string in the ServerAlias list.
If the IP:PORT matches, but no ServerName or ServerAlias matches, then the
first VirtualHost is used by default.

Depending on what you want to do, you need to set up at least 2 separate
VirtualHost sections, or 3 if you want to isolate traffic with no Host
header or a Host header that does not match anything.

Optionally, assuming that you want to isolate non-matching Host headers
(i.e. useful to put all those IP-based virus port probes into a separate
file), then the first VirtualHost will be a dummy (ServerName default:80 or
dummy:80, no ServerAlias). You create a separate directory, and serve a
dummy index.html file, with no content (zero size), or a short note such as
"This is not here." You log access and errors separately.

UNIX:
/var/www/default
/var/www/default/public
/var/www/default/logs

Windows:
C:/www/default
C:/www/default/public
C:/www/default/logs

After this the order of VirtualHosts does not matter as much. But I use the
convention that I put what I want first, then what I don't want later.

The next VirtualHost section will be for the site that exists, and you want
to serve, www.mydomain.net. You use a ServerName www.mydomain.net:80.
You have your web page files and your log files in a separate directory, as
outlined above, replacing "default" with your ServerName:
/var/www/www.mydomain.net/public, etc. This has nothing to do with Apache,
it just helps you remember which files belong to which website. :)

Now, the final section holds one possible answer to your question. The
purpose is to capture ftp.mydomain.net and ssl.mydomain.net and do something
useful with them. Set the final VirtualHost's ServerName to one, and
ServerAlias to the other. Doesn't really matter which order. Just use
ServerName host:80 and ServerAlias otherhost. Now the Host header will
match, and Apache will proceed to process the request from within this
context.

What do you want to happen now? Like the dummy or default site, you can
choose to serve a zero-size file, or a file with a short message. However
you probably want the user to be automatically sent to www.mydomain.net.
This is handled by a very simple directive (Redirect), or a specific
variation (RedirectPermanent). You want to do a permanent redirect from /
to http://www.mydomain.net/ .

Hey now, some people might suggest skipping all of that, and using one
VirtualHost with ServerName www.mydomain.net:80 and ServerAlias
ftp.mydomain.net and ssl.mydomain.net. But the problem with that is now you
have other people and even robots indexing your site from three locations.
If you later try to do statistical processing (stats) on your site, you
have to add together the three sites, and then subtract the people who
access more than one location. It can be a real headache, best to avoid.

Some people might also suggest skipping the first optional default, and the
third, and do NOT add ServerAlias, or just simply skip the dummy default.
Then everyone who types in ftp.mydomain.net or ssl.mydomain.net into a web
browser gets www.mydomain.net sent back to them. This is great, if you only
run this one web site.
But if you choose to run www.anotherdom.org with similar ftp.anotherdom.org
and ssl.anotherdom.org host names, and someone types in one of those, they
get sent to www.mydomain.net and NOT www.anotherdom.org, two unrelated
sites. This is not good. The solution is not scalable.

The best advice is to do this little extra work from the beginning, even
for one site, because you probably will add one or two more when you learn
how easy it is, and because you will have to do it anyway when you add more
sites, and if you didn't do it this way first, that's extra time to redo it
a second time. :-)

Leif

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
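The three-VirtualHost layout Leif describes, written out as an added example (this is not code from the original post or from the Apache project's documentation). It is in httpd 2.4 syntax; the IP address 192.0.2.10 (a documentation-range address), the paths under /var/www and the hostnames are placeholders taken from or modelled on the thread, so substitute your own. On httpd 2.0/2.2, the versions current when this was posted, you also need a `NameVirtualHost 192.0.2.10:80` line and `Order allow,deny` / `Allow from all` in place of `Require all granted`; in 2.4 NameVirtualHost is deprecated and has no effect, and any IP:port with more than one VirtualHost is name-based automatically.

```apache
# Added example, not part of the original post. httpd 2.4 syntax.
# Assumptions: the box's address is 192.0.2.10, sites live under /var/www.

Listen 192.0.2.10:80

# 1. Dummy default host.  Because it is the FIRST <VirtualHost> for this
#    IP:port, httpd uses it for every request whose Host header matches no
#    ServerName/ServerAlias below: bare-IP scanner traffic, HTTP/1.0 clients
#    that send no Host header, mistyped names.  Nothing real lives here and
#    it keeps its own logs, so that noise never lands in the real site's
#    access_log.  /var/www/default/public holds only an empty index.html.
<VirtualHost 192.0.2.10:80>
    ServerName  default:80
    DocumentRoot /var/www/default/public
    ErrorLog    /var/www/default/logs/error_log
    CustomLog   /var/www/default/logs/access_log combined
    <Directory /var/www/default/public>
        Options None
        AllowOverride None
        Require all granted
        # Alternative: "Require all denied" here answers every probe with 403
        # instead of serving the empty page.
    </Directory>
</VirtualHost>

# 2. The site you actually want to serve.  Only a Host header equal to
#    www.mydomain.net reaches this section.
<VirtualHost 192.0.2.10:80>
    ServerName  www.mydomain.net:80
    DocumentRoot /var/www/www.mydomain.net/public
    ErrorLog    /var/www/www.mydomain.net/logs/error_log
    CustomLog   /var/www/www.mydomain.net/logs/access_log combined
    <Directory /var/www/www.mydomain.net/public>
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

# 3. The non-web names from the original question.  They are matched by
#    Host header (one as ServerName, the other as ServerAlias) and answered
#    with a 301 to the canonical name, so browsers and robots end up on
#    exactly one hostname and the stats stay in one place.  No DocumentRoot
#    is needed: Redirect is applied before the filesystem is consulted.
<VirtualHost 192.0.2.10:80>
    ServerName  ftp.mydomain.net:80
    ServerAlias ssh.mydomain.net
    ErrorLog    /var/www/redirect/logs/error_log
    CustomLog   /var/www/redirect/logs/access_log combined
    Redirect permanent / http://www.mydomain.net/
</VirtualHost>
```

Check it before reloading with `apachectl configtest`, then `apachectl -S`, which prints the virtual host table for each IP:port and marks which section is the default. From a client, `curl -sI -H 'Host: ssh.mydomain.net' http://192.0.2.10/` should return `301` with `Location: http://www.mydomain.net/`, while `curl -sI http://192.0.2.10/` (curl then sends `Host: 192.0.2.10`, which matches nothing) should return the empty default page and show up only in /var/www/default/logs/access_log. Adding a second domain later is just two more sections of the same shape after these; the default section stays first and keeps catching whatever does not belong to any of them.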