httpd-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: [users@httpd] Reject request with incorrect HOST header...
Date Tue, 09 Sep 2008 07:29:08 GMT
jdrnb007-0@yahoo.com wrote:
> Hello, 
> 
> Have come across a security issue, and one of the reasons is Apache allowing serving of
> requests with an incorrect HOST header.
> 
> Question in short:
> 
> Is there an Apache Directive which will reject requests with an incorrect or missing HOST
> header?  I mean if my Apache is serving one.xyz.com, reject all requests coming to that IP
> address and port using any other hostname. Meaning reject 1.xyz.com or one.abc.com or 2.xyz.com
> or two.xyz.com.
> 
> And second, why would Apache allow that in the first place, especially if we are not
> using NameBased VHosting?
> 
[...]
I'll try an answer for you, based on my own understanding of HTTP and 
Apache matters.

I believe that this is not a security issue.  It is just the way in 
which DNS and HTTP work, and are supposed to work.

First, your second question:
Apache allows that, because that is the way HTTP is supposed to work. 
Basically, if you are not using name-based virtual hosting, then the 
httpd server does not care about the human-readable (DNS) name that you 
used to send the HTTP request to this particular HTTP server host.  It 
gets an HTTP request on its listening IP address and port, so it answers. 
In other words, the webserver gets the "Host:" header sent by the 
browser, but it just ignores it. And that is the way it is supposed to work.

Now about your first question (how to reject requests with the "wrong" 
hostname):
The easiest way that I can think of, and without changing anything on 
your front-end, is to set up your server to *do* name-based virtual 
hosting, as follows:

- define a first Virtual Host with some ServerName that does not exist 
in the DNS.  Because that is the first defined Virtual Host, it will 
serve as a default for all HTTP requests that either have no "Host:" 
header, or where the "Host:" header contains something that Apache 
cannot match with a specific defined virtual host.

- then define a second Virtual Host with the ServerName that you want to 
allow.  This one will handle all requests that *do* have the correct 
hostname.

In the configuration of the first Virtual Host (the default one), set 
your permissions so that everything is forbidden, like:

<VirtualHost *:80>
ServerName forbidden.local
DocumentRoot /var/www/forbidden
<Directory /var/www/forbidden>
Deny from all
</Directory>
</VirtualHost>

In the configuration of the second virtual host (the real one), set the 
permissions normally.
<VirtualHost *:80>
ServerName myrealhost.mydomain.com
DocumentRoot /var/www/myrealhost
<Directory /var/www/myrealhost>
Allow from all
</Directory>
etc..
</VirtualHost>

This second VirtualHost will answer *only* for requests that are 
specifically directed to the hostname "myrealhost.mydomain.com".
All other requests will, by default, be processed by the first 
VirtualHost (and rejected).
You can then, if you want, set the ErrorDocument of the first virtual 
host in such a way that it tells people to use the correct name.

Hope this helps
André
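As an added illustration (not part of the original message), the following Python script models the name-based selection rule the reply relies on: the first defined VirtualHost is the default, the Host header is matched case-insensitively with any port stripped, and anything unmatched (a foreign name, a bare IP address, or no Host header at all) falls through to the deny-everything default. The configuration text is constructed from the two blocks above, with a ServerAlias line added to show alias matching; the "Deny from all" check is a deliberate simplification standing in for the whole-vhost rejection described in the reply.

```python
import re
from fnmatch import fnmatchcase

# Constructed config mirroring the reply: deny-all default vhost first, real vhost second.
CONFIG = """
<VirtualHost *:80>
ServerName forbidden.local
DocumentRoot /var/www/forbidden
<Directory /var/www/forbidden>
Deny from all
</Directory>
</VirtualHost>

<VirtualHost *:80>
ServerName myrealhost.mydomain.com
ServerAlias www.myrealhost.mydomain.com
DocumentRoot /var/www/myrealhost
<Directory /var/www/myrealhost>
Allow from all
</Directory>
</VirtualHost>
"""

def parse_vhosts(config):
    """Return (server_name, aliases, denied) per VirtualHost, in definition order."""
    vhosts = []
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", config, re.S):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M).group(1).lower()
        aliases = [a.lower() for m in re.finditer(r"^\s*ServerAlias\s+(.+)$", body, re.M)
                   for a in m.group(1).split()]
        # Simplification: a vhost containing "Deny from all" rejects every request.
        denied = re.search(r"^\s*Deny from all", body, re.M) is not None
        vhosts.append((name, aliases, denied))
    return vhosts

def select_vhost(vhosts, host_header):
    """Approximate Apache's name-based matching; unmatched or missing Host -> first vhost."""
    if host_header is not None:
        host = host_header.strip()
        if host.startswith("["):                  # IPv6 literal such as [::1]:80
            host = host[1:host.index("]")]
        else:
            host = host.split(":", 1)[0]          # drop an explicit port
        host = host.lower()
        for name, aliases, denied in vhosts:
            if host == name or any(fnmatchcase(host, a) for a in aliases):
                return name, denied
    return vhosts[0][0], vhosts[0][2]

def status_for(host_header):
    """Which vhost handles the request and the status it would give (403 if denied)."""
    name, denied = select_vhost(parse_vhosts(CONFIG), host_header)
    return name, 403 if denied else 200
```

Running status_for over a handful of Host values shows that only the real name and its alias reach the 200 vhost; a request by IP address or with no Host header lands on forbidden.local.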



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

