httpd-users mailing list archives

Subject [users@httpd] Reject request with incorrect HOST header...
Date Tue, 09 Sep 2008 04:11:24 GMT

Have come across a security issue, and one of the reasons is Apache allowing serving of requests
with an incorrect HOST header.

Question in short:

Is there an Apache directive which will reject requests with an incorrect or missing HOST header?
I mean, if my Apache is serving, reject all requests coming to that IP address
and port using any other hostname. Meaning reject or or or

And second, why would Apache allow that in the first place, especially if we are not using
name-based VHosting?


Let's say I have a few IP-based VHosts proxying content from the backend.

# No forward proxy
ProxyRequests Off

# server One
ProxyPass /all
ProxyPassReverse /all

We have a gate-keeper which checks incoming requests for the domain name and prompts
them for authentication.

Now, if I make a hosts file change on my local (client) computer such that

And then if I point my browser to, I am in w/o any challenge. Apache ignores
the HOST header and the gate-keeper lets it go, as it is only protecting

Well, we had patched the gate-keeper for the above problem a few years back, but today a similar
issue has come to our notice whereby a hacker can point to one of our server IP addresses as
a proxy server address in their browser. Once again Apache simply ignored the HOST header
in the request, and this time it confused the gate-keeper s/w too and let the request through
w/o authentication.

I want to keep this post simple and hence skip the details. I know we have a problem with
the gate-keeper s/w and will open a case with them, but I wished there was an Apache directive
which would simply reject requests with a non-matching HOST.

Thank you
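The usual way to get the behaviour asked for above is a name-based catch-all vhost, shown here as an added example (Apache 2.2-era syntax; not from the original post or its author). The listener address 192.0.2.10, the site name www.example.com and the backend URL are placeholders.

```apache
# Added example (not from the original post): make Apache refuse requests whose
# Host header names no configured site. 192.0.2.10, www.example.com and
# backend.internal are placeholders, not values from the post.
#
# With purely IP-based vhosts, matching is on address:port only and the Host
# header is never consulted. Turning on name-based matching for the address
# makes the FIRST <VirtualHost> listed for it the default, which is where
# unmatched or missing Host headers land. An absolute-URI (proxy-style) request
# is matched by the host in that URI, so it ends up in the same place.
NameVirtualHost 192.0.2.10:80

# Catch-all vhost, listed first: anything that matches no ServerName or
# ServerAlias below is served from here, and here everything is denied.
<VirtualHost 192.0.2.10:80>
    ServerName default.invalid
    <Location />
        Order deny,allow
        Deny from all
        # Apache 2.4 equivalent: Require all denied
    </Location>
</VirtualHost>

# The real site, reached only when the Host header actually names it.
<VirtualHost 192.0.2.10:80>
    ServerName www.example.com

    # Second check inside the vhost: refuse anything whose Host header is not
    # exactly this name (optionally with :80), including an empty Host header.
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^www\.example\.com(:80)?$ [NC]
    RewriteRule ^ - [F]

    ProxyRequests Off
    ProxyPass        /all http://backend.internal:8080/all
    ProxyPassReverse /all http://backend.internal:8080/all
</VirtualHost>
```

Add a ServerAlias to the real vhost (and extend the RewriteCond) for every other name the site is legitimately reached by, otherwise those requests fall into the catch-all and are refused.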
