httpd-users mailing list archives

From Marat Khalili <...@rqc.ru>
Subject Re: [users@httpd] 2.4 named virtual hosts question
Date Mon, 12 Sep 2016 13:21:26 GMT
On 12/09/16 15:25, Rainer Canavan wrote:
>
> However, in this example, you'd add a virtualhost that may expose
> globally configured resources without the individual access controls of
> the "real" vhosts. On top of that, the additional vhost may not see any
> significant testing in case of configuration changes.
I don't get it, can you please provide an example? IMO any additional 
vhosts should not depend at all on what's inside this vhost.

>
> Do _exactly_ that, e.g. with a RewriteRule to - and RewriteCond that
> checks the Host: header.
You mean, outside any virtualhost? Why do you think it's better? The initial 
problem was the default virtualhost -- I want none. Your method only 
protects from the absence of a Host header, not from an incorrect Host header, 
SNI etc. IMO presupposing Apache vhost selection is a bad solution here.

> If you're really serious, you'd also have to make sure that any error messages
> don't contain the hostname, and you'd have to set reverse DNS lookups to
> point to a useless name.
I did.

> Overall I'd say that the negligible gain in
> perceived security isn't worth the effort or the additional risks
> (both regarding security and availability).
Well, for one thing, log messages from actual vhosts and from internet 
scans are separated; this alone saves a lot of time.

--

With Best Regards,
Marat Khalili
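
The setup argued over in this message, as an added example (not configuration posted by anyone in the thread): a first-listed catch-all vhost that denies everything and logs separately, next to one real site. Hostnames, paths and log file names are constructed placeholders, and the `combined` log format is assumed to be defined as in the stock httpd.conf.

```apache
# Added example; hostnames, paths and log names are constructed placeholders.

# Keep the hostname out of the footer of server-generated error pages.
ServerSignature Off

# Listed first for *:80, so it receives every request whose Host header is
# missing or matches no ServerName/ServerAlias of the vhosts below.
<VirtualHost *:80>
    ServerName catchall.invalid

    # Scan traffic is logged apart from the real sites.
    ErrorLog  "logs/catchall_error.log"
    CustomLog "logs/catchall_access.log" combined

    # Refuse every URL. <Location> sections are merged after <Directory>
    # sections, so this also covers globally configured Alias or Location
    # resources that would otherwise be reachable through this vhost
    # without the access controls of the real sites.
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# A real site with its own logs and its own access rules.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/var/www/example"

    ErrorLog  "logs/example_error.log"
    CustomLog "logs/example_access.log" combined

    <Directory "/var/www/example">
        Require all granted
    </Directory>
</VirtualHost>
```

`apachectl -S` prints which vhost is the default for each address and port, which is a quick check after any configuration change that the catch-all is still the one listed first.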
