httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Canavan <rainer.cana...@sevenval.com>
Subject Re: [users@httpd] 2.4 named virtual hosts question
Date Mon, 12 Sep 2016 09:03:02 GMT
>> <VirtualHost *:80>
>>     ServerName default
>>
>>     <Directory />
>>         AllowOverride none
>>         Order Allow,Deny
>>         Require all denied
>>     </Directory>
>> </VirtualHost>
[...]

I'm not 100% sure, but that may not deny access to absolutely everything,
in case you have global
directives such as cgi aliases or proxy constructs, possibly with
mod_rewrite and [P] which point
to non-directory resources.

Therefore it may be better to use <Location> instead of <Directory>.

Additionally, if you bind any further vhosts to specific IP addresses, e.g.
<VirtualHost 192.0.2.1:80>, then that virtualhost will have precedence for
requests to 192.0.2.1:80 over the *:80 virtualhost.

Overall, I'd say that such a construct is more likely to increase the
attack surface
instead of reducing it.

rainer

Mime
View raw message