httpd-users mailing list archives

From Rainer Canavan <rainer.cana...@sevenval.com>
Subject Re: [users@httpd] 2.4 named virtual hosts question
Date Mon, 12 Sep 2016 15:47:05 GMT
On Mon, Sep 12, 2016 at 3:21 PM, Marat Khalili <mkh@rqc.ru> wrote:
> On 12/09/16 15:25, Rainer Canavan wrote:
>>
>>
>> However, in this example, you'd add a virtualhost that may expose
>> globally configured resources without the individual access controls of
>> the "real" vhosts. On top of that, the additional vhost may not see any
>> significant testing in case of configuration changes.
>
> I don't get it, can you please provide an example? IMO any additional vhosts
> should not depend at all on what's inside this vhost.

The obvious ones I can come up with would be Alias, ScriptAlias,
FastCGIExternalServer, Action and RewriteRule. All those can be defined
in the global context (i.e. outside of any vhost) and are valid for all
vhosts. (For RewriteRule, that may require RewriteOptions Inherit; all
others simply apply to all vhosts.)

>> Do _exactly_ that, e.g. with a RewriteRule to - and RewriteCond that
>> checks the Host: header.
>
> You mean, outside any virtualhost? Why do you think it's better? Initial
> problem was default virtualhost -- I want none.

That's exactly what I'm saying. A default vhost has the potential to add
more problems than it can ever solve.

[...]

>> Overall I'd say that the negligible gain in
>> perceived security isn't worth the effort or the additional risks
>> (both regarding security and availability).
>
> Well, for one thing log messages from actual vhosts and from internet scans
> are separated, this alone saves a lot of time.

Finally, an actual, measurable benefit, although it only filters out the
not-too-smart scanners.

rainer
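
Added example, not part of the original message: a small audit that lists the directives named above when they appear outside every `<VirtualHost>` block, since those are the ones a catch-all vhost would also serve. The sample configuration, the paths and the function name `global_directives` are constructed for illustration.

```python
import re

# Directives the message names as definable in the global context (outside any vhost).
WATCHED = {"alias", "scriptalias", "fastcgiexternalserver", "action", "rewriterule"}
OPEN = re.compile(r"<\s*([A-Za-z]+)\b[^>]*>")
CLOSE = re.compile(r"</\s*([A-Za-z]+)\s*>")

def global_directives(conf_text):
    """Return (line_no, directive, scope_note) for watched directives found
    outside every <VirtualHost> block. Include files are not followed."""
    findings, stack = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            stack.append(m.group(1).lower())
            continue
        name = line.split(None, 1)[0].lower()
        if name in WATCHED and "virtualhost" not in stack:
            # Per the message: RewriteRule may need RewriteOptions Inherit.
            note = ("vhosts with RewriteOptions Inherit" if name == "rewriterule"
                    else "all vhosts, including any default vhost")
            findings.append((no, name, note))
    return findings

# Constructed sample configuration (not from the thread).
SAMPLE = """\
Alias /admin-tool /usr/share/admin-tool
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
RewriteRule ^/old$ /new [R]
<VirtualHost *:80>
    ServerName default.invalid
</VirtualHost>
<VirtualHost *:80>
    ServerName www.example.com
    Alias /static /var/www/site/static
    <Directory /var/www/site>
        Require all granted
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for no, name, note in global_directives(SAMPLE):
        print(f"line {no}: {name} is global -> reaches {note}")
```

Each reported line is a resource to move inside the vhost that needs it, or to cover with its own access control, before adding a default vhost.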
