httpd-users mailing list archives

From Marat Khalili <...@rqc.ru>
Subject Re: [users@httpd] 2.4 named virtual hosts question
Date Mon, 12 Sep 2016 09:38:06 GMT
On 12/09/16 12:03, Rainer Canavan wrote:

> I'm not 100% sure, but that may not deny access to absolutely 
> everything, in case you have global
> directives such as cgi aliases or proxy constructs, possibly with 
> mod_rewrite and [P] which point
> to non-directory resources.
>
> Therefore it may be better to use <Location> instead of <Directory>.
Thanks for noticing! Of course all other directives are supposed to be 
within virtualhosts, but worth changing just to be extra sure.

> Additionally, if you bind any further vhosts to specific IP addresses,
> e.g.
> <VirtualHost 192.0.2.1:80>, then that
> virtualhost will have precedence for
> requests to 192.0.2.1:80 over the *:80 virtualhost.
In this case you'll have to create a separate default deny configuration for 
each IP address, right?

> Overall, I'd say that such a construct is more likely to increase the 
> attack surface
> instead of reducing it.
I don't think _denying_ something can _increase_ attack surface. But 
since there's seemingly demand for this kind of configuration it'd be 
nice if the community helped make it better and more secure. What extra 
steps do you think one should take to securely deny (and subsequently 
ban) clients (mostly bots) that do not even know the domain name they are 
accessing?

--

With Best Regards,
Marat Khalili
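
The two points discussed in this message, putting the deny rule in <Location> and giving each IP-bound address its own default, shown as an added configuration example that is not part of the original message or thread. The hostnames, document roots and the choice of sites bound to 192.0.2.1 are constructed for illustration.

```apache
# Added illustration. All ServerName values and paths are constructed.

# Catch-all for *:80. The first <VirtualHost> listed for an address:port
# set is used when no ServerName/ServerAlias matches the Host header, so
# this block must be loaded before the real sites on *:80.
<VirtualHost *:80>
    ServerName default.invalid
    # <Location> matches on the URL path, so the deny also applies to
    # requests that never map to a filesystem directory (proxied or
    # aliased resources), which a <Directory> block would not cover.
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# An explicit address is a more specific match than *:80, so requests to
# 192.0.2.1:80 never reach the block above. This address needs its own
# default-deny vhost, again listed first among the vhosts bound to it.
<VirtualHost 192.0.2.1:80>
    ServerName default-192-0-2-1.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# Real sites follow. Each is selected only when the Host header matches.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/var/www/example"
</VirtualHost>

<VirtualHost 192.0.2.1:80>
    ServerName app.example.com
    DocumentRoot "/var/www/app"
</VirtualHost>
```

Running `apachectl -S` prints the parsed virtual host table, including which vhost is the default for each address:port, which confirms that the deny blocks were loaded first.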

