www-apache-bugdb mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: config/2005: Incorrect Virtual Servers
Date Thu, 09 Apr 1998 20:50:01 GMT
The following reply was made to PR config/2005; it has been noted by GNATS.

From: Dean Gaudet <dgaudet@arctic.org>
To: Oliver von Bueren <ovb@ovb.ch>
Cc: al@shatz.co.uk, apbugs@Apache.Org
Subject: Re: config/2005: Incorrect Virtual Servers
Date: Thu, 9 Apr 1998 13:49:16 -0700 (PDT)

 On Thu, 9 Apr 1998, Oliver von Bueren wrote:
 
 > hosts
 > bind
 > 
 > and in the hosts there was the "wrong" ip address entered. The address
 > there was .144, which is the primary address for this machine (FreeBSD
 > 2.1.7 by the way). The DNS has .145, which all the other mentioned
 > vhost have too. 
 
 Yup this is the bug then, it's a configuration problem... you'll need to
 fix that dns.  (That's why I asked about it). 
 
 > >(I'm still looking for other possibilities.)
 > I still see it as a strange behavior in Apache 1.2.6 and definitely
 > different than 1.2.5.
 
 It's definitely different, it was deliberately changed for security
 reasons.  Suppose that one of the addresses had been 10.0.0.1 and only
 supposed to be accessed via your local network, and not from the wild
 internet (i.e. filtered at your router).  Apache prior to 1.2.6 (and prior
 to 1.3b1 I think it was) would happily let you access hosts that were
 bound to other IP addresses.  Here's the CHANGES entry:
 
   *) SECURITY: When a client connects to a particular port/addr, and
      gives a Host: header ensure that the virtual host requested can
      actually be reached via that port/addr.  [Ed Korthof <ed@organic.com>]
 
 
 > The .144 is a valid address for this host and
 > Apache does listen to that IP too. Another very strange thing is, that
 > if I make a request to the IP address itself, http://195.65.24.144, I
 > don't end up at www.ovb.ch, but the default page for that IP address,
 > which is not a virtual host but the "global" page as defined by
 > ServerRoot outside any VirtualHost. So if Apache only checks
 > VirtualHosts for .144, it should have returned the main documents for
 > the server and not www.ovb.ch.
 
 I'd need more of the config to know if this is wrong.  Usually you want to
 put in a _default_ virtual host to control access to otherwise unspecified
 IP addresses.  It could just be one of the other brokennesses of pre 1.3
 vhosts... and unlikely to be fixed (since it's all rewritten in 1.3
 anyhow).
 
 Dean
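
Added example (not part of the original message and not Apache source code): a simplified Python model of the check in the CHANGES entry above, contrasting name-only vhost selection with selection restricted to the address and port the connection arrived on. The host names, the 192.0.2.145 address and the function names are constructed for illustration.

```python
# Simplified model of the vhost check described in the CHANGES entry.
# Constructed for illustration; this is not Apache's implementation.
from typing import List, NamedTuple, Optional


class VHost(NamedTuple):
    name: str   # ServerName compared with the Host: header
    addr: str   # local IP address the vhost is bound to
    port: int


# Constructed sample configuration: one public site, one internal-only site
# bound to 10.0.0.1 (the address used in the message's scenario).
VHOSTS = [
    VHost("www.example.test", "192.0.2.145", 80),
    VHost("intranet.example.test", "10.0.0.1", 80),
]


def host_name(host_header: str) -> str:
    """Normalise a Host: value: drop any :port, trailing dot and case."""
    return host_header.strip().partition(":")[0].rstrip(".").lower()


def select_by_name_only(vhosts: List[VHost], host_header: str) -> Optional[VHost]:
    """Old behaviour: any vhost whose name matches the Host: header is served,
    regardless of which local address accepted the connection."""
    name = host_name(host_header)
    return next((v for v in vhosts if v.name == name), None)


def select_checked(vhosts: List[VHost], local_addr: str, local_port: int,
                   host_header: str) -> Optional[VHost]:
    """Changed behaviour: a vhost is a candidate only if it is bound to the
    addr/port the client connected to. None means 'use the main server or
    the _default_ vhost'."""
    name = host_name(host_header)
    for v in vhosts:
        if v.name == name and v.addr == local_addr and v.port == local_port:
            return v
    return None


if __name__ == "__main__":
    # Connection accepted on the public address, Host: names the internal site.
    print("name only:", select_by_name_only(VHOSTS, "intranet.example.test"))
    print("checked  :", select_checked(VHOSTS, "192.0.2.145", 80,
                                       "intranet.example.test"))
```

The same check explains the symptom in this PR: a vhost whose name resolves to a different address than the one clients connect to no longer matches, so the request falls through to the main server.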
 
