https://issues.apache.org/bugzilla/show_bug.cgi?id=56395
Bug ID: 56395
Summary: Allow SERVER_ADDR environment variable to be
optionally undisclosed
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Core
Assignee: [email protected]
Reporter: [email protected]
Created attachment 31516
--> https://issues.apache.org/bugzilla/attachment.cgi?id=31516&action=edit
Allow SERVER_ADDR to be undisclosed via a core directive
It may be useful to not disclose the web server's IP address to scripts running
on the server. My use case for this is to aid in protection agains DDoS
attacks, where a website's DNS zone is set up such that the server address is
not published in a "guessable" way (eg. by pointing to a CDN provider and using
a random DNS entry for sync'ing between the CDN and the server).
The attached patches implement this. The first one does that via a code
configuration directive. In that case, if the user sets "ExportServerAddr Off",
then the SERVER_ADDR environment variable will not be passed to scripts.
The second patch does the same, but using environment variables instead. In
that case the user has to set "PassEnv HIDE_SERVER_ADDR" and then define this
variable in the shell (eg. export HIDE_SERVER_ADDR=1). To revert to the default
behavior, one only has to unset the variable (eg. unset HIDE_SERVER_ADDR).
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
