https://bz.apache.org/bugzilla/show_bug.cgi?id=61328
Bug ID: 61328
Summary: provide straightforward option to only respond on
configured hostnames
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: Core
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Currently, any hostname is accepted by the server, often funnelled into the
first-listed vhost of a set of name-based virtual hosts. Lots of scanners flag
this in combination with UseCanonicalName OFF (default) as a problem.
While it's easy for power users to rig a default vhost to catch these things, I
think it would help usability to make it a first class directive/feature.
I am not sure if it's better to be something like a list of hostnames that
are VH idependent, or just a flag that says the hosts must match a
ServerName/ServerAlias (pushing the handling down into vhost.c).
Probably need to think how an htaccess-only consumer could make use of it. I
think this could have an effect on whether the config is always dependent on
virtual hosts or not.
Could even be a authz provider that read a note set by vhost.c.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
