Am 18.08.2013 20:49, schrieb Eric Covener: > On Sun, Aug 18, 2013 at 12:55 PM, Stefan Fritsch <[email protected]> wrote: >> for setups that only use virtual hosts, it can be useful to deny >> requests in the main server context with a meaningful error message. >> This can make debugging configuration errors much easier. >> >> AFAICS, there is no easy way to achieve this. Or did I miss something? >> Any opinions about adding a new config directive for this purpose? If >> yes, how should this be named? AllowNonVHostRequests (with a default >> of 'yes')? > > I don't know of any recipe for this, and I think a directive is okay. > But what would the status be, and how would you override it just for > this case?
sounds AFAIK similar like http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslstrictsnivhostcheck and as i understand the proposal if configured for the first and so default vhost while there is no host-header matchig ServerName or ServerAlias "403 Forbidden" makes IMHO sense, i see a lot of mod_security hits all over our servers with fantasy-hostnames rejected because other reasons and a request with a non-configred hostname is most likely some scanner searching for vulnerabilities
signature.asc
Description: OpenPGP digital signature
