yep, and a 403 triggered by httpd without calling a PHP script would save a lot of resources if some stupid robots are doing a lot of requests

maybe you could use something like this, which I previously did
too with a PHP script and LocationMatch

RedirectMatch 404 ^/.*admin-bak/(.*)$
RedirectMatch 404 ^/.*~admin/(.*)$
RedirectMatch 404 ^/.*backups/(.*)$
RedirectMatch 404 ^/.*backup/(.*)$
RedirectMatch 404 ^/.*_backup/(.*)$
... endless list of common searched vulnerable locations ...

On 18.08.2013 20:59, Yehuda Katz wrote:
> Just for my own servers, I usually create a default vhost and use mod_rewrite
> to send all requests to this script
> (simplified for post here).
>
> <?php
> header("HTTP/1.1 418 I'm a teapot");
> ?>
> <h1>I'm a teapot.</h1>
> <p>Well actually, I am a server, but I know about as much about what you
> requested as a teapot would. Please
> check your request and try again.</p>
>
>
> Not exactly what you are looking for, but fun.
> It is also easy to find in the logs because NOTHING uses that status.
>
>
> On Sun, Aug 18, 2013 at 12:55 PM, Stefan Fritsch <[email protected]> wrote:
>
> Hi,
>
> for setups that only use virtual hosts, it can be useful to deny
> requests in the main server context with a meaningful error message.
> This can make debugging configuration errors much easier.
>
> AFAICS, there is no easy way to achieve this. Or did I miss something?
> Any opinions about adding a new config directive for this purpose? If
> yes, how should this be named? AllowNonVHostRequests (with a default
> of 'yes')?
>
> An alternative would be to expose server_rec->is_virtual in the
> expression parser and have the admin add an appropriate <If> section
> to deny access. However this has higher overhead at run time and the
> error message in the log would be less descriptive.
>
> Cheers,
> Stefan
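
The quoted reply notes that a 418 from the catch-all vhost is easy to find in the logs. As an added example (not code from any poster in this thread), the following groups 418 responses by client in an access log, assuming Apache's "combined" log format; the sample lines, function names and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" format; the request field may contain backslash-escaped quotes.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges), not from a real server.
SAMPLE_LOG = r"""
203.0.113.7 - - [18/Aug/2013:20:41:02 +0200] "GET /admin-bak/ HTTP/1.1" 418 212 "-" "-"
203.0.113.7 - - [18/Aug/2013:20:41:02 +0200] "GET /backups/site.zip HTTP/1.1" 418 212 "-" "-"
203.0.113.7 - - [18/Aug/2013:20:41:03 +0200] "GET /_backup/ HTTP/1.1" 418 212 "-" "-"
198.51.100.20 - - [18/Aug/2013:20:42:10 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [18/Aug/2013:20:42:11 +0200] "GET / HTTP/1.1" 418 212 "-" "Mozilla/5.0"
192.0.2.44 - - [18/Aug/2013:20:43:00 +0200] "GET /a\"b HTTP/1.0" 418 212 "-" "-"
"""


def catchall_hits(lines, marker_status=418):
    """Map client address -> requested paths answered with the marker status."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m is None or int(m.group("status")) != marker_status:
            continue  # unparseable line, or a response from a real vhost
        request = m.group("request")
        parts = request.split()
        # Malformed requests may lack "METHOD path PROTO"; keep the raw field then.
        hits[m.group("host")].append(parts[1] if len(parts) >= 2 else request)
    return dict(hits)


def noisy_clients(hits, threshold=3):
    """Clients with at least `threshold` catch-all hits, busiest first."""
    counts = [(h, len(p)) for h, p in hits.items() if len(p) >= threshold]
    return sorted(counts, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    hits = catchall_hits(SAMPLE_LOG.splitlines())
    for host, count in noisy_clients(hits):
        print(host, count, hits[host])
```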
