On Sunday, 18 August 2013, 20:59:53, Reindl Harald wrote:
> On 18.08.2013 20:49, Eric Covener wrote:
> > On Sun, Aug 18, 2013 at 12:55 PM, Stefan Fritsch <[email protected]> wrote:
> >> for setups that only use virtual hosts, it can be useful to deny
> >> requests in the main server context with a meaningful error
> >> message. This can make debugging configuration errors much
> >> easier.
> >>
> >> AFAICS, there is no easy way to achieve this. Or did I miss
> >> something? Any opinions about adding a new config directive for
> >> this purpose? If yes, how should this be named?
> >> AllowNonVHostRequests (with a default of 'yes')?
> >
> > I don't know of any recipe for this, and I think a directive is
> > okay. But what would the status be, and how would you override it
> > just for this case?

I would make it return status 500 (because its purpose is to catch
configuration errors). Not sure I understand what you mean with "how
would you override it", though. It would be a global-only setting and
would deny all requests where server_rec->is_virtual is 0.

> sounds AFAIK similar like
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslstrictsnivhostcheck
>
> and as i understand the proposal if configured for the first and so
> default vhost while there is no host-header matching ServerName
> or ServerAlias "403 Forbidden"
>
> makes IMHO sense, i see a lot of mod_security hits all over our
> servers with fantasy-hostnames rejected because other reasons
> and a request with a non-configured hostname is most likely
> some scanner searching for vulnerabilities

Here you want to solve a different problem. My intention is to catch
the cases where no <VirtualHost> block matches. For example if you
have a Listen 8080 but no <VirtualHost *:8080> and no <VirtualHost *>
block.

What you mean is to disable the behavior of name based virtual hosts
to use the first virtual host matching the requested IP/port as
default if none of the ServerNames/ServerAliases matches. That could
be a reasonable feature, too, but (except for the log message) this
can already be achieved by putting a "require all denied" or
"redirect 500 /" into the first (default) vhost. This works because
the non-default vhosts don't inherit from the default vhosts. If this
is added as a new directive, AllowNonVHostRequests is definitely not
the correct name. Maybe AllowNamedVirtualHostFallback or
StrictVHostCheck.

For my problem, the same solution does not work. If you put a
"redirect 500 /" into the global server scope case, all virtual hosts
inherit this directive, denying access everywhere (or requiring to
explicitly put something into every vhost to override the "require
all denied" from the global server scope).
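
A port-level lint for the misconfiguration described above (a Listen port that no <VirtualHost> block can match), as an added example that is not part of the original message or of httpd. It assumes a single config file with no Include expansion and compares ports only, not IP addresses; the sample config and function names are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread): port 8080 has no vhost.
SAMPLE_CONF = """\
Listen 80
Listen 8080
Listen 192.0.2.10:8443 https
<VirtualHost *:80>
    ServerName www.example.org
</VirtualHost>
# <VirtualHost *:8080>  (commented out by mistake)
<VirtualHost 192.0.2.10:8443>
    ServerName secure.example.org
</VirtualHost>
"""

LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE)
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)


def port_of(addr):
    """Port of 'port', 'ip:port' or '[v6]:port'; None means no port or '*'."""
    if addr.isdigit():
        return addr
    _, sep, port = addr.rpartition(":")
    if not sep or addr.endswith("]") or port == "*":
        return None
    return port


def uncovered_listen_ports(conf_text):
    """Listen ports that no <VirtualHost> address covers (ports only, no IPs)."""
    listen_ports, vhost_ports, any_port = set(), set(), False
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip comments
        if m := LISTEN_RE.match(line):
            listen_ports.add(port_of(m.group(1)))
        elif m := VHOST_RE.match(line):
            for addr in m.group(1).split():
                port = port_of(addr)
                any_port = any_port or port is None
                vhost_ports.add(port)
    if any_port:  # e.g. <VirtualHost *> matches every port
        return []
    return sorted((p for p in listen_ports - vhost_ports if p), key=int)


if __name__ == "__main__":
    for p in uncovered_listen_ports(SAMPLE_CONF):
        print(f"Listen port {p}: requests fall through to the main server")
```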
