At $dayjob I am seeing a lot of users running scans that flag any HTTP
response that incorporates the Host header into the response as
"vulnerable", even if the host is syntactically valid.

AIUI the standard solution is to create a default NVH for each
host:port combo to trap unknowns and use it to return an error.  But
this is a lot of work.  Rewrite has its own baggage (add it global,
add it to each VH, add it before other rewrites)

(things like proxy and CGI/PHP mean UseCanonicalName is insufficient)

Nothing currently crawls all ServerName/ServerAlias, becuase we always
select the best IP-based match firs then compare strings from the

Is anyone else interested in another way to configure this? Would you
want to crawl all servername/serveralias when enabled or pass in a
separate whitelist to a new directive?  With the latter, you could at
least make sure the e.g. * showed up without checking the
gory details.

Eric Covener

Reply via email to