> On 24.05.2018 at 14:22, Yann Ylavic <[email protected]> wrote:
>
> On Thu, May 24, 2018 at 2:09 PM, Eric Covener <[email protected]> wrote:
>>
>> Thinking about base server and how scanners report it the "vulnerability"...
>>
>> AllowUnmatchedHost[name]?
>> RejectUnknownHost[name]?
>
> The one or the other is probably a better name than UseDefaultVHost,
> it allows to specify it by vhost (really meaningful on base servers
> though) OR globally to avoid using fake base servers in the whole
> configuration (when relevant).
>
> Looks good to me.

Like it. For simplicity, I think it should only be global. Using it in the first vhost has the same effect. Using it in a subsequent vhost will have no effect. Does not really make sense, or?

So, proposal:

    RejectUnknownHosts [ on | off ]   (Default: off)

as core directive.

For mod_ssl, it would be good to move its "ssl_find_vhost()" partially into the core. We could add a method

    AP_DECLARE(server_rec *) ap_vhost_find_server(conn_rec *c, const char *hostname);

that returns the match, the base or NULL if rejected. That would remove parts of the vhost matching implementation in mod_ssl and we would not need to expose the core config.

WDYT?
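
The three outcomes of the lookup proposed above (the match, the base, or NULL if rejected), sketched as an added example that is not httpd code and not part of the original message. The names vhost, vhost_table, find_server and the sample host names are hypothetical stand-ins for server_rec and the core config; case-insensitive matching and trailing-dot stripping are choices of this example.

```c
#include <ctype.h>
#include <string.h>

/* Simplified stand-ins (assumptions), not httpd's server_rec or core config. */
typedef struct {
    const char *server_name;     /* ServerName */
    const char *const *aliases;  /* NULL-terminated ServerAlias list, or NULL */
} vhost;
typedef struct {
    const vhost *base, *vhosts;  /* base server; name-based vhosts in order */
    size_t n_vhosts;
    int reject_unknown_hosts;    /* the proposed RejectUnknownHosts on|off */
} vhost_table;

/* Case-insensitive match of a configured name against host[0..hlen). */
static int host_eq(const char *name, const char *host, size_t hlen)
{
    if (strlen(name) != hlen)
        return 0;
    for (size_t i = 0; i < hlen; i++)
        if (tolower((unsigned char)name[i]) != tolower((unsigned char)host[i]))
            return 0;
    return 1;
}

/* Match, base, or NULL if rejected. Wildcard aliases are not modelled. */
const vhost *find_server(const vhost_table *t, const char *hostname)
{
    size_t hlen = hostname ? strlen(hostname) : 0;
    if (hlen > 0 && hostname[hlen - 1] == '.')
        hlen--;                  /* treat "name." like "name" */
    for (size_t i = 0; hlen > 0 && i < t->n_vhosts; i++) {
        const vhost *v = &t->vhosts[i];
        if (host_eq(v->server_name, hostname, hlen))
            return v;
        for (const char *const *a = v->aliases; a && *a; a++)
            if (host_eq(*a, hostname, hlen))
                return v;
    }
    return t->reject_unknown_hosts ? NULL : t->base;
}

/* Constructed sample configuration. */
static const char *const www_aliases[] = { "example.test", NULL };
static const vhost sample_base = { "base.example.test", NULL };
static const vhost sample_vhosts[] = {
    { "www.example.test", www_aliases }, { "api.example.test", NULL } };
const vhost_table table_off = { &sample_base, sample_vhosts, 2, 0 };
const vhost_table table_on  = { &sample_base, sample_vhosts, 2, 1 };
```

A caller in the TLS handshake path would treat the NULL return as the signal to refuse the connection instead of serving the base server's content and certificate.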
