Seems I have a lot of people trying to access my repository who have no
business doing so:

[andy@toaster|~/fossil]$ fossil info myprojectname.fossil
access-url: http://                            2015-02-23
access-url: http://216.114.41.8                2015-02-23
access-url: http://216.114.41.8:80             2015-03-05
access-url: http://24x7-allrequestsallowed.com 2015-04-01
access-url: http://5.61.43.116                 2015-04-02
access-url: http://66.160.219.98               2015-03-06
access-url: http://66.160.219.98:80            2015-03-09
access-url: http://dns.cloud.ph                2015-03-10
access-url: http://google.com                  2015-02-24
access-url: http://httpheader.net              2015-03-23
access-url: http://s1.bdstatic.com             2015-04-24
access-url: http://testp1.piwo.pila.pl         2015-04-08
access-url: http://testp3.pospr.waw.pl         2015-03-05
access-url: http://testp4.pospr.waw.pl         2015-03-10
access-url: http://toaster                     2015-02-23
access-url: http://toaster.x.                  2015-02-23
access-url: http://un.is-a-geek.com            2015-03-30
access-url: http://un.is-a-geek.com:8080       2015-03-14
access-url: http://www.baidu.com               2015-02-24
access-url: http://www.teddybrinkofski.com     2015-03-13

Only one of these is valid.  Most likely, they're cycling through ranges
of addresses to see which listen on port 80, and if open, send dummy
HTTP headers to check if the response indicates a server with known
security vulnerabilities.

I'd like to limit access based on the HTTP/1.1 Host: header.  If Host:
isn't un.is-a-geek.com or un.is-a-geek.com. (note final period) then
just drop the connection.

A further refinement would be virtual hosting in which different Host:
values map to different repositories.  I don't need this feature, but
others might.

If it's not already clear, this particular repository should only be
accessible to a handful of people.  Anonymous access is already
disabled, but I ought to do SSL to shut out anyone sniffing the network.
However, the server uses a 350MHz PII with 256MB RAM, so this might be
tight.

-- 
Andy Goth | <andrew.m.goth/at/gmail/dot/com>
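An added example of the Host-header allowlist check the post proposes; it is not code from the original message or from Fossil itself. It assumes the server can see the raw request head before routing and decide whether to serve or drop the connection. The allowlist, the sample requests and the helper names (`normalize_host`, `parse_host_header`, `should_serve`) are constructed for the example. It goes slightly beyond the post by also handling a `:port` suffix, bracketed IPv6 literals, and missing or duplicated Host headers.

```python
"""Host-header allowlist check (added example, not Fossil's own code).

Requests whose Host header does not name the server's own hostname are
refused. Scanners that connect by IP address or send some other site's name
in Host, as in the access-url list in the post, never match the allowlist.
"""

# Constructed allowlist: the hostname the post wants to accept. The trailing-dot
# form ("un.is-a-geek.com.") is folded into this by normalize_host().
ALLOWED_HOSTS = {"un.is-a-geek.com"}


def normalize_host(raw):
    """Canonicalise a Host header value for comparison.

    Lower-cases the value, drops an optional :port suffix and one trailing dot
    (absolute FQDN form). Returns None for an empty or malformed value so the
    caller treats it as a mismatch instead of accidentally matching.
    """
    value = raw.strip().lower()
    if not value:
        return None
    if value.startswith("["):                      # bracketed IPv6 literal
        end = value.find("]")
        if end == -1:
            return None
        host, port = value[1:end], value[end + 1:]
        if port and not (port.startswith(":") and port[1:].isdigit()):
            return None
    elif ":" in value:                             # name:port or v4:port
        host, port = value.rsplit(":", 1)
        if not port.isdigit():
            return None
    else:
        host = value
    if host.endswith("."):
        host = host[:-1]
    if not host or any(c.isspace() for c in host):
        return None
    return host


def parse_host_header(request_head):
    """Return the single Host header value from a raw request head, or None.

    None is returned when the header is missing or appears more than once:
    HTTP/1.1 requires exactly one, and a duplicated Host is ambiguous, so the
    safe decision is to refuse rather than pick one.
    """
    try:
        text = request_head.decode("ascii")
    except UnicodeDecodeError:
        return None
    head = text.split("\r\n\r\n", 1)[0]            # headers only, no body
    lines = head.split("\r\n")
    found = [ln.split(":", 1)[1] for ln in lines[1:]    # skip request line
             if ln.lower().startswith("host:")]
    if len(found) != 1:
        return None
    return found[0]


def should_serve(request_head, allowed=ALLOWED_HOSTS):
    """True only if the request carries exactly one Host naming an allowed host."""
    host = parse_host_header(request_head)
    if host is None:
        return False
    canonical = normalize_host(host)
    return canonical is not None and canonical in allowed


# Constructed sample request heads modelled on the post's access-url list.
SAMPLE_REQUESTS = {
    "own name":          b"GET /timeline HTTP/1.1\r\nHost: un.is-a-geek.com\r\n\r\n",
    "own name, fqdn+port": b"GET / HTTP/1.1\r\nHost: UN.is-a-geek.com.:8080\r\n\r\n",
    "scanner by ip":     b"GET / HTTP/1.1\r\nHost: 216.114.41.8:80\r\n\r\n",
    "foreign name":      b"GET / HTTP/1.1\r\nHost: www.baidu.com\r\n\r\n",
    "no host header":    b"GET / HTTP/1.1\r\nUser-Agent: probe\r\n\r\n",
    "duplicate host":    b"GET / HTTP/1.1\r\nHost: un.is-a-geek.com\r\nHost: google.com\r\n\r\n",
}


def classify_samples():
    """Map each sample label to the serve/drop decision."""
    return {label: should_serve(req) for label, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, ok in classify_samples().items():
        print(f"{label:22s} -> {'serve' if ok else 'drop'}")
```

Since Host is supplied by the client, this check only turns away untargeted scanners and should sit alongside the repository's own login, not replace it; logging the dropped requests gives a cheap record of who is probing the port.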

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users