Ross L Richardson([email protected]) on 2020.08.09 20:07:11 +1000:
> 
> At present, if a request contains no "Host:" header [HTTP pre-1.1] or
> if the supplied header does not match any of the servers configured
> in httpd.conf, the request is directed to the first server.  This
> isn't documented, AFAICT.
> 
> For example, if httpd.conf has just one server
>       server "www.example.com"
> then we currently get
>       $ printf "HEAD / HTTP/1.0\r\nHost: www.openbsd.org\r\n\r\n" \
>           | nc www.example.com www | sed 1q 
>       HTTP/1.0 200 OK
> 
> This behaviour strikes me as wrong (or at least sub-optimal) in the
> case of non-matching "Host:" headers.  The simplistic patch below
> changes things to return a 404 status if no matching server is found.
> 
> [If status code 400 (bad request) is preferred, "goto fail;"
> could be used.]
> 
> Justification:
> - This seems more correct, and is consistent with the "fail closed"
>   approach.

In which way can the current behaviour cause problems?

I don't think we should treat Host: headers as secrets, so there is no
information leakage or such a thing.

The downside of changing this is possible breakage in existing configs,
that should be avoided.

> - There is a net gain in functionality, as use of glob/patterns
>   wildcards can easily re-establish the current behaviour.  In
>   contrast, there's no way at present to disable the implicit
>   match-anything behaviour.

As jca@ shows, the first host can be a dummy.

I kind of think that this is a documentation problem, we should document
this in the manpage and maybe example config:

diff --git etc/examples/httpd.conf etc/examples/httpd.conf
index fee8d607e90..67eb075eb3e 100644
--- etc/examples/httpd.conf
+++ etc/examples/httpd.conf
@@ -1,5 +1,11 @@
 # $OpenBSD: httpd.conf,v 1.20 2018/06/13 15:08:24 reyk Exp $
 
+# define a default server, to produce 404 responses for unknown hosts.
+server "default" {
+       listen on * port 80
+       root "/nonexistant"
+}
+
 server "example.com" {
        listen on * port 80
        location "/.well-known/acme-challenge/*" {
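Review bot: The comment on the new "default" server should say that it has to stay the first server section in the file, since (per the httpd.conf.5 hunk) it is the position, not the name "default", that makes it the implicit catch-all; a reader who moves it below "example.com" silently loses the 404 behaviour. Two smaller points: "/nonexistant" should be spelled "/nonexistent", and because this block only has `listen on * port 80`, any other listener added to the example (another port, or TLS) would still fall through to whichever server is first for that listener, so either note that in the comment or give the default server a matching listen line for each port used.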
diff --git usr.sbin/httpd/httpd.conf.5 usr.sbin/httpd/httpd.conf.5
index 02b4442693b..45780cab78b 100644
--- usr.sbin/httpd/httpd.conf.5
+++ usr.sbin/httpd/httpd.conf.5
@@ -660,6 +660,12 @@ It is possible to set
 to default to use the httpd default timeout of 2 hours.
 .El
 .El
+.Pp
+The first
+.Ic server
+section defines an implicit default for all requests that are not served by 
other
+.Ic server
+declarations.
 .Sh TYPES
 Configure the supported media types.
 .Xr httpd 8
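Review bot: The line "other" in this hunk has no leading "+" marker, so the patch as posted will not apply cleanly (it looks like mail wrapping of the long "section defines an implicit default ..." line); rewrap it below the line-length limit, for example "+section defines an implicit default for all requests" / "+that are not served by other" / "+.Ic server" / "+declarations.". While here, it would be worth stating that requests carrying no Host header at all (the pre-1.1 case raised at the top of the thread) are served by this first section as well, since that is the other half of the undocumented behaviour being described.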

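To make the implicit-default rule discussed above easy to audit, here is an added example (not from the thread or from httpd itself): a small Python check that reads an httpd.conf and reports, for each listen address/port, which server would receive a request whose Host: header matches nothing, flagging listeners whose implicit default is a real site rather than a deliberate catch-all. It assumes a simplified config grammar (no macros, includes, or alias lines) and the sample config is constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample config (not from the thread): two sites plus a TLS
# listener, with no explicit catch-all server declared first.
SAMPLE_CONF = """
server "example.com" {
        listen on * port 80
        location "/.well-known/acme-challenge/*" {
                root "/acme"
        }
}
server "example.com" {
        listen on * tls port 443
        tls certificate "/etc/ssl/example.com.crt"
}
server "intranet.example.com" {
        listen on 10.0.0.5 port 80
}
"""

SERVER_RE = re.compile(r'^\s*server\s+"([^"]*)"\s*\{')
LISTEN_RE = re.compile(r'^\s*listen\s+on\s+(\S+)(\s+tls)?\s+port\s+(\d+)')


def implicit_defaults(conf: str) -> Dict[Tuple[str, int], str]:
    """Map (address, port) -> name of the first server declared for that
    listener, i.e. the one that answers when no server name matches the
    Host: header (assumption: simplified grammar, no alias/include/macro)."""
    defaults: Dict[Tuple[str, int], str] = {}
    current = None
    depth = 0
    for line in conf.splitlines():
        line = line.split("#", 1)[0]            # drop comments
        m = SERVER_RE.match(line)
        if m and depth == 0:
            current = m.group(1)                # entering a top-level server
        if current is not None:
            m = LISTEN_RE.match(line)
            if m:
                key = (m.group(1), int(m.group(3)))
                defaults.setdefault(key, current)   # first declaration wins
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None                      # left the server block
    return defaults


def unguarded_listeners(conf: str) -> List[Tuple[str, int, str]]:
    """Listeners whose implicit default is a named site, not an intentional
    catch-all (name containing a '*' glob, or the conventional "default")."""
    return [(addr, port, name) for (addr, port), name in implicit_defaults(conf).items()
            if "*" not in name and name != "default"]
```

Prepending a `server "default"` block with a `listen on * port 80` line to the sample makes that listener disappear from the findings, while the 443 and 10.0.0.5 listeners remain flagged.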