There has to be some configuration Apache will use if it cannot match
any virtual host, or if no hostname is specified by the client. You can make
a configuration that denies access in this case, and put it before the
others. That's what I use:
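# Catch-all for plain HTTP: must be the first vhost Apache reads for *:80
<VirtualHost *:80>
    ServerName default
    <Directory />
        AllowOverride none
        # Order is the 2.2-style directive (needs mod_access_compat);
        # Require all denied is the 2.4 form.
        Order Allow,Deny
        Require all denied
    </Directory>
</VirtualHost>

SSLStrictSNIVHostCheck on

# Catch-all for HTTPS, served with the self-signed snakeoil certificate
<VirtualHost *:443>
    ServerName default
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    <Directory />
        AllowOverride none
        Order Allow,Deny
        Require all denied
    </Directory>
</VirtualHost>
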
Works great in pair with fail2ban ;)
--
With Best Regards,
Marat Khalili
On 12/09/16 04:43, Ronald F. Guilmette wrote:
A simple question. Sorry if this is an FAQ.
I'm just bringing up a fresh VM system that I plan to move my small
handful of web sites to.
I've so far managed to mostly get apache24 installed and configured.
I've moved all of my web sites over to the new system, and it mostly
all seems to be working, but I ran the "httpd -S" command to see
if that would detect any goof-ups on my part. (It did, but I already
fixed those.)
Now when I run "httpd -S" I am seeing in the output:
===============================================================================
VirtualHost configuration:
*:* is a NameVirtualHost
default server tristatelogic.com
(/usr/local/etc/apache24/extra/httpd-vhosts.conf:40)
port * namevhost tristatelogic.com
(/usr/local/etc/apache24/extra/httpd-vhosts.conf:40)
alias www.tristatelogic.com
port * namevhost 47-usc-230c2.org
(/usr/local/etc/apache24/extra/httpd-vhosts.conf:69)
alias www.47-usc-230c2.org
port * namevhost sordid-details.com
(/usr/local/etc/apache24/extra/httpd-vhosts.conf:94)
alias www.sordid-details.com
...
===============================================================================
I have three domains that I want to serve (as vhosts) from this newly
installed server, and all three are mentioned above. But the part I don't
get (and don't really want) is all that stuff about a default (*:*)
server/service. How can I get rid of that while still providing service
for my three vhosts?
(Note: People may say: "Oh, just leave it. It isn't really any
problem to just leave it." But I'm paranoid about security, so I'm
always inclined to minimize my attack surface as much as possible.)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
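
Added example, not from either poster: the deny-all vhost only helps if it is the one Apache falls back to, and the "default server" lines of "httpd -S" show that. This Python check parses that output and lists every listener whose default server is not the catch-all; the sample output and its paths are constructed, and the catch-all is assumed to be named "default" as in the configuration above.

```python
import re
import sys

# Constructed sample in the layout `httpd -S` prints; names and paths are placeholders.
SAMPLE = """\
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server default (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost default (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost site-a.example (/etc/apache2/sites-enabled/site-a.conf:1)
*:443                  is a NameVirtualHost
         default server site-a.example (/etc/apache2/sites-enabled/site-a.conf:20)
         port 443 namevhost site-a.example (/etc/apache2/sites-enabled/site-a.conf:20)
         port 443 namevhost default (/etc/apache2/sites-enabled/000-default.conf:14)
ServerRoot: "/etc/apache2"
"""

LISTENER = re.compile(r"^(\S+:(?:\d+|\*))\s+is a NameVirtualHost\s*$")
DEFAULT = re.compile(r"^\s*default server\s+(\S+)")
# A listener with a single vhost is printed on one line: "*:80  name (file:line)".
SINGLE = re.compile(r"^(\S+:(?:\d+|\*))\s+(\S+)\s+\(")


def default_servers(text):
    """Map each listener (e.g. '*:443') to the vhost Apache falls back to."""
    found, current = {}, None
    for line in text.splitlines():
        if m := LISTENER.match(line):
            current = m.group(1)
        elif (m := DEFAULT.match(line)) and current:
            found[current] = m.group(1)
        elif m := SINGLE.match(line):
            found[m.group(1)] = m.group(2)
    return found


def misordered(text, catch_all="default"):
    """Listeners whose fallback vhost is not the deny-all catch-all."""
    return sorted(l for l, n in default_servers(text).items() if n != catch_all)


if __name__ == "__main__":
    # Pipe real output in (httpd -S 2>&1 | python3 thisfile.py); else use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    bad = misordered(text)
    for listener in bad:
        print(f"{listener}: fallback is {default_servers(text)[listener]}, not the catch-all")
    sys.exit(1 if bad else 0)
```

In the constructed sample the *:443 catch-all is loaded after a real site, so that listener is reported; a non-zero exit status makes the check usable in a deployment script.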