[EMAIL PROTECTED] wrote:
Hello,
Have come across a security issue and one of the reasons is Apache allowing
serving of requests with an incorrect HOST header.
Question in short:
Is there an Apache Directive which will reject requests with an incorrect or
missing HOST header? I mean if my Apache is serving one.xyz.com, reject all
requests coming to that IP address and port using any other hostname. Meaning
reject 1.xyz.com or one.abc.com or 2.xyz.com or two.xyz.com.
And second, why would Apache allow that in the first place, especially if we
are not using NameBased VHosting.
[...]
I'll try an answer for you, based on my own understanding of HTTP and
Apache matters.
I believe that this is not a security issue. It is just the way in
which DNS and HTTP work, and are supposed to work.
First your second question:
Apache allows that, because that is the way HTTP is supposed to work.
Basically, if you are not using name-based virtual hosting, then the
httpd server does not care about the human-readable (DNS) name that you
used to send the HTTP request to this particular HTTP server host. It
gets an HTTP request on its listening IP address and port, so it answers.
In other words, the webserver gets the "Host:" header sent by the
browser, but it just ignores it. And that is the way it is supposed to work.
Now about your first question (how to reject requests with the "wrong"
host name):
The easiest way that I can think of, and without changing anything on
your front-end, is to set up your server to *do* name-based virtual
hosting, as follows:
- define a first Virtual Host with some ServerName that does not exist
in the DNS. Because that is the first defined Virtual Host, it will
serve as a default for all HTTP requests that either have no "Host:"
header, or where the "Host:" header contains something that Apache
cannot match with a specific defined virtual host.
- then define a second Virtual Host with the ServerName that you want to
allow. This one will handle all requests that *do* have the correct
hostname.
In the configuration of the first Virtual Host (the default one), set
your permissions so that everything is forbidden. Like
# Apache 2.2 syntax. NameVirtualHost is required in 2.2 for the Host
# header to be consulted at all; without it the first <VirtualHost>
# takes every request and Apache logs a "VirtualHost overlap" warning.
NameVirtualHost *:80

# Default (first-defined) vhost: receives requests with no Host header
# or with a Host that matches no other vhost, and refuses all of them.
<VirtualHost *:80>
ServerName forbidden.local
DocumentRoot /var/www/forbidden
<Directory /var/www/forbidden>
Order deny,allow
Deny from all
</Directory>
</VirtualHost>
In the configuration of the second virtual host (the real one), set the
permissions normally.
# The real vhost: chosen only when the Host header (port stripped,
# compared case-insensitively) matches this ServerName or a ServerAlias.
<VirtualHost *:80>
ServerName myrealhost.mydomain.com
DocumentRoot /var/www/myrealhost
<Directory /var/www/myrealhost>
Order allow,deny
Allow from all
</Directory>
etc..
</VirtualHost>
This second VirtualHost will answer *only* for requests that are
specifically directed to the hostname "myrealhost.mydomain.com".
All other requests will, by default, be processed by the first
VirtualHost (and rejected).
You can then, if you want, set the ErrorDocument of the first virtual
host in such a way that it tells people to use the correct name.
Hope this helps
André
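Editor's added example, not part of André's reply or of Apache itself: a small Python model of the vhost selection the reply describes (first vhost for the address is the default; the Host header, with its port stripped, is compared case-insensitively against ServerName and ServerAlias; unmatched or absent Host goes to the default vhost), run over constructed raw requests so the outcome for each of the poster's cases can be seen without a live server. The hostnames and IP addresses are made up; the `deny_all` flag stands in for the `Deny from all` on the default vhost's DocumentRoot. Two behaviours come from Apache/RFC 7230 rather than from the reply: an HTTP/1.1 request with no Host header is answered with 400, and the authority of an absolute-form request target takes precedence over the Host header.

```python
# Added example (not from the original post): a model of how Apache picks a
# name-based virtual host for a request, run over constructed raw requests.
# Hostnames/IPs are made up; deny_all stands in for "Deny from all".
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass
class VHost:
    server_name: str
    aliases: List[str] = field(default_factory=list)  # ServerAlias; may use * and ?
    deny_all: bool = False                             # Deny from all on DocumentRoot

    def matches(self, host: str) -> bool:
        h = host.lower()
        if h == self.server_name.lower():
            return True
        return any(fnmatchcase(h, a.lower()) for a in self.aliases)


def parse_request(raw: bytes) -> Tuple[str, Optional[str], str]:
    """Return (request-target, Host header value or None, HTTP version)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *headers = head.split("\r\n")
    _method, target, version = request_line.split(" ", 2)
    host = None
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    return target, host, version


def effective_host(target: str, host_header: Optional[str]) -> Optional[str]:
    """Hostname to match on: the authority of an absolute-form target wins
    over the Host header (RFC 7230 5.4); then any :port is stripped."""
    authority = host_header
    if target.lower().startswith(("http://", "https://")):
        authority = target.split("/", 3)[2]
    if authority is None:
        return None
    if authority.startswith("["):                 # IPv6 literal, e.g. [2001:db8::1]:80
        return authority[1:authority.index("]")]
    return authority.rsplit(":", 1)[0] if ":" in authority else authority


def select_vhost(vhosts: List[VHost], raw: bytes) -> Tuple[Optional[str], int]:
    """Pick the vhost the way Apache does for one IP:port and return
    (ServerName or None, expected HTTP status for a request to '/')."""
    target, host_header, version = parse_request(raw)
    host = effective_host(target, host_header)
    if host is None:
        if version == "HTTP/1.1":
            return None, 400          # Apache: HTTP/1.1 without Host -> 400
        chosen = vhosts[0]            # HTTP/1.0 without Host -> default vhost
    else:
        chosen = next((v for v in vhosts if v.matches(host)), vhosts[0])
    return chosen.server_name, (403 if chosen.deny_all else 200)


VHOSTS = [  # same order as the config in the reply: deny-all default first
    VHost("forbidden.local", deny_all=True),
    VHost("myrealhost.mydomain.com", aliases=["www.mydomain.com"]),
]

# Constructed requests: the poster's cases plus a few edge cases.
REQUESTS: Dict[str, bytes] = {
    "http10_no_host": b"GET / HTTP/1.0\r\n\r\n",
    "http11_no_host": b"GET / HTTP/1.1\r\n\r\n",
    "correct_host":   b"GET / HTTP/1.1\r\nHost: myrealhost.mydomain.com\r\n\r\n",
    "case_and_port":  b"GET / HTTP/1.1\r\nHost: MyRealHost.MyDomain.COM:80\r\n\r\n",
    "alias":          b"GET / HTTP/1.1\r\nHost: www.mydomain.com\r\n\r\n",
    "other_name":     b"GET / HTTP/1.1\r\nHost: 1.xyz.com\r\n\r\n",
    "raw_ip":         b"GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n",
    "ipv6_literal":   b"GET / HTTP/1.1\r\nHost: [2001:db8::10]:80\r\n\r\n",
    "absolute_uri":   b"GET http://myrealhost.mydomain.com/ HTTP/1.1\r\nHost: 1.xyz.com\r\n\r\n",
}


def run_demo() -> Dict[str, Tuple[Optional[str], int]]:
    """Map each constructed request to (chosen vhost, expected status)."""
    return {label: select_vhost(VHOSTS, raw) for label, raw in REQUESTS.items()}


if __name__ == "__main__":
    for label, (vhost, status) in run_demo().items():
        print(f"{label:15} -> {vhost or '-':26} {status}")
```

The `raw_ip` and `ipv6_literal` cases are the ones the poster is worried about: a request addressed by bare IP matches no ServerName, so it lands in the deny-all default vhost. To check the same thing against the live server, send the same Host values with curl (`curl -H 'Host: 1.xyz.com' http://<server-ip>/`) and confirm only the correct name gets a 200. On Apache 2.4 the equivalent of `Deny from all` is `Require all denied`.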
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.