Re: https vhosts


> On 24.05.2018 at 14:22, Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
> 
> On Thu, May 24, 2018 at 2:09 PM, Eric Covener <covener@xxxxxxxxx> wrote:
>> 
>> Thinking about base server and how scanners report it the "vulnerability"...
>> 
>> AllowUnmatchedHost[name]?
>> RejectUnknownHost[name]?
> 
> The one or the other is probably a better name than UseDefaultVHost,
> it allows to specify it by vhost (really meaningful on base servers
> though) OR globally to avoid using fake base servers in the whole
> configuration (when relevant).
> Looks good to me.

Like it. For simplicity, I think it should only be global. 

Using it in the first vhost has the same effect. Using it 
in a subsequent vhost will have no effect. Does not really make sense, or?

So, proposal:

RejectUnknownHosts [ on | off ]   (Default: off)

as core directive.

For mod_ssl, it would be good to move its "ssl_find_vhost()" partially
into the core. We could add a method

AP_DECLARE(server_rec *) ap_vhost_find_server(conn_rec *c, const char *hostname);

that returns the match, the base or NULL if rejected. That would remove 
parts of the vhost matching implementation in mod_ssl and we would not
need to expose the core config.

WDYT?
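
The three-way result proposed above (the match, the base server, or NULL when rejected), modeled as an added example that is not httpd or mod_ssl code. `model_server`, `model_config`, `model_find_server` and `lookup` are hypothetical stand-ins for `server_rec`, the core config and the proposed `ap_vhost_find_server()`; treating a missing hostname like an unknown one is an assumption.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins for httpd's server_rec and core config. */
typedef struct model_server {
    const char *hostname;       /* ServerName of this vhost */
    struct model_server *next;  /* next name-based vhost, configuration order */
} model_server;

typedef struct {
    model_server *base;         /* base server: fallback for unmatched names */
    model_server *vhosts;       /* name-based vhosts */
    int reject_unknown_hosts;   /* proposed RejectUnknownHosts: 0 = off (default) */
} model_config;

/* Host names compare case-insensitively. */
static int host_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;            /* equal only if both strings ended together */
}

/* Returns the matching vhost, the base server, or NULL if the name is rejected. */
model_server *model_find_server(const model_config *cfg, const char *hostname)
{
    for (model_server *s = cfg->vhosts; hostname && s; s = s->next)
        if (host_eq(s->hostname, hostname))
            return s;
    /* Assumption: a missing name is handled like an unknown one. */
    return cfg->reject_unknown_hosts ? NULL : cfg->base;
}

/* Constructed sample configuration. */
static model_server www = { "www.example.org", NULL };
static model_server shop = { "shop.example.org", &www };
static model_server base_srv = { "base.example.org", NULL };

model_server *lookup(int reject, const char *hostname)
{
    model_config cfg = { &base_srv, &shop, reject };
    return model_find_server(&cfg, hostname);
}

int main(void)
{
    model_server *s = lookup(1, "unknown.example.net");
    puts(s ? s->hostname : "(rejected)");
    return 0;
}
```

A caller such as an SNI callback would have to treat the NULL result as "refuse this connection or request" rather than dereference it.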



