Posted to users@httpd.apache.org by Eric Covener <co...@gmail.com> on 2009/11/29 01:33:34 UTC

Re: [users@httpd] Re: Apache httpd does not respect the HTTP RFCs !

On Sat, Nov 28, 2009 at 7:23 PM, Carsten Wiedmann <ca...@gmx.de> wrote:
> André Warnier wrote:
>> So how do you enumerate invalid hosts explicitly then ?
>
> Right, it's a little bit curious, that you can't set 400 with mod_rewrite
> (or header), only 403 (or 410).

In 2.2.x you can probably use [R=400]

-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Re: Apache httpd does not respect the HTTP RFCs !

Posted by Carsten Wiedmann <ca...@gmx.de>.
André Warnier wrote:
> But is is interesting to see how in the end, a document such as RFC2616
> which is meant to "specify" a relatively strict set of rules, and of
> which I am sure the phrasing is examined carefully and repeatedly (it
> being after all a revision of an earlier document on the same topic),
> still leaves areas open to interpretation, or downright inconsistent.
> What is for example, in this case, a hostname which is /invalid/ on this
> host ?
> If the request reached this host, then it must be that for the DNS
> system, the hostname resolved to one of this physical host's IP
> addresses.  In that sense, any HTTP request which reaches the host could
> be deemed to address a valid hostname.

Yes and no. It's always up to the server (or server admin) if it's accepting
a given hostname or not. But if it's not accepting a hostname, it must
return a 400.

Well, there is no directive in Apache httpd to enable such strict hostname
tests; Apache always accepts all hostnames and routes them to the default
(v)host. And that's the reason I'm always using the name-based vhosts from my
last post, even though I normally only want to have an ip-based vhost (or no
vhosts at all).

BTW: If you want/must deal with IPs in the URIs, just add the IP for that
vhost as ServerAlias to the first regular VirtualHost block.

Regarding DNS:
Well, a normal browser asks a DNS server for the IP, then connects to that IP
and uses the servername from the URI for the Host header.

Example:
URI: http://www.apache.org/ (nslookup: 192.87.106.226)
| telnet 192.87.106.226 80
| GET / HTTP/1.1
| Host: www.apache.org
|

That's what a normal browser is doing. Well, apache.org is also accepting
all hostnames, and so the next example shows the same homepage:
URI: http://www.apache.org/ (nslookup: 192.87.106.226)
| telnet 192.87.106.226 80
| GET / HTTP/1.1
| Host: www.microsoft.com
|

Well, I don't want this to happen on my servers, and with a name-based
vhost, a perl script and a rewriterule I have the behaviour I want: an error
400 in this case. Also, Apache now only accepts a defined
ServerName/ServerAlias, and not all requests which are possible with a
wildcard dns entry. But be careful with *.foo.com in ServerAlias.

Regards,
Carsten
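
[Editor's note, not part of Carsten's or Eric's posts: the configuration below is an added example putting the two suggestions from this thread together. It uses a first (default) name-based vhost that catches every Host header not matching a later ServerName/ServerAlias and answers it with 400 via Eric's [R=400] rewrite flag, instead of Carsten's perl script. The hostnames, IP and DocumentRoot are made-up placeholders. The NameVirtualHost directive is the 2.2.x form current at the time of the thread; 2.4 ignores it with a warning.]

```apache
# Added example (not from the thread). Requires mod_rewrite.
# 2.2.x: enable name-based vhosts on the listening address.
NameVirtualHost *:80

# The FIRST <VirtualHost> for an address:port is the default: every request
# whose Host header matches no ServerName/ServerAlias ends up here, as does an
# HTTP/1.0 request that sends no Host header at all.
<VirtualHost *:80>
    # Placeholder name; it must not be a name you actually want to serve.
    ServerName catchall.invalid

    RewriteEngine On
    # A status code outside 300-399 in the R flag drops the substitution and
    # stops rewriting, so the client just receives the 400 (test this on the
    # exact httpd version you run, as Eric's "probably" implies).
    RewriteRule ^ - [R=400,L]
</VirtualHost>

# The real site. Requests for any name listed here are served normally.
<VirtualHost *:80>
    ServerName www.example.com
    # Carsten's tip: list the IP too if clients may use it in the URI.
    ServerAlias example.com 192.0.2.10
    DocumentRoot /var/www/example
</VirtualHost>
```

With this in place, the second telnet session above (Host: www.microsoft.com against your own IP) gets a 400 rather than the default site's homepage, while Host: www.example.com, example.com or 192.0.2.10 is served. Keep Carsten's caveat in mind: a wildcard such as *.example.com in ServerAlias reopens the door to arbitrary names under that domain.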




Re: [users@httpd] Re: Apache httpd does not respect the HTTP RFCs !

Posted by André Warnier <aw...@ice-sa.com>.
Eric Covener wrote:
> On Sat, Nov 28, 2009 at 7:23 PM, Carsten Wiedmann <ca...@gmx.de> wrote:
>> André Warnier wrote:
>>> So how do you enumerate invalid hosts explicitly then ?
>> Right, it's a little bit curious, that you can't set 400 with mod_rewrite
>> (or header), only 403 (or 410).
> 
> In 2.2.x you can probably use  [R=400]
> 
My original post was more like a jest or a provocation, rather than a 
real question.
But it is interesting to see how in the end, a document such as RFC2616 
which is meant to "specify" a relatively strict set of rules, and of 
which I am sure the phrasing is examined carefully and repeatedly (it 
being after all a revision of an earlier document on the same topic), 
still leaves areas open to interpretation, or downright inconsistent.
What is for example, in this case, a hostname which is /invalid/ on this 
host ?
If the request reached this host, then it must be that for the DNS 
system, the hostname resolved to one of this physical host's IP 
addresses.  In that sense, any HTTP request which reaches the host could 
be deemed to address a valid hostname.
Yet the HTTP server listening on that host (and port), may be configured 
to accept requests for several specific hostnames, but not the one 
mentioned in the request.  In that sense, Apache's defaulting to a 
"default" host whose name does not match the request hostname would be 
in contravention of the RFC.  Yet by the same token, Apache's defaulting 
to the default host and accepting the request, would seem to make the 
request's hostname "valid", since the request is accepted.
So basically, the HTTP RFC obliges the server to send a 400 response for 
an invalid host, but what is an invalid host is decided by the server.
Kind of circular as far as arguments go.

