Posted to dev@httpd.apache.org by Stefan Fritsch <sf...@sfritsch.de> on 2013/08/18 18:55:35 UTC

Way to disable non-vhost requests?

Hi,

for setups that only use virtual hosts, it can be useful to deny 
requests in the main server context with a meaningful error message. 
This can make debugging configuration errors much easier.

AFAICS, there is no easy way to achieve this. Or did I miss something? 
Any opinions about adding a new config directive for this purpose? If 
yes, how should this be named? AllowNonVHostRequests (with a default 
of 'yes')?

An alternative would be to expose server_rec->is_virtual in the 
expression parser and have the admin add an appropriate <If> section 
to deny access. However this has higher overhead at run time and the 
error message in the log would be less descriptive.

Cheers,
Stefan


Re: Way to disable non-vhost requests?

Posted by Yehuda Katz <ye...@ymkatz.net>.
Plenty of admins disable the default Debian vhost anyway, so I don't see
this as a problem as long as it is properly documented (maybe even on the
"error page" itself).

- Y

On Sunday, September 1, 2013, Stefan Fritsch wrote:

> Am Montag, 19. August 2013, 08:26:57 schrieb Rainer Jung:
> > On 18.08.2013 18:55, Stefan Fritsch wrote:
> > > for setups that only use virtual hosts, it can be useful to deny
> > > requests in the main server context with a meaningful error
> > > message. This can make debugging configuration errors much
> > > easier.
> > >
> > > AFAICS, there is no easy way to achieve this. Or did I miss
> > > something? Any opinions about adding a new config directive for
> > > this purpose? If yes, how should this be named?
> > > AllowNonVHostRequests (with a default of 'yes')?
> > >
> > > An alternative would be to expose server_rec->is_virtual in the
> > > expression parser and have the admin add an appropriate <If>
> > > section to deny access. However this has higher overhead at run
> > > time and the error message in the log would be less descriptive.
> >
> > I might have overlooked something stupid, but why not use a
> > _default_ vhost and disabling all requests there? I thought it
> > would be a catchall and its config is not being merged to the other
> > vhosts.
>
> True, I didn't think of that. _default_ is gone in 2.4, but * should
> work. I was looking for something to use in the Debian default
> configuration, though, and there it should still be possible for
> the admin to easily use a "<VirtualHost *>" if he wants. But maybe
> that would still work if I put my catch-config-errors vhost after the
> virtual hosts configured by the admin. I will have to check.
>
>

-- 
Sent from a gizmo with a very small keyboard and hyper-active auto-correct.

Re: Way to disable non-vhost requests?

Posted by Igor Galić <i....@brainsware.org>.

----- Original Message -----
> Am Montag, 19. August 2013, 08:26:57 schrieb Rainer Jung:
> > On 18.08.2013 18:55, Stefan Fritsch wrote:
> > > for setups that only use virtual hosts, it can be useful to deny
> > > requests in the main server context with a meaningful error
> > > message. This can make debugging configuration errors much
> > > easier.
> > > 
> > > AFAICS, there is no easy way to achieve this. Or did I miss
> > > something? Any opinions about adding a new config directive for
> > > this purpose? If yes, how should this be named?
> > > AllowNonVHostRequests (with a default of 'yes')?
> > > 
> > > An alternative would be to expose server_rec->is_virtual in the
> > > expression parser and have the admin add an appropriate <If>
> > > section to deny access. However this has higher overhead at run
> > > time and the error message in the log would be less descriptive.
> > 
> > I might have overlooked something stupid, but why not use a
> > _default_ vhost and disabling all requests there? I thought it
> > would be a catchall and its config is not being merged to the other
> > vhosts.
> 
> True, I didn't think of that. _default_ is gone in 2.4, but * should
> work. I was looking for something to use in the Debian default
> configuration, though, and there it should still be possible for
> the admin to easily use a "<VirtualHost *>" if he wants. But maybe
> that would still work if I put my catch-config-errors vhost after the
> virtual hosts configured by the admin. I will have to check.
> 
> 

… because _default_ never was a default vhost anyway.
What I do is try to conform to HTTP and make the default vhost send 400
usually like so:

    <VirtualHost *>
        # a non-3xx status takes no target URL in mod_alias (httpd rejects
        # one at startup); the negative lookahead keeps /error/ reachable
        # so an ErrorDocument under it can still be served
        RedirectMatch 400 ^/(?!error/).*
    </VirtualHost>


unless I have mod_security installed, that takes care of it as well.

-- i
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE


Re: Way to disable non-vhost requests?

Posted by Stefan Fritsch <sf...@sfritsch.de>.
Am Montag, 19. August 2013, 08:26:57 schrieb Rainer Jung:
> On 18.08.2013 18:55, Stefan Fritsch wrote:
> > for setups that only use virtual hosts, it can be useful to deny
> > requests in the main server context with a meaningful error
> > message. This can make debugging configuration errors much
> > easier.
> > 
> > AFAICS, there is no easy way to achieve this. Or did I miss
> > something? Any opinions about adding a new config directive for
> > this purpose? If yes, how should this be named?
> > AllowNonVHostRequests (with a default of 'yes')?
> > 
> > An alternative would be to expose server_rec->is_virtual in the
> > expression parser and have the admin add an appropriate <If>
> > section to deny access. However this has higher overhead at run
> > time and the error message in the log would be less descriptive.
> 
> I might have overlooked something stupid, but why not use a
> _default_ vhost and disabling all requests there? I thought it
> would be a catchall and its config is not being merged to the other
> vhosts.

True, I didn't think of that. _default_ is gone in 2.4, but * should 
work. I was looking for something to use in the Debian default 
configuration, though, and there it should still be possible for 
the admin to easily use a "<VirtualHost *>" if he wants. But maybe 
that would still work if I put my catch-config-errors vhost after the 
virtual hosts configured by the admin. I will have to check.


Re: Way to disable non-vhost requests?

Posted by Rainer Jung <ra...@kippdata.de>.
On 18.08.2013 18:55, Stefan Fritsch wrote:
> for setups that only use virtual hosts, it can be useful to deny 
> requests in the main server context with a meaningful error message. 
> This can make debugging configuration errors much easier.
> 
> AFAICS, there is no easy way to achieve this. Or did I miss something? 
> Any opinions about adding a new config directive for this purpose? If 
> yes, how should this be named? AllowNonVHostRequests (with a default 
> of 'yes')?
> 
> An alternative would be to expose server_rec->is_virtual in the 
> expression parser and have the admin add an appropriate <If> section 
> to deny access. However this has higher overhead at run time and the 
> error message in the log would be less descriptive.

I might have overlooked something stupid, but why not use a _default_
vhost and disabling all requests there? I thought it would be a catchall
and its config is not being merged to the other vhosts.

Regards,

Rainer


Re: Way to disable non-vhost requests?

Posted by Stefan Fritsch <sf...@sfritsch.de>.
Am Sonntag, 18. August 2013, 20:59:53 schrieb Reindl Harald:
> Am 18.08.2013 20:49, schrieb Eric Covener:
> > On Sun, Aug 18, 2013 at 12:55 PM, Stefan Fritsch <sf...@sfritsch.de> wrote:
> >> for setups that only use virtual hosts, it can be useful to deny
> >> requests in the main server context with a meaningful error
> >> message. This can make debugging configuration errors much
> >> easier.
> >> 
> >> AFAICS, there is no easy way to achieve this. Or did I miss
> >> something? Any opinions about adding a new config directive for
> >> this purpose? If yes, how should this be named?
> >> AllowNonVHostRequests (with a default of 'yes')?
> > 
> > I don't know of any recipe for this, and I think a directive is
> > okay. But what would the status be, and how would you override it
> > just for this case?

I would make it return status 500 (because its purpose is to catch 
configuration errors). Not sure I understand what you mean by "how 
would you override it", though. It would be a global-only setting and 
would deny all requests where server_rec->is_virtual is 0.


> sounds AFAIK similar to
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslstrictsnivhostcheck
> 
> and as i understand the proposal if configured for the first and so
> default vhost while there is no host-header matching ServerName
> or ServerAlias "403 Forbidden"
>
> makes IMHO sense, i see a lot of mod_security hits all over our
> servers with fantasy-hostnames rejected because other reasons
> and a request with a non-configured hostname is most likely
> some scanner searching for vulnerabilities

Here you want to solve a different problem. My intention is to catch 
the cases where no <VirtualHost> block matches. For example if you 
have a Listen 8080 but no <VirtualHost *:8080> and no <VirtualHost *> 
block.

What you mean is to disable the behavior of name based virtual hosts 
to use the first virtual host matching the requested IP/port as 
default if none of the ServerNames/ServerAliases matches. That could 
be a reasonable feature, too, but (except for the log message) this 
can already be achieved by putting a "require all denied" or "redirect 
500 /" into the first (default) vhost. This works because the 
non-default vhosts don't inherit from the default vhosts. If this is added 
as a new directive, AllowNonVHostRequests is definitely not the 
correct name. Maybe AllowNamedVirtualHostFallback or StrictVHostCheck.

For my problem, the same solution does not work. If you put a 
"redirect 500 /" into the global server scope, all virtual hosts 
inherit this directive, denying access everywhere (or requiring you to 
explicitly put something into every vhost to override the "require all 
denied" from the global server scope).
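An added example (not from the thread) of the layout described above: one catch-all vhost per listening port, placed first so it becomes the default for that port, which covers both the "no vhost matched" case and the "unknown Host header" case. It assumes httpd 2.4 with mod_alias and mod_authz_core loaded; hostnames and paths are placeholders.

```apache
# Added example, not from the thread. Assumes httpd 2.4 with mod_alias and
# mod_authz_core loaded; hostnames and log/document paths are placeholders.
Listen 80
Listen 8080

# Global scope: every vhost below inherits what is set here, so a
# "Require all denied" or "Redirect 500 /" at this level would lock
# out every vhost, not just the catch-all.
ErrorLog /var/log/httpd/error_log
LogLevel warn

# The first <VirtualHost> for *:80 is the default for that address/port:
# a request whose Host header matches no ServerName/ServerAlias lands
# here, as does an HTTP/1.0 request that carries no Host header at all.
<VirtualHost *:80>
    ServerName catchall.invalid
    # separate log so a misrouted request is easy to spot
    ErrorLog /var/log/httpd/catchall_error_log
    # non-3xx Redirect takes no target URL; every path answers 500
    Redirect 500 /
</VirtualHost>

# Real site. The catch-all above is a sibling, not a parent: nothing from
# it is merged into this vhost, so the Redirect does not apply here.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /srv/www/example.com
    <Directory /srv/www/example.com>
        Require all granted
    </Directory>
</VirtualHost>

# "Listen 8080" with no <VirtualHost *:8080> and no <VirtualHost *> is
# the case the original post wants to catch: those requests would be
# served by the main server context. Give the port its own catch-all.
<VirtualHost *:8080>
    ServerName catchall.invalid
    ErrorLog /var/log/httpd/catchall_error_log
    Redirect 500 /
</VirtualHost>
```

Run `httpd -t` (or `apachectl configtest`) after adding it; a request for an unknown hostname on either port should then be answered with 500 and logged in the catch-all log rather than served by the first real site.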


Re: Way to disable non-vhost requests?

Posted by Reindl Harald <h....@thelounge.net>.

Am 18.08.2013 20:49, schrieb Eric Covener:
> On Sun, Aug 18, 2013 at 12:55 PM, Stefan Fritsch <sf...@sfritsch.de> wrote:
>> for setups that only use virtual hosts, it can be useful to deny
>> requests in the main server context with a meaningful error message.
>> This can make debugging configuration errors much easier.
>>
>> AFAICS, there is no easy way to achieve this. Or did I miss something?
>> Any opinions about adding a new config directive for this purpose? If
>> yes, how should this be named? AllowNonVHostRequests (with a default
>> of 'yes')?
> 
> I don't know of any recipe for this, and I think a directive is okay.
> But what would the status be, and how would you override it just for
> this case?

sounds AFAIK similar to
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslstrictsnivhostcheck

and as i understand the proposal if configured for the first and so
default vhost while there is no host-header matching ServerName
or ServerAlias "403 Forbidden"

makes IMHO sense, i see a lot of mod_security hits all over our
servers with fantasy-hostnames rejected because other reasons
and a request with a non-configured hostname is most likely
some scanner searching for vulnerabilities


Re: Way to disable non-vhost requests?

Posted by Eric Covener <co...@gmail.com>.
On Sun, Aug 18, 2013 at 12:55 PM, Stefan Fritsch <sf...@sfritsch.de> wrote:
> Hi,
>
> for setups that only use virtual hosts, it can be useful to deny
> requests in the main server context with a meaningful error message.
> This can make debugging configuration errors much easier.
>
> AFAICS, there is no easy way to achieve this. Or did I miss something?
> Any opinions about adding a new config directive for this purpose? If
> yes, how should this be named? AllowNonVHostRequests (with a default
> of 'yes')?

I don't know of any recipe for this, and I think a directive is okay.
But what would the status be, and how would you override it just for
this case?

Re: Way to disable non-vhost requests?

Posted by Reindl Harald <h....@thelounge.net>.
yep, and a 403 triggered by httpd without calling a PHP script would
save a lot of resources if some stupid robots are doing a lot of requests

maybe you could use something like that which I previously did
too with a PHP script and LocationMatch
RedirectMatch 404 ^/.*admin-bak/(.*)$
RedirectMatch 404 ^/.*~admin/(.*)$
RedirectMatch 404 ^/.*backups/(.*)$
RedirectMatch 404 ^/.*backup/(.*)$
RedirectMatch 404 ^/.*_backup/(.*)$
... endless list of common searched vulnerable locations ...

Am 18.08.2013 20:59, schrieb Yehuda Katz:
> Just for my own servers, I usually create a default vhost and use mod_rewrite to send all requests to this script
> (simplified for post here).
> 
>     <?php
>     header("HTTP/1.1 418 I'm a teapot");
>     ?>
>     <h1>I'm a teapot.</h1>
>     <p>Well actually, I am a server, but I know about as much about what you requested as a teapot would. Please
>     check your request and try again.</p>
> 
> 
> Not exactly what you are looking for, but fun.
> It is also easy to find in the logs because NOTHING uses that status.
> 
> 
> On Sun, Aug 18, 2013 at 12:55 PM, Stefan Fritsch <sf@sfritsch.de <ma...@sfritsch.de>> wrote:
> 
>     Hi,
> 
>     for setups that only use virtual hosts, it can be useful to deny
>     requests in the main server context with a meaningful error message.
>     This can make debugging configuration errors much easier.
> 
>     AFAICS, there is no easy way to achieve this. Or did I miss something?
>     Any opinions about adding a new config directive for this purpose? If
>     yes, how should this be named? AllowNonVHostRequests (with a default
>     of 'yes')?
> 
>     An alternative would be to expose server_rec->is_virtual in the
>     expression parser and have the admin add an appropriate <If> section
>     to deny access. However this has higher overhead at run time and the
>     error message in the log would be less descriptive.
> 
>     Cheers,
>     Stefan


Re: Way to disable non-vhost requests?

Posted by Yehuda Katz <ye...@ymkatz.net>.
Just for my own servers, I usually create a default vhost and use
mod_rewrite to send all requests to this script (simplified for post here).

    <?php
    header("HTTP/1.1 418 I'm a teapot");
    ?>
    <h1>I'm a teapot.</h1>
    <p>Well actually, I am a server, but I know about as much about what you
    requested as a teapot would. Please check your request and try again.</p>


Not exactly what you are looking for, but fun.
It is also easy to find in the logs because NOTHING uses that status.

- Y


On Sun, Aug 18, 2013 at 12:55 PM, Stefan Fritsch <sf...@sfritsch.de> wrote:

> Hi,
>
> for setups that only use virtual hosts, it can be useful to deny
> requests in the main server context with a meaningful error message.
> This can make debugging configuration errors much easier.
>
> AFAICS, there is no easy way to achieve this. Or did I miss something?
> Any opinions about adding a new config directive for this purpose? If
> yes, how should this be named? AllowNonVHostRequests (with a default
> of 'yes')?
>
> An alternative would be to expose server_rec->is_virtual in the
> expression parser and have the admin add an appropriate <If> section
> to deny access. However this has higher overhead at run time and the
> error message in the log would be less descriptive.
>
> Cheers,
> Stefan
>
>