Posted to dev@httpd.apache.org by Stefan Fritsch <sf...@sfritsch.de> on 2013/08/18 18:55:35 UTC
Way to disable non-vhost requests?
Hi,
for setups that only use virtual hosts, it can be useful to deny
requests in the main server context with a meaningful error message.
This can make debugging configuration errors much easier.
AFAICS, there is no easy way to achieve this. Or did I miss something?
Any opinions about adding a new config directive for this purpose? If
yes, how should this be named? AllowNonVHostRequests (with a default
of 'yes')?
An alternative would be to expose server_rec->is_virtual in the
expression parser and have the admin add an appropriate <If> section
to deny access. However this has higher overhead at run time and the
error message in the log would be less descriptive.
Cheers,
Stefan
Re: Way to disable non-vhost requests?
Posted by Yehuda Katz <ye...@ymkatz.net>.
Plenty of admins disable the default Debian cost anyway, so I don't see
this as a problem as long as it is properly documented (maybe even on the
"error page" itself).
- Y
On Sunday, September 1, 2013, Stefan Fritsch wrote:
> Am Montag, 19. August 2013, 08:26:57 schrieb Rainer Jung:
> > On 18.08.2013 18:55, Stefan Fritsch wrote:
> > > for setups that only use virtual hosts, it can be useful to deny
> > > requests in the main server context with a meaningful error
> > > message. This can make debugging configuration errors much
> > > easier.
> > >
> > > AFAICS, there is no easy way to achieve this. Or did I miss
> > > something? Any opinions about adding a new config directive for
> > > this purpose? If yes, how should this be named?
> > > AllowNonVHostRequests (with a default of 'yes')?
> > >
> > > An alternative would be to expose server_rec->is_virtual in the
> > > expression parser and have the admin add an appropriate <If>
> > > section to deny access. However this has higher overhead at run
> > > time and the error message in the log would be less descriptive.
> >
> > I might have overlooked something stupid, but why not using a
> > _default_ vhost and disabling all requests there? I thought it
> > would be a catchall and its config is not being merged to the other
> > vhosts.
>
> True, I didn't think of that. _default_ is gone in 2.4, but * should
> work. I was looking for something to use in the Debian default
> configuration, though, and there it should still be possible for
> the admin to easily use a "<VirtualHost *>" if he wants. But maybe
> that would still work if I put my catch-config-errors vhost after the
> virtual hosts configured by the admin. I will have to check.
>
>
--
Sent from a gizmo with a very small keyboard and hyper-active auto-correct.
Re: Way to disable non-vhost requests?
Posted by Igor Galić <i....@brainsware.org>.
----- Original Message -----
> Am Montag, 19. August 2013, 08:26:57 schrieb Rainer Jung:
> > On 18.08.2013 18:55, Stefan Fritsch wrote:
> > > for setups that only use virtual hosts, it can be useful to deny
> > > requests in the main server context with a meaningful error
> > > message. This can make debugging configuration errors much
> > > easier.
> > >
> > > AFAICS, there is no easy way to achieve this. Or did I miss
> > > something? Any opinions about adding a new config directive for
> > > this purpose? If yes, how should this be named?
> > > AllowNonVHostRequests (with a default of 'yes')?
> > >
> > > An alternative would be to expose server_rec->is_virtual in the
> > > expression parser and have the admin add an appropriate <If>
> > > section to deny access. However this has higher overhead at run
> > > time and the error message in the log would be less descriptive.
> >
> > I might have overlooked something stupid, but why not using a
> > _default_ vhost and disabling all requests there? I thought it
> > would be a catchall and its config is not being merged to the other
> > vhosts.
>
> True, I didn't think of that. _default_ is gone in 2.4, but * should
> work. I was looking for something to use in the Debian default
> configuration, though, and there it should still be possible for
> the admin to easily use a "<VirtualHost *>" if he wants. But maybe
> that would still work if I put my catch-config-errors vhost after the
> virtual hosts configured by the admin. I will have to check.
>
>
… because _default_ never was a default vhost anyway.
What I do is try to conform to HTTP and make the default vhost send 400
usually like so:
<VirtualHost *>
RedirectMatch 400 ^/(?!error/).* /
</VirtualHost>
unless I have mod_security installed, that takes care of it as well.
-- i
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE
Re: Way to disable non-vhost requests?
Posted by Stefan Fritsch <sf...@sfritsch.de>.
Am Montag, 19. August 2013, 08:26:57 schrieb Rainer Jung:
> On 18.08.2013 18:55, Stefan Fritsch wrote:
> > for setups that only use virtual hosts, it can be useful to deny
> > requests in the main server context with a meaningful error
> > message. This can make debugging configuration errors much
> > easier.
> >
> > AFAICS, there is no easy way to achieve this. Or did I miss
> > something? Any opinions about adding a new config directive for
> > this purpose? If yes, how should this be named?
> > AllowNonVHostRequests (with a default of 'yes')?
> >
> > An alternative would be to expose server_rec->is_virtual in the
> > expression parser and have the admin add an appropriate <If>
> > section to deny access. However this has higher overhead at run
> > time and the error message in the log would be less descriptive.
>
> I might have overlooked something stupid, but why not using a
> _default_ vhost and disabling all requests there? I thought it
> would be a catchall and its config is not being merged to the other
> vhosts.
True, I didn't think of that. _default_ is gone in 2.4, but * should
work. I was looking for something to use in the Debian default
configuration, though, and there it should still be possible for
the admin to easily use a "<VirtualHost *>" if he wants. But maybe
that would still work if I put my catch-config-errors vhost after the
virtual hosts configured by the admin. I will have to check.
Re: Way to disable non-vhost requests?
Posted by Rainer Jung <ra...@kippdata.de>.
On 18.08.2013 18:55, Stefan Fritsch wrote:
> for setups that only use virtual hosts, it can be useful to deny
> requests in the main server context with a meaningful error message.
> This can make debugging configuration errors much easier.
>
> AFAICS, there is no easy way to achieve this. Or did I miss something?
> Any opinions about adding a new config directive for this purpose? If
> yes, how should this be named? AllowNonVHostRequests (with a default
> of 'yes')?
>
> An alternative would be to expose server_rec->is_virtual in the
> expression parser and have the admin add an appropriate <If> section
> to deny access. However this has higher overhead at run time and the
> error message in the log would be less descriptive.
I might have overlooked something stupid, but why not using a _default_
vhost and disabling all requests there? I thought it would be a catchall
and its config is not being merged to the other vhosts.
Regards,
Rainer
Re: Way to disable non-vhost requests?
Posted by Stefan Fritsch <sf...@sfritsch.de>.
Am Sonntag, 18. August 2013, 20:59:53 schrieb Reindl Harald:
> Am 18.08.2013 20:49, schrieb Eric Covener:
> > On Sun, Aug 18, 2013 at 12:55 PM, Stefan Fritsch <sf...@sfritsch.de> wrote:
> >> for setups that only use virtual hosts, it can be useful to deny
> >> requests in the main server context with a meaningful error
> >> message. This can make debugging configuration errors much
> >> easier.
> >>
> >> AFAICS, there is no easy way to achieve this. Or did I miss
> >> something? Any opinions about adding a new config directive for
> >> this purpose? If yes, how should this be named?
> >> AllowNonVHostRequests (with a default of 'yes')?
> >
> > I don't know of any recipe for this, and I think a directive is
> > okay. But what would the status be, and how would you override it
> > just for this case?
I would make it return status 500 (because its purpose is to catch
configuration errors). Not sure I understand what you mean with "how
would you override it", though. It would be a global-only setting and
would deny all requests where server_rec->is_virtual is 0.
> sounds AFAIK similar to
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslstrictsnivhostc
> heck
>
> and as i understand the proposal if configured for the first and so
> default vhost while there is no host-header matching ServerName
> or ServerAlias "403 Forbidden"
>
> makes IMHO sense, i see a lot of mod_security hits all over our
> servers with fantasy-hostnames rejected for other reasons
> and a request with a non-configured hostname is most likely
> some scanner searching for vulnerabilities
Here you want to solve a different problem. My intention is to catch
the cases where no <VirtualHost> block matches. For example if you
have a Listen 8080 but no <VirtualHost *:8080> and no <VirtualHost *>
block.
What you mean is to disable the behavior of name based virtual hosts
to use the first virtual host matching the requested IP/port as
default if none of the ServerNames/ServerAliases matches. That could
be a reasonable feature, too, but (except for the log message) this
can already be achieved by putting a "require all denied" or "redirect
500 /" into the first (default) vhost. This works because the non-
default vhosts don't inherit from the default vhosts. If this is added
as a new directive, AllowNonVHostRequests is definitely not the
correct name. Maybe AllowNamedVirtualHostFallback or StrictVHostCheck.
For my problem, the same solution does not work. If you put a
"redirect 500 /" into the global server scope, all virtual hosts
inherit this directive, denying access everywhere (or requiring to
explicitly put something into every vhost to override the "require all
denied" from the global server scope).
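To make the two cases concrete (Igor's catch-all "<VirtualHost *>" above and the distinction Stefan draws here between "no vhost matches the address/port" and "no ServerName/ServerAlias matches the Host header"), here is an added example that is not part of the thread and not httpd code: a small Python model of httpd's documented vhost lookup order (vhosts with a specific IP:port first, then "*" vhosts in configuration order with the first one as the name-based default, then the main server), with main-server directives inherited by all vhosts and vhost directives by none. The host names, addresses and the denies_all flag are constructed for the example.

```python
"""Constructed model of httpd 2.4 vhost selection; not httpd's own code."""
from dataclasses import dataclass


@dataclass
class VHost:
    addr: str                  # the <VirtualHost ...> address: "*", "*:80", "192.0.2.20:80"
    server_name: str
    aliases: tuple = ()
    denies_all: bool = False   # stands in for "Require all denied" / "Redirect 500 /"

    def addr_kind(self, ip, port):
        """'exact' or 'wildcard' if this vhost covers ip:port, else None."""
        host, _, p = self.addr.partition(":")
        if host != "*" and host != ip:
            return None
        if p not in ("", "*") and int(p) != port:
            return None
        return "wildcard" if host == "*" else "exact"

    def name_matches(self, host_header):
        return host_header == self.server_name or host_header in self.aliases


def select_server(vhosts, ip, port, host_header, main_denies_all=False):
    """Return (server label, request denied?) for one request.

    Step 1: address lookup. Vhosts with a specific IP:port win over "*" ones,
    regardless of configuration order. If nothing covers the address, the
    request is served by the main server (Stefan's "Listen 8080 but no
    <VirtualHost *:8080>" case).
    Step 2: name lookup within that set; if no ServerName/ServerAlias matches
    the Host header, the first vhost of the set is the default (the case
    Eric and Reindl describe).
    """
    exact = [v for v in vhosts if v.addr_kind(ip, port) == "exact"]
    wild = [v for v in vhosts if v.addr_kind(ip, port) == "wildcard"]
    candidates = exact or wild
    if not candidates:
        return "main", main_denies_all
    chosen = next((v for v in candidates if v.name_matches(host_header)), candidates[0])
    # main-server directives are inherited by every vhost; vhost directives are not
    return chosen.server_name, chosen.denies_all or main_denies_all


# Constructed admin configuration (Listen 80 and 8080, but no vhost for 8080).
ADMIN_VHOSTS = [
    VHost("*:80", "www.example.com", aliases=("example.com",)),
    VHost("*:80", "blog.example.com"),
    VHost("192.0.2.20:80", "intranet.example.com"),
]
# Igor-style catch-all vhost; denies_all models his "RedirectMatch 400".
CATCH_ALL = VHost("*", "catch-config-errors", denies_all=True)

# Constructed requests: (connection IP, port, Host header).
REQUESTS = {
    "known host, port 80": ("192.0.2.10", 80, "blog.example.com"),
    "unknown host, port 80": ("192.0.2.10", 80, "bogus.invalid"),
    "no vhost for port 8080": ("192.0.2.10", 8080, "www.example.com"),
    "unknown host, IP-specific vhost": ("192.0.2.20", 80, "bogus.invalid"),
}


def evaluate(vhosts, main_denies_all=False):
    """Map each constructed request to the server that would answer it."""
    return {name: select_server(vhosts, *req, main_denies_all=main_denies_all)
            for name, req in REQUESTS.items()}


if __name__ == "__main__":
    layouts = {
        "admin vhosts only": (ADMIN_VHOSTS, False),
        "catch-all placed last": (ADMIN_VHOSTS + [CATCH_ALL], False),
        "catch-all placed first": ([CATCH_ALL] + ADMIN_VHOSTS, False),
        "deny in global scope": (ADMIN_VHOSTS, True),
    }
    for title, (vhosts, global_deny) in layouts.items():
        print(f"== {title}")
        for name, (server, denied) in evaluate(vhosts, global_deny).items():
            print(f"  {name:34} -> {server:22} denied={denied}")
```

Running it shows the point of the thread: a catch-all placed after the admin's vhosts only receives requests for an address/port no other vhost covers (the configuration-error case) and leaves the admin's own defaults untouched; placed first, it also swallows unknown Host headers on port 80 (the scanner case), but never on an IP-specific vhost, which is matched before any "*" vhost; and a deny in the global scope is inherited everywhere, which is why it cannot be used for Stefan's purpose.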
Re: Way to disable non-vhost requests?
Posted by Reindl Harald <h....@thelounge.net>.
Am 18.08.2013 20:49, schrieb Eric Covener:
> On Sun, Aug 18, 2013 at 12:55 PM, Stefan Fritsch <sf...@sfritsch.de> wrote:
>> for setups that only use virtual hosts, it can be useful to deny
>> requests in the main server context with a meaningful error message.
>> This can make debugging configuration errors much easier.
>>
>> AFAICS, there is no easy way to achieve this. Or did I miss something?
>> Any opinions about adding a new config directive for this purpose? If
>> yes, how should this be named? AllowNonVHostRequests (with a default
>> of 'yes')?
>
> I don't know of any recipe for this, and I think a directive is okay.
> But what would the status be, and how would you override it just for
> this case?
sounds AFAIK similar to
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslstrictsnivhostcheck
and as i understand the proposal if configured for the first and so
default vhost while there is no host-header matching ServerName
or ServerAlias "403 Forbidden"
makes IMHO sense, i see a lot of mod_security hits all over our
servers with fantasy-hostnames rejected for other reasons
and a request with a non-configured hostname is most likely
some scanner searching for vulnerabilities
Re: Way to disable non-vhost requests?
Posted by Eric Covener <co...@gmail.com>.
On Sun, Aug 18, 2013 at 12:55 PM, Stefan Fritsch <sf...@sfritsch.de> wrote:
> Hi,
>
> for setups that only use virtual hosts, it can be useful to deny
> requests in the main server context with a meaningful error message.
> This can make debugging configuration errors much easier.
>
> AFAICS, there is no easy way to achieve this. Or did I miss something?
> Any opinions about adding a new config directive for this purpose? If
> yes, how should this be named? AllowNonVHostRequests (with a default
> of 'yes')?
I don't know of any recipe for this, and I think a directive is okay.
But what would the status be, and how would you override it just for
this case?
Re: Way to disable non-vhost requests?
Posted by Reindl Harald <h....@thelounge.net>.
yep, and a 403 triggered by httpd without calling a PHP script would
save a lot of resources if some stupid robots are doing a lot of requests
maybe you could use something like that which I previously did
too with a PHP script and LocationMatch
RedirectMatch 404 ^/.*admin-bak/(.*)$
RedirectMatch 404 ^/.*~admin/(.*)$
RedirectMatch 404 ^/.*backups/(.*)$
RedirectMatch 404 ^/.*backup/(.*)$
RedirectMatch 404 ^/.*_backup/(.*)$
... endless list of common searched vulnerable locations ...
Am 18.08.2013 20:59, schrieb Yehuda Katz:
> Just for my own servers, I usually create a default vhost and use mod_rewrite to send all requests to this script
> (simplified for post here).
>
> <?php
> header("HTTP/1.1 418 I'm a teapot");
> ?>
> <h1>I'm a teapot.</h1>
> <p>Well actually, I am a server, but I know about as much about what you requested as a teapot would. Please
> check your request and try again.</p>
>
>
> Not exactly what you are looking for, but fun.
> It is also easy to find in the logs because NOTHING uses that status.
>
>
> On Sun, Aug 18, 2013 at 12:55 PM, Stefan Fritsch <sf@sfritsch.de <ma...@sfritsch.de>> wrote:
>
> Hi,
>
> for setups that only use virtual hosts, it can be useful to deny
> requests in the main server context with a meaningful error message.
> This can make debugging configuration errors much easier.
>
> AFAICS, there is no easy way to achieve this. Or did I miss something?
> Any opinions about adding a new config directive for this purpose? If
> yes, how should this be named? AllowNonVHostRequests (with a default
> of 'yes')?
>
> An alternative would be to expose server_rec->is_virtual in the
> expression parser and have the admin add an appropriate <If> section
> to deny access. However this has higher overhead at run time and the
> error message in the log would be less descriptive.
>
> Cheers,
> Stefan
Re: Way to disable non-vhost requests?
Posted by Yehuda Katz <ye...@ymkatz.net>.
Just for my own servers, I usually create a default vhost and use
mod_rewrite to send all requests to this script (simplified for post here).
<?php
header("HTTP/1.1 418 I'm a teapot");
?>
<h1>I'm a teapot.</h1>
<p>Well actually, I am a server, but I know about as much about what you
requested as a teapot would. Please check your request and try again.</p>
Not exactly what you are looking for, but fun.
It is also easy to find in the logs because NOTHING uses that status.
- Y
On Sun, Aug 18, 2013 at 12:55 PM, Stefan Fritsch <sf...@sfritsch.de> wrote:
> Hi,
>
> for setups that only use virtual hosts, it can be useful to deny
> requests in the main server context with a meaningful error message.
> This can make debugging configuration errors much easier.
>
> AFAICS, there is no easy way to achieve this. Or did I miss something?
> Any opinions about adding a new config directive for this purpose? If
> yes, how should this be named? AllowNonVHostRequests (with a default
> of 'yes')?
>
> An alternative would be to expose server_rec->is_virtual in the
> expression parser and have the admin add an appropriate <If> section
> to deny access. However this has higher overhead at run time and the
> error message in the log would be less descriptive.
>
> Cheers,
> Stefan
>
>