Posted to docs@httpd.apache.org by Apache Wiki <wi...@apache.org> on 2011/08/29 23:00:51 UTC

[Httpd Wiki] Update of "InvalidHost" by thumbs

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The "InvalidHost" page has been changed by thumbs:
http://wiki.apache.org/httpd/InvalidHost

New page:
= Rejecting clients with an invalid Host: header =

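This short article describes how to use mod_security to block HTTP clients that send a broken (empty) or missing Host: header. The same rule set also drops requests with a missing or empty User-Agent: header and requests that use the CONNECT or TRACE methods. The IfModule lines are not mandatory.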

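    <IfModule mod_security2.c>
            SecAuditEngine Off
            SecRuleEngine On
            # ModSecurity 2.7 and later require a unique id on every rule; the ids below are example values.
            # Drop CONNECT and TRACE; t:lowercase lets the lowercase pattern match the method as sent.
            SecRule REQUEST_METHOD "^((?:connect|trace))$" "id:1001,log,drop,phase:1,t:lowercase"
            # Drop requests where the header is absent (& counts the occurrences of the header).
            SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "id:1002,log,drop,phase:1"
            SecRule &REQUEST_HEADERS:Host "@eq 0" "id:1003,log,drop,phase:1"
            # Drop requests where the header is present but has an empty value.
            SecRule REQUEST_HEADERS:User-Agent "^$" "id:1004,log,drop,phase:1"
            SecRule REQUEST_HEADERS:Host "^$" "id:1005,log,drop,phase:1"
    </IfModule>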
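
An offline model of the rule set above, added here as an example (it is not part of the wiki page and is not ModSecurity code). It shows why each header needs two rules: the count check catches an absent header, while the `^$` check only ever sees headers that are present. The sample requests are constructed, the names `parse` and `verdict` are hypothetical, and the method is assumed to be compared case-insensitively.

```python
import re

# Constructed sample requests (not taken from the page).
SAMPLES = {
    "normal":     b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/8.0\r\n\r\n",
    "no_host":    b"GET / HTTP/1.0\r\nUser-Agent: curl/8.0\r\n\r\n",
    "empty_host": b"GET / HTTP/1.1\r\nHost:\r\nUser-Agent: curl/8.0\r\n\r\n",
    "no_ua":      b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "trace":      b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/8.0\r\n\r\n",
}

def parse(raw):
    """Split a raw request head into (method, {lowercased header name: [values]})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0]
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, headers

def verdict(raw):
    """Return the first check that would drop the request, in rule order, or None."""
    method, headers = parse(raw)
    # Rule 1: REQUEST_METHOD against ^((?:connect|trace))$
    if re.fullmatch(r"connect|trace", method.lower()):
        return "method"
    # Rules 2-3: &REQUEST_HEADERS:<name> "@eq 0" (the header does not occur at all)
    for name in ("user-agent", "host"):
        if len(headers.get(name, [])) == 0:
            return f"missing {name}"
    # Rules 4-5: REQUEST_HEADERS:<name> "^$" (evaluated only on values that exist)
    for name in ("user-agent", "host"):
        if any(re.search(r"^$", value) for value in headers[name]):
            return f"empty {name}"
    return None

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:12s} -> {verdict(raw) or 'allowed'}")
```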
