Posted to users@httpd.apache.org by André Warnier <aw...@ice-sa.com> on 2009/11/28 13:57:45 UTC

[users@httpd] Apache httpd does not respect the HTTP RFCs !

;-)
I just wanted, once, to use a subject line with capitals and an
exclamation mark.

It seems however that in this particular case, neither Tomcat nor Apache
httpd follow the rules, when they default to the .. default virtual host
in the case where they cannot find a match between the Host: header and
one of their defined virtual hosts.
Doesn't the following say that they MUST return a 400 status ?

http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.2



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Re: Apache httpd does not respect the HTTP RFCs !

Posted by Carsten Wiedmann <ca...@gmx.de>.
Carsten Wiedmann schrieb:
> It's the same as with:
> | RewriteRule ^.*$ - [R=400]
> 
> BTW:
> If "httpd-multilang-errordoc.conf" is enabled, none of the above solutions
> work nicely either, because now the error document shows:

Just for the record, this does the trick:
| NameVirtualHost *:80
|
| <VirtualHost *:80>
|     ServerName nonexistent
|
|     RewriteEngine On
|     RewriteCond %{IS_SUBREQ} false
|     RewriteCond %{REQUEST_URI} !/error/HTTP_BAD_REQUEST.html.var
|     RewriteRule ^.*$ - [R=400]
| </VirtualHost>


Regards,
Carsten




Re: [users@httpd] Re: Apache httpd does not respect the HTTP RFCs !

Posted by Pete Houston <ph...@openstrike.co.uk>.
On Mon, Jan 09, 2012 at 12:37:53PM +0000, jimmyhendrix wrote:
> I would like to change that status code on my httpd.conf  and set to the value
> 404 on the same page http://cmsboprd/page-indisponible/index.html?fmt=default

Have a read of this:

http://httpd.apache.org/docs/2.2/mod/core.html#errordocument

particularly the paragraph referring to remote URLs and then look through
your configuration to find where you have introduced this behaviour so
you can fix it.

HTH,

Pete
-- 
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107

[users@httpd] Re: Apache httpd does not respect the HTTP RFCs !

Posted by jimmyhendrix <nl...@yahoo.fr>.
Hi guys,

When requesting a non-existing page, like:

http://cmsboprd/notre-offre/services/pied-de-page/masque/index.html

I will get a non-available page 
http://cmsboprd/page-indisponible/index.html?fmt=default with a  status code 302.

I would like to change that status code on my httpd.conf  and set to the value
404 on the same page http://cmsboprd/page-indisponible/index.html?fmt=default

Please help me. I have been looking for a solution for almost a month.

Regards,

Jimmy








[users@httpd] Re: Apache httpd does not respect the HTTP RFCs !

Posted by Carsten Wiedmann <ca...@gmx.de>.
William A. Rowe Jr. schrieb:
>> Well, and the error document with [R=400] (or other status codes) is also
>> not multi language.
> 
> Right; presume for a moment that anyone hitting your server with a bogus dns
> reference or by-ip is doing so in a less-than-friendly, spidery or malicious
> manner.  Are they really worth sending an elegant error page to?

OK, for script kiddies it need not be multi-language (maybe just for
completeness).

It's more because of the common wildcard DNS. For a vhost I have deleted in
Apache, it might also be possible to set a status 410, but I guess 400 is
better (not only is the current URI gone, the whole host does not exist). Of
course, setting a 410 has the same "problem".


> I'm not certain if this works, but;
> 
> Redirect 400 /
> 
> or
> 
> RedirectMatch 400 .*

It's the same as with:
| RewriteRule ^.*$ - [R=400]

BTW:
If "httpd-multilang-errordoc.conf" is enabled, none of the above solutions
work nicely either, because now the error document shows:

| Bad Request
|
| Your browser sent a request that this server could not understand.
|
| Additionally, a 500 Internal Server Error error was encountered while
| trying to use an ErrorDocument to handle the request.

(and with [R=404] you have an additional error, because of  endless internal
redirects)

Regards,
Carsten




Re: [users@httpd] Re: Apache httpd does not respect the HTTP RFCs !

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
Carsten Wiedmann wrote:
> 
> Well, and the error document with [R=400] (or other status codes) is also
> not multi language.

Right; presume for a moment that anyone hitting your server with a bogus dns
reference or by-ip is doing so in a less-than-friendly, spidery or malicious
manner.  Are they really worth sending an elegant error page to?

You can't both set the code and trigger ErrorDocument; but of course patches
would be welcome.

I'm not certain if this works, but;

Redirect 400 /

or

RedirectMatch 400 .*

would more likely provide the proper error page you are looking for, but
I haven't tested this for you.



[users@httpd] Re: Apache httpd does not respect the HTTP RFCs !

Posted by Carsten Wiedmann <ca...@gmx.de>.
William A. Rowe Jr. schrieb:
>     RewriteRule .* - [R=400]

Hm, ok, I never realized that I can set status codes other than the
well-known redirect status codes (Redirection 3xx) in RewriteRule [R].
A little bit curious?

With [R=400] it's the same as with the Perl script (thanks for this hint).

Another thing:
I know [F] also exists, but if all status codes are valid (as I read in
the manual), [R=404] is not working correctly.

Well, and the error document with [R=400] (or other status codes) is also
not multi language.

Regards,
Carsten




Re: [users@httpd] Re: Apache httpd does not respect the HTTP RFCs !

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
Carsten Wiedmann wrote:
> William A. Rowe Jr. schrieb:
>> I agree it should be easier, Rich and I have it down to 3-4 lines of rewrite magic
>> to kick out a 400, but we should probably allow this to be explicit [default?]
> 
> That would be nice. And it would be nice if I were able to set the status
> code in a RewriteRule and/or Header directive.
> I guess you have seen my RewriteRule with the Perl script in my other message.
> Well, I'm only using a Perl script, because this is not possible (assuming
> httpd-multilang-errordoc.conf is enabled):
> | RewriteRule ^.*$ /error/HTTP_BAD_REQUEST.html.var \
>   [PT,NS,E=REDIRECT_STATUS:400]
> | Header set Status "400 Bad Request"
> 
> I'm getting my multi language error document, but I can't set the status
> header in this way.

You are going way overboard, I suspect.  Simply try;

NameVirtualHost *:80

# This MUST be the first host, it will be the default after all other
# hosts are evaluated and rejected.  The servername must simply be a
# name which is never used, so example.com is appropriate.
<VirtualHost *:80>
    ServerName bad.host.example.com
    RewriteEngine On
    RewriteRule .* - [R=400]
</VirtualHost>



[users@httpd] Re: Apache httpd does not respect the HTTP RFCs !

Posted by Carsten Wiedmann <ca...@gmx.de>.
William A. Rowe Jr. schrieb:
> I agree it should be easier, Rich and I have it down to 3-4 lines of rewrite magic
> to kick out a 400, but we should probably allow this to be explicit [default?]

That would be nice. And it would be nice if I were able to set the status
code in a RewriteRule and/or Header directive.
I guess you have seen my RewriteRule with the Perl script in my other message.
Well, I'm only using a Perl script, because this is not possible (assuming
httpd-multilang-errordoc.conf is enabled):
| RewriteRule ^.*$ /error/HTTP_BAD_REQUEST.html.var \
  [PT,NS,E=REDIRECT_STATUS:400]
| Header set Status "400 Bad Request"

I'm getting my multi language error document, but I can't set the status
header in this way.

Regards,
Carsten




Re: [users@httpd] Apache httpd does not respect the HTTP RFCs !

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
André Warnier wrote:
> ;-)
> I just wanted, once, to use a subject line with capitals and an
> exclamation mark.
> 
> It seems however that in this particular case, neither Tomcat nor Apache
> httpd follow the rules, when they default to the .. default virtual host
> in the case where they cannot find a match between the Host: header and
> one of their defined virtual hosts.
> Doesn't the following say that they MUST return a 400 status ?
> 
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.2

In theory, yes.  As a practical matter, no...

"""
An origin server that does not allow resources to differ by the requested host MAY ignore
the Host header field value when determining the resource identified by an HTTP/1.1 request.
"""

Apache httpd may operate in either mode.

I agree it should be easier, Rich and I have it down to 3-4 lines of rewrite magic
to kick out a 400, but we should probably allow this to be explicit [default?]



[users@httpd] Re: Apache httpd does not respect the HTTP RFCs !

Posted by Carsten Wiedmann <ca...@gmx.de>.
André Warnier schrieb:
> But it is interesting to see how in the end, a document such as RFC2616
> which is meant to "specify" a relatively strict set of rules, and of
> which I am sure the phrasing is examined carefully and repeatedly (it
> being after all a revision of an earlier document on the same topic),
> still leaves areas open to interpretation, or downright inconsistent.
> What is for example, in this case, a hostname which is /invalid/ on this
> host ?
> If the request reached this host, then it must be that for the DNS
> system, the hostname resolved to one of this physical host's IP
> addresses.  In that sense, any HTTP request which reaches the host could
> be deemed to address a valid hostname.

Yes and no. It's always up to the server (or server admin) if it's accepting
a given hostname or not. But if it's not accepting a hostname, it must
return a 400.

Well, there is no directive in Apache httpd to enable such strict hostname
tests; Apache always accepts all hostnames and routes them to the default
(v)host. And that's the reason I'm always using the name-based vhosts from my
last post, even if I normally only want an IP-based vhost (or no vhosts at
all).

BTW: If you want/must deal with IPs in the URIs, just add the IP for that
vhost as ServerAlias to the first regular VirtualHost block.

Regarding DNS:
Well, a normal browser asks a DNS server for the IP, then connects to that IP
and uses the server name from the URI for the Host header.

Example:
URI: http://www.apache.org/ (nslookup: 192.87.106.226)
| telnet 192.87.106.226 80
| GET / HTTP/1.1
| Host: www.apache.org
|

That's what a normal browser does. Well, apache.org also accepts all
hostnames, and so the next example shows the same homepage:
URI: http://www.apache.org/ (nslookup: 192.87.106.226)
| telnet 192.87.106.226 80
| GET / HTTP/1.1
| Host: www.microsoft.com
|

Well, I don't want this to happen on my servers, and with a name-based
vhost, a Perl script and a RewriteRule I have the behavior I want: an error
400 in this case. Also, Apache now only accepts a defined
ServerName/ServerAlias, and not all requests which are possible with a
wildcard DNS entry. But be careful with *.foo.com in ServerAlias.

Regards,
Carsten




Re: [users@httpd] Re: Apache httpd does not respect the HTTP RFCs !

Posted by André Warnier <aw...@ice-sa.com>.
Eric Covener wrote:
> On Sat, Nov 28, 2009 at 7:23 PM, Carsten Wiedmann <ca...@gmx.de> wrote:
>> André Warnier schrieb:
>>> So how do you enumerate invalid hosts explicitly then ?
>> Right, it's a little bit curious, that you can't set 400 with mod_rewrite
>> (or header), only 403 (or 410).
> 
> In 2.2.x you can probably use  [R=400]
> 
My original post was more like a jest or a provocation, rather than a 
real question.
But it is interesting to see how in the end, a document such as RFC2616 
which is meant to "specify" a relatively strict set of rules, and of 
which I am sure the phrasing is examined carefully and repeatedly (it 
being after all a revision of an earlier document on the same topic), 
still leaves areas open to interpretation, or downright inconsistent.
What is for example, in this case, a hostname which is /invalid/ on this 
host ?
If the request reached this host, then it must be that for the DNS 
system, the hostname resolved to one of this physical host's IP 
addresses.  In that sense, any HTTP request which reaches the host could 
be deemed to address a valid hostname.
Yet the HTTP server listening on that host (and port), may be configured 
to accept requests for several specific hostnames, but not the one 
mentioned in the request.  In that sense, Apache's defaulting to a 
"default" host whose name does not match the request hostname would be 
in contravention of the RFC.  Yet by the same token, Apache's defaulting 
to the default host and accepting the request, would seem to make the 
request's hostname "valid", since the request is accepted.
So basically, the HTTP RFC obliges the server to send a 400 response for 
an invalid host, but what is an invalid host is decided by the server.
Kind of circular as far as arguments go.




Re: [users@httpd] Re: Apache httpd does not respect the HTTP RFCs !

Posted by Eric Covener <co...@gmail.com>.
On Sat, Nov 28, 2009 at 7:23 PM, Carsten Wiedmann <ca...@gmx.de> wrote:
> André Warnier schrieb:
>> So how do you enumerate invalid hosts explicitly then ?
>
> Right, it's a little bit curious, that you can't set 400 with mod_rewrite
> (or header), only 403 (or 410).

In 2.2.x you can probably use  [R=400]

-- 
Eric Covener
covener@gmail.com



[users@httpd] Re: Apache httpd does not respect the HTTP RFCs !

Posted by Carsten Wiedmann <ca...@gmx.de>.
André Warnier schrieb:
> So how do you enumerate invalid hosts explicitly then ?

Right, it's a little bit curious, that you can't set 400 with mod_rewrite
(or header), only 403 (or 410).

That's what I'm always doing:

httpd-vhosts.conf:

| NameVirtualHost *:80
|
| <VirtualHost *:80>
|     ServerName nohost
|     RewriteEngine On
|     RewriteRule ^.*$ /cgi-bin/nohost.pl [PT,NS]
| </VirtualHost>
|
| <VirtualHost *:80>
|     ServerName host1.example.com
|     # other directives
| </VirtualHost>
|
| <VirtualHost *:80>
|     ServerName host2.example.com
|     # other directives
| </VirtualHost>
|
| # other vhosts


nohost.pl:

| #!/usr/bin/perl
| # CGI target of the catch-all vhost above. A CGI script sets the HTTP
| # response status through the "Status:" header; everything after the
| # blank line is the body, mirroring httpd's own 400 error page.
| use strict;
| use warnings;
|
| print "Status: 400 Bad Request\n";
| print "Content-type: text/html; charset=iso-8859-1\n\n";
|
| print "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n";
| print "<html>\n";
| print "<head>\n";
| print "<title>400 Bad Request</title>\n";
| print "</head>\n";
| print "<body>\n";
| print "<h1>Bad Request</h1>\n";
| print "<p>\n";
| print "Your browser sent a request that\n";
| print "this server could not understand.<br />\n";
| print "</p>\n";
| print "<hr>\n";
| # SERVER_SIGNATURE is only set when ServerSignature is On; avoid an
| # "uninitialized value" warning when it is not.
| print $ENV{"SERVER_SIGNATURE"} // "";
| print "</body>\n";
| print "</html>\n";

Regards,
Carsten
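The two behaviours discussed in this thread, as an added stand-alone example (not httpd code and not Carsten's script): a small HTTP/1.1 server that resolves the request's host by the rules of RFC 2616 section 5.2 and then either falls through to the first vhost, as httpd does by default, or answers 400 for any host that is not explicitly configured, as the catch-all vhost plus nohost.pl does. A raw-socket probe replays the telnet exchange shown earlier in the thread (same request with a Host header the server does not know). The vhost names host1/host2.example.com are taken from the config above; "www.microsoft.com" is the Host value from the telnet example; "bogus.invalid" and the loopback ports are assumptions for the demo.

```python
"""Stand-alone model of name-based vhost selection: permissive vs. strict."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Assumed vhost table (names from the config in the thread). Like httpd,
# the FIRST entry is the default vhost that serves requests matching nothing.
VHOSTS = ["host1.example.com", "host2.example.com"]


def resolve_host(request_path, host_header):
    """RFC 2616 s5.2, rules 1 and 2: an absolute Request-URI supplies the host
    and any Host header is ignored; otherwise the Host header is used.
    Returns a lowercased hostname without port, or None if there is none."""
    try:
        if request_path.lower().startswith(("http://", "https://")):
            return urlsplit(request_path).hostname          # rule 1
        if host_header is not None:
            return urlsplit("//" + host_header).hostname     # rule 2
    except ValueError:                                       # e.g. bad IPv6 literal
        pass
    return None


def decide(request_version, request_path, host_header, strict):
    """Return (status, vhost) for one request.
    strict=False reproduces httpd: unknown hosts fall through to VHOSTS[0].
    strict=True reproduces the catch-all vhost: unknown hosts get 400."""
    hostname = resolve_host(request_path, host_header)
    if hostname is None and request_version == "HTTP/1.1":
        return 400, None        # RFC 2616 s14.23: HTTP/1.1 without Host MUST be 400
    if hostname in VHOSTS:
        return 200, hostname    # host is valid on this server
    if strict:
        return 400, None        # rule 3: not a valid host here -> 400
    return 200, VHOSTS[0]       # httpd default: the first vhost answers anyway


class VHostHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"
    strict = False              # overridden per server in start_server()

    def do_GET(self):
        status, vhost = decide(self.request_version, self.path,
                               self.headers.get("Host"), self.strict)
        body = (f"served by {vhost}\n" if vhost else "Bad Request\n").encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_server(strict):
    """Start one server in a daemon thread on an ephemeral loopback port."""
    handler = type("Handler", (VHostHandler,), {"strict": strict})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(port, request_line, host_header=None):
    """Replay the telnet exchange from the thread over a raw socket and return
    the status code; host_header=None sends no Host line at all."""
    req = request_line + "\r\n"
    if host_header is not None:
        req += "Host: " + host_header + "\r\n"
    req += "Connection: close\r\n\r\n"
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(req.encode())
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return int(data.split(b" ", 2)[1])


def demo():
    """Run both modes and collect the status code each probe gets back."""
    results = {}
    for mode, strict in (("permissive", False), ("strict", True)):
        srv, port = start_server(strict)
        try:
            results[mode] = {
                "known_host": probe(port, "GET / HTTP/1.1", "host2.example.com"),
                "unknown_host": probe(port, "GET / HTTP/1.1", "www.microsoft.com"),
                "no_host_1.1": probe(port, "GET / HTTP/1.1"),
                "no_host_1.0": probe(port, "GET / HTTP/1.0"),
                "absolute_uri": probe(port, "GET http://host1.example.com/ HTTP/1.1",
                                      "bogus.invalid"),
            }
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for mode, codes in demo().items():
        for case, status in codes.items():
            print(f"{mode:10s} {case:13s} -> {status}")
```

Running it shows the permissive server answering 200 for "Host: www.microsoft.com" (the first vhost serves it) while the strict server answers 400, and both answering 400 to an HTTP/1.1 request with no Host header at all. The model deliberately ignores ServerAlias, wildcards and per-port vhost lists; on httpd the same first-vhost-is-default rule is what the `ServerName nohost` block in the config above exploits (on httpd 2.4 the NameVirtualHost line is no longer needed, but the ordering rule still applies).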





Re: [users@httpd] Apache httpd does not respect the HTTP RFCs !

Posted by Eric Covener <co...@gmail.com>.
On 11/28/09, André Warnier <aw...@ice-sa.com> wrote:
> Eric Covener wrote:
>
> > On 11/28/09, André Warnier <aw...@ice-sa.com> wrote:
> >
> > > ;-)
> > >  I just wanted, once, to use a subject line with capitals and an
> > >  exclamation mark.
> > >
> > >  It seems however that in this particular case, neither Tomcat nor
> Apache
> > >  httpd follow the rules, when they default to the .. default virtual
> host
> > >  in the case where they cannot find a match between the Host: header and
> > >  one of their defined virtual hosts.
> > >  Doesn't the following say that they MUST return a 400 status ?
> > >
> > >
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.2
> > >
> >
> > No, they only have to return a 400 when they believe the provided Host
> > is invalid on the server.  Neither server treats hostnames that have
> > not been explicitly enumerated as being invalid on the server, and
> > this is not a requirement of the RFC.
> >
> >
>
>  Aha. Thanks for the clarification.
>
>  So how do you enumerate invalid hosts explicitly then ?
>

I should have qualified that that is just my interpretation.  httpd
doesn't let you describe such a thing, as the name-based vhosts
"default vhost" behavior is not configurable.

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] Apache httpd does not respect the HTTP RFCs !

Posted by André Warnier <aw...@ice-sa.com>.
Eric Covener wrote:
> On 11/28/09, André Warnier <aw...@ice-sa.com> wrote:
>> ;-)
>>  I just wanted, once, to use a subject line with capitals and an
>>  exclamation mark.
>>
>>  It seems however that in this particular case, neither Tomcat nor Apache
>>  httpd follow the rules, when they default to the .. default virtual host
>>  in the case where they cannot find a match between the Host: header and
>>  one of their defined virtual hosts.
>>  Doesn't the following say that they MUST return a 400 status ?
>>
>> http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.2
> 
> No, they only have to return a 400 when they believe the provided Host
> is invalid on the server.  Neither server treats hostnames that have
> not been explicitly enumerated as being invalid on the server, and
> this is not a requirement of the RFC.
> 

Aha. Thanks for the clarification.

So how do you enumerate invalid hosts explicitly then ?







Re: [users@httpd] Apache httpd does not respect the HTTP RFCs !

Posted by Eric Covener <co...@gmail.com>.
On 11/28/09, André Warnier <aw...@ice-sa.com> wrote:
> ;-)
>  I just wanted, once, to use a subject line with capitals and an
>  exclamation mark.
>
>  It seems however that in this particular case, neither Tomcat nor Apache
>  httpd follow the rules, when they default to the .. default virtual host
>  in the case where they cannot find a match between the Host: header and
>  one of their defined virtual hosts.
>  Doesn't the following say that they MUST return a 400 status ?
>
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.2

No, they only have to return a 400 when they believe the provided Host
is invalid on the server.  Neither server treats hostnames that have
not been explicitly enumerated as being invalid on the server, and
this is not a requirement of the RFC.


-- 
Eric Covener
covener@gmail.com
