Posted to dev@httpd.apache.org by Eric Covener <co...@gmail.com> on 2017/11/30 03:08:48 UTC

directive to reject non-configured hostnames w/o needing catch-all virtual hosts?

At $dayjob I am seeing a lot of users running scans that flag any HTTP
response that incorporates the Host header into the response as
"vulnerable", even if the host is syntactically valid.

AIUI the standard solution is to create a default NVH for each
host:port combo to trap unknowns and use it to return an error.  But
this is a lot of work.  Rewrite has its own baggage (add it global,
add it to each VH, add it before other rewrites)

(things like proxy and CGI/PHP mean UseCanonicalName is insufficient)

Nothing currently crawls all ServerName/ServerAlias, because we always
select the best IP-based match first, then compare strings from the
result.

Is anyone else interested in another way to configure this? Would you
want to crawl all servername/serveralias when enabled or pass in a
separate whitelist to a new directive?  With the latter, you could at
least make sure the e.g. *.example.com showed up without checking the
gory details.


-- 
Eric Covener
covener@gmail.com
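
The two stock approaches described in the post above (a default name-based
virtual host per address:port that traps unknown Host headers, and the
per-vhost mod_rewrite guard with its ordering "baggage"), written out as an
added configuration example. This is not part of the original thread or of
httpd's own documentation; the file path, hostnames, certificate paths and
log paths are assumptions, and the syntax is Apache 2.4.

```apache
# /etc/httpd/conf.d/00-default.conf (assumed path). The numeric prefix makes
# this file load before the site configs: the FIRST <VirtualHost> defined for
# an address:port is the one httpd serves when no ServerName/ServerAlias
# matches the Host header (or when there is no Host header at all).

# --- Approach 1: one catch-all default vhost per address:port ---------------
<VirtualHost *:80>
    # .invalid is a reserved TLD (RFC 2606), so this ServerName can never
    # collide with a real site and is never a useful redirect target.
    ServerName default.invalid
    DocumentRoot /var/www/empty
    # Fixed 403 for every path: nothing from the request is echoed back, so a
    # scanner injecting Host: attacker.example gets no reflection to flag.
    <Location "/">
        Require all denied
    </Location>
    # Keep rejected junk out of the production sites' logs.
    ErrorLog  /var/log/httpd/unknown-host-error.log
    CustomLog /var/log/httpd/unknown-host-access.log combined
</VirtualHost>

<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    # A self-signed cert is fine: clients presenting an unknown SNI name, or
    # no SNI at all, land here and nothing legitimate should ever match.
    SSLCertificateFile    /etc/pki/tls/certs/default.crt
    SSLCertificateKeyFile /etc/pki/tls/private/default.key
    DocumentRoot /var/www/empty
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# Real sites follow. Any Host not listed in a ServerName/ServerAlias below
# falls through to the catch-all above, with no per-site changes needed.
<VirtualHost *:80>
    ServerName  www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/example
</VirtualHost>

# --- Approach 2: per-vhost mod_rewrite guard --------------------------------
# Only needed where a catch-all cannot be added (e.g. you do not control the
# first vhost on the address:port). Repeat in every vhost you want protected.
<VirtualHost *:80>
    ServerName  app.example.org
    DocumentRoot /var/www/app
    RewriteEngine On
    # Must come before every other RewriteRule in this vhost: an earlier rule
    # ending in [L] or [P] would finish rewriting (or proxy the request) before
    # the check runs. %{HTTP_HOST} may carry a port, hence the (:80)? group.
    RewriteCond %{HTTP_HOST} !^app\.example\.org(:80)?$ [NC]
    RewriteRule ^ - [F]
    # ... the site's own RewriteRules go after the guard ...
</VirtualHost>
```

To check the result without DNS, send a request with a bogus Host to the
listening address (`curl -si -H 'Host: attacker.example' http://127.0.0.1/`
should return the fixed 403) and a legitimate one
(`curl -si --resolve www.example.com:80:127.0.0.1 http://www.example.com/`
should reach the real site). Because the default vhost also receives HTTP/1.0
requests that carry no Host header, it is worth confirming those get the same
fixed response. On the TLS listener, a Host header naming a different vhost
than the SNI name is rejected by httpd 2.4 itself before either approach is
consulted.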

Re: directive to reject non-configured hostnames w/o needing catch-all virtual hosts?

Posted by Stefan Eissing <st...@greenbytes.de>.
That sounds like a simple feat for mod_md, since it scans and
collects that information already.

> Am 30.11.2017 um 04:08 schrieb Eric Covener <co...@gmail.com>:
> 
> At $dayjob I am seeing a lot of users running scans that flag any HTTP
> response that incorporates the Host header into the response as
> "vulnerable", even if the host is syntactically valid.
> 
> AIUI the standard solution is to create a default NVH for each
> host:port combo to trap unknowns and use it to return an error.  But
> this is a lot of work.  Rewrite has its own baggage (add it global,
> add it to each VH, add it before other rewrites)
> 
> (things like proxy and CGI/PHP mean UseCanonicalName is insufficient)
> 
> Nothing currently crawls all ServerName/ServerAlias, because we always
> select the best IP-based match first, then compare strings from the
> result.
> 
> Is anyone else interested in another way to configure this? Would you
> want to crawl all servername/serveralias when enabled or pass in a
> separate whitelist to a new directive?  With the latter, you could at
> least make sure the e.g. *.example.com showed up without checking the
> gory details.
> 
> 
> -- 
> Eric Covener
> covener@gmail.com