
Re: https vhosts

> On 24.05.2018 at 14:22, Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
> On Thu, May 24, 2018 at 2:09 PM, Eric Covener <covener@xxxxxxxxx> wrote:
>> Thinking about base server and how scanners report it the "vulnerability"...
>> AllowUnmatchedHost[name]?
>> RejectUnknownHost[name]?
> The one or the other is probably a better name than UseDefaultVHost,
> it allows to specify it by vhost (really meaningful on base servers
> though) OR globally to avoid using fake base servers in the whole
> configuration (when relevant).
> Looks good to me.

Like it. For simplicity, I think it should only be global. 

Using it in the first vhost has the same effect. Using it
in a subsequent vhost will have no effect. Does not really make sense, does it?

So, proposal:

RejectUnknownHosts [ on | off ]   (Default: off)

as core directive.

For mod_ssl, it would be good to move its "ssl_find_vhost()" partially
into the core. We could add a method

AP_DECLARE(server_rec *) ap_vhost_find_server(conn_rec *c, const char *hostname);

that returns the match, the base or NULL if rejected. That would remove 
parts of the vhost matching implementation in mod_ssl and we would not
need to expose the core config.
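The lookup semantics proposed in this message (return the matching vhost, else the base server, else NULL when unknown hosts are rejected), as an added stand-alone example; it is not httpd code, and `vhost`, `server_conf` and `find_vhost` are simplified stand-ins for `server_rec`, the core config and `ap_vhost_find_server`:

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Hypothetical, simplified model of the proposal: not httpd's real
 * server_rec/conn_rec types. */
typedef struct vhost {
    const char *server_name;
    const char **aliases;       /* NULL-terminated list of ServerAlias names */
    struct vhost *next;
} vhost;

typedef struct {
    vhost *base;                /* first vhost: the base/default server */
    int reject_unknown_hosts;   /* the proposed global RejectUnknownHosts on|off */
} server_conf;

/* Case-insensitive match against ServerName and every ServerAlias. */
static int name_matches(const vhost *v, const char *hostname)
{
    if (strcasecmp(v->server_name, hostname) == 0)
        return 1;
    for (const char **a = v->aliases; a && *a; a++)
        if (strcasecmp(*a, hostname) == 0)
            return 1;
    return 0;
}

/* Returns the matching vhost, the base server when the host is unknown (or
 * absent, e.g. no SNI) and RejectUnknownHosts is off, or NULL when it is on,
 * meaning the caller must reject the request instead of serving the base. */
vhost *find_vhost(const server_conf *conf, const char *hostname)
{
    if (hostname && *hostname) {
        for (vhost *v = conf->base; v; v = v->next)
            if (name_matches(v, hostname))
                return v;
    }
    return conf->reject_unknown_hosts ? NULL : conf->base;
}

/* Constructed sample configuration: two vhosts, one alias, both directive settings. */
static const char *www_aliases[] = { "example.org", NULL };
static vhost v_api = { "api.example.com", NULL, NULL };
static vhost v_www = { "www.example.com", www_aliases, &v_api };
static server_conf conf_lenient = { &v_www, 0 };
static server_conf conf_strict  = { &v_www, 1 };
```

With `conf_strict`, a request carrying an unknown or missing hostname yields NULL rather than silently landing on the base server, which is the behaviour scanners flag when they probe a TLS vhost with an arbitrary Host name.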