On Sun, 27 Aug 2023 22:48:28 +0100 Barry <barry@xxxxxxxxxxxxxxxx> wrote: > > On 27 Aug 2023, at 16:40, Franta Hanzlík via users <users@xxxxxxxxxxxxxxxxxxxxxxx> wrote: > > > > When a request is received, the server first maps it to the best matching <VirtualHost> based on the local IP address and port combination only. Non-wildcards have a higher precedence. > > The HTTP Host header is also used to match to the ServerName of the VirtualHost. > I host 2 domains on the same IP and port, as is typical for web hosting services. > > When you browse to a url like https:/example.com/stuff what browser will do is > Do a DNS look of the domain name, example.com, and connect to that IP address. > It will use the default port if an explicit one is not in the url, 443 is this case. > The HTTP request will start like this > > GET /stuff > Host: example.com > > All browsers and HTTP libraries will put the Host header in these days because if virtusl hosting. Hi Barry, thank for reply. I agree, legitimate clients will use this "Host" header (including SNI in HTTPS requests). But "bad" attacking clients probably won't, they'll probably only scan and use IP addresses. This is clear to me anyway, my point was how to optimally use the layout used in Fedora to design robust and secure virtual websites. And perhaps even including the use of the mod_security module in all VirtualHosts, but with different rules and exceptions in each VirtualHost ... ;) --- Frant HanzlIk _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
