On 12/09/16 15:25, Rainer Canavan wrote:
> However, in this example, you'd add a virtualhost that may expose globally configured resources without the individual access controls of the "real" vhosts. On top of that, the additional vhost may not see any significant testing in case of configuration changes.

I don't get it, can you please provide an example? IMO any additional vhosts should not depend at all on what's inside this vhost.

> Do _exactly_ that, e.g. with a RewriteRule to - and RewriteCond that checks the Host: header.

You mean, outside any virtualhost? Why do you think it's better? Initial problem was default virtualhost -- I want none. Your method only protects from absence of Host header, not from incorrect Host header, SNI etc. IMO presupposing Apache vhost selection is a bad solution here.

> If you're really serious, you'd also have to make sure that any error messages don't contain the hostname, and you'd have to set reverse DNS lookups to point to a useless name.

I did.

> Overall I'd say that the negligible gain in perceived security isn't worth the effort or the additional risks (both regarding security and availability).

Well, for one thing log messages from actual vhosts and from internet scans are separated, this alone saves a lot of time.
--
With Best Regards,
Marat Khalili
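
The two approaches debated in this thread, sketched side by side as an added example (not configuration posted by either participant). Hostnames, paths and log file names are placeholders, and placing the rewrite check inside the first vhost is an assumption, since the thread leaves its location open.

```apache
# Added example; all names and paths below are placeholders.

# Approach A: explicit catch-all vhost. httpd uses the first <VirtualHost>
# for an address:port as the default, so requests whose Host header matches
# no ServerName/ServerAlias (or that carry none) are served from it.
<VirtualHost *:80>
    ServerName catchall.invalid
    # Scanner traffic is logged apart from the real sites.
    ErrorLog  "logs/catchall_error.log"
    CustomLog "logs/catchall_access.log" combined
    # Keep the server name out of generated error pages.
    ServerSignature Off
    # Deny every URL, including paths reachable through server-wide
    # Alias or ProxyPass directives that vhosts inherit.
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/var/www/example"
    ErrorLog  "logs/example_error.log"
    CustomLog "logs/example_access.log" combined
    <Directory "/var/www/example">
        Require all granted
    </Directory>
</VirtualHost>

# Approach B: no dedicated vhost; the first (default) vhost is a real site
# and rejects foreign Host headers itself. Shown commented out because it
# replaces Approach A rather than combining with it.
#<VirtualHost *:80>
#    ServerName www.example.com
#    DocumentRoot "/var/www/example"
#    RewriteEngine On
#    RewriteCond %{HTTP_HOST} !^www\.example\.com(:80)?$ [NC]
#    RewriteRule ^ - [F]
#</VirtualHost>
```

With Approach A, rejected requests land in the catch-all log files; with Approach B they appear in the real site's logs as 403 responses.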