Re: 2.4 named virtual hosts question

On Mon, Sep 12, 2016 at 3:21 PM, Marat Khalili <mkh@xxxxxx> wrote:
> On 12/09/16 15:25, Rainer Canavan wrote:
>>
>>
>> However, in this example, you'd add a virtualhost that may expose
>> globally configured resources without the individual access controls of
>> the "real" vhosts. On top of that, the additional vhost may not see any
>> significant testing in case of configuration changes.
>
> I don't get it, can you please provide an example? IMO any additional vhosts
> should not depend at all on what's inside this vhost.

The obvious ones I can come up with would be Alias, ScriptAlias,
FastCGIExternalServer, Action and RewriteRule. All those can be defined
in the global context (i.e. outside of any vhost) and are valid for all
vhosts (for RewriteRule, that may require RewriteOptions Inherit); all
others simply apply to all vhosts.

>> Do _exactly_ that, e.g. with a RewriteRule to - and RewriteCond that
>> checks the Host: header.
>
> You mean, outside any virtualhost? Why do you think it's better? Initial
> problem was default virtualhost -- I want none.

That's exactly what I'm saying. A default vhost has the potential to add
more problems than it can ever solve.

[...]

>> Overall I'd say that the negligible gain in
>> perceived security isn't worth the effort or the additional risks
>> (both regarding security and availability).
>
> Well, for one thing log messages from actual vhosts and from internet scans
> are separated, this alone saves a lot of time.

Finally, an actual, measurable benefit, although it only filters out the
not-too-smart scanners.

rainer
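
An added example, not part of the original message or of Apache httpd: a small audit that lists the directives named above when they sit outside any VirtualHost, and reports which vhosts (a catch-all included) carry no Directory/Location section of their own for a globally aliased path. The hostnames, paths and function names are hypothetical, and treating "has its own section for the path" as a sign of per-vhost access control is a simplifying assumption.

```python
import re
# Directives the message names as valid in the global (server) context.
GLOBAL_CAPABLE = {"alias", "scriptalias", "fastcgiexternalserver", "action", "rewriterule"}
# Constructed sample configuration (hypothetical hosts and paths).
SAMPLE_CONF = """\
Alias /status-pages /srv/shared/status
ScriptAlias /cgi-bin/ /srv/shared/cgi-bin/
RewriteRule ^/old$ /new [R]
<VirtualHost *:80>
    ServerName catchall.example.test
</VirtualHost>
<VirtualHost *:80>
    ServerName www.example.test
    <Directory /srv/shared/status>
        Require ip 192.0.2.0/24
    </Directory>
</VirtualHost>
"""

def audit(conf):
    """Return (global_hits, vhosts) for the text of an httpd configuration."""
    hits, vhosts, stack = [], [], []
    for line in map(str.strip, re.sub(r"\\\n", " ", conf).splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<(\w+)\s*(.*?)>\s*$", line)
        if line.startswith("</"):
            del stack[-1:]  # leave the innermost open section
        elif opened:
            name = opened.group(1).lower()
            if name == "virtualhost":
                vhosts.append({"name": None, "sections": set()})
            elif "virtualhost" in stack and name in ("directory", "location"):
                vhosts[-1]["sections"].add(opened.group(2).strip('" ').rstrip("/"))
            stack.append(name)
        else:
            parts = line.split()
            if "virtualhost" not in stack and parts[0].lower() in GLOBAL_CAPABLE:
                hits.append((parts[0], parts[1:]))  # applies to every vhost
            elif "virtualhost" in stack and parts[0].lower() == "servername":
                vhosts[-1]["name"] = parts[-1]
    return hits, vhosts

def unguarded(conf):
    """Per vhost: global Alias/ScriptAlias URL paths it has no own section for."""
    hits, vhosts = audit(conf)
    paths = [a for d, a in hits if d.lower() in ("alias", "scriptalias") and len(a) >= 2]
    return {v["name"]: [a[0] for a in paths if not {a[0].rstrip("/"), a[1].rstrip("/")} & v["sections"]]
            for v in vhosts}
```

A global RewriteRule is listed by `audit` as well, but whether it takes effect in a given vhost depends on RewriteOptions Inherit, which this sketch does not evaluate.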
