jdrnb007-0@xxxxxxxxx wrote:
Hello, I have come across a security issue, and one of the reasons is Apache allowing the serving of requests with an incorrect HOST header. Question in short: Is there an Apache directive which will reject requests with an incorrect or missing HOST header? I mean, if my Apache is serving one.xyz.com, reject all requests coming to that IP address and port using any other hostname, meaning reject 1.xyz.com or one.abc.com or 2.xyz.com or two.xyz.com. And second, why would Apache allow that in the first place, especially if we are not using name-based VHosting?
[...] I'll try an answer for you, based on my own understanding of HTTP and Apache matters.
I believe that this is not a security issue. It is just the way in which DNS and HTTP work, and are supposed to work.
First, your second question: Apache allows that because that is the way HTTP is supposed to work. Basically, if you are not using name-based virtual hosting, then the httpd server does not care about the human-readable (DNS) name that you used to send the HTTP request to this particular HTTP server host. It gets an HTTP request on its listening IP address and port, so it answers. In other words, the webserver gets the "Host:" header sent by the browser, but it just ignores it. And that is the way it is supposed to work.
Now about your first question (how to reject requests with the "wrong" host name): The easiest way that I can think of, and without changing anything on your front-end, is to set up your server to *do* name-based virtual hosting, as follows:
- define a first Virtual Host with some ServerName that does not exist in the DNS. Because that is the first defined Virtual Host, it will serve as a default for all HTTP requests that either have no "Host:" header, or where the "Host:" header contains something that Apache cannot match with a specific defined virtual host.
- then define a second Virtual Host with the ServerName that you want to allow. This one will handle all requests that *do* have the correct hostname.
In the configuration of the first Virtual Host (the default one), set your permissions so that everything is forbidden. Like:
    <VirtualHost *:80>
        ServerName forbidden.local
        DocumentRoot /var/www/forbidden
        <Directory /var/www/forbidden>
            # Apache 2.2 access-control syntax; on Apache 2.4 the
            # equivalent is "Require all denied"
            Deny from all
        </Directory>
    </VirtualHost>

In the configuration of the second virtual host (the real one), set the permissions normally.

    <VirtualHost *:80>
        ServerName myrealhost.mydomain.com
        DocumentRoot /var/www/myrealhost
        <Directory /var/www/myrealhost>
            # Apache 2.2 access-control syntax; on Apache 2.4 the
            # equivalent is "Require all granted"
            Allow from all
        </Directory>
        etc..
    </VirtualHost>

This second VirtualHost will answer *only* for requests that are specifically directed to the hostname "myrealhost.mydomain.com". All other requests will, by default, be processed by the first VirtualHost (and rejected). You can then, if you want, set the ErrorDocument of the first virtual host in such a way that it tells people to use the correct name.
Hope this helps
André

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
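The "forbidden default vhost" policy in the answer above relies on the rules httpd uses to pick a name-based virtual host: the Host: value is compared case-insensitively with the port (and a trailing dot) stripped, the first vhost defined for the ip:port is the default when nothing matches, and an HTTP/1.1 request with no Host: header gets a 400 before any vhost is consulted. The following Python is an added example that models those rules offline so the policy can be checked before touching a live server; it is not code from the post or from the httpd project. The VHost class, select_vhost, decide and the two-vhost CONFIG are hypothetical names chosen for this example, and it goes slightly beyond the post by also honouring ServerAlias names (exact names only, no wildcards).

```python
"""Offline model of httpd's name-based <VirtualHost> selection.

Hypothetical example code (not from the mailing-list post or the Apache
httpd project). It mirrors the matching rules httpd applies to the Host:
header so the "deny everything in the first vhost" policy from the post
can be checked without a running server.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class VHost:
    server_name: str
    aliases: List[str] = field(default_factory=list)  # ServerAlias entries (exact names only)
    allowed: bool = True  # False models "Deny from all" / "Require all denied"


def normalise_host(host_header: str) -> str:
    """Canonicalise a Host: value the way httpd does before matching:
    lower-case, strip whitespace, drop the :port suffix and a trailing dot.
    IPv6 literals keep their brackets ("[::1]:8080" -> "[::1]")."""
    h = host_header.strip().lower()
    if h.startswith("["):
        end = h.find("]")
        return h[: end + 1] if end != -1 else h
    h = h.split(":", 1)[0]
    return h.rstrip(".")


def select_vhost(vhosts: List[VHost], host_header: Optional[str],
                 http_version: str = "HTTP/1.1") -> Optional[VHost]:
    """Return the vhost that would serve the request, or None when httpd
    would answer 400 (HTTP/1.1 request without a Host: header)."""
    if not vhosts:
        raise ValueError("no <VirtualHost> defined for this ip:port")
    if host_header is None or host_header.strip() == "":
        if http_version == "HTTP/1.1":
            return None  # Host: is mandatory in HTTP/1.1; httpd sends 400
        return vhosts[0]  # HTTP/1.0 without Host: lands on the default vhost
    wanted = normalise_host(host_header)
    for vh in vhosts:
        names = [vh.server_name] + list(vh.aliases)
        if any(wanted == n.lower() for n in names):
            return vh
    return vhosts[0]  # no ServerName/ServerAlias matched: first vhost is the default


def decide(vhosts: List[VHost], host_header: Optional[str],
           http_version: str = "HTTP/1.1") -> int:
    """HTTP status the request would get under the configured policy:
    400 for a missing Host:, 403 for the forbidden default vhost, 200 otherwise."""
    vh = select_vhost(vhosts, host_header, http_version)
    if vh is None:
        return 400
    return 200 if vh.allowed else 403


# Constructed configuration mirroring the two vhosts from the post:
# the first (forbidden.local) is the default and denies everything,
# the second is the only name that is actually served.
CONFIG = [
    VHost("forbidden.local", allowed=False),
    VHost("myrealhost.mydomain.com"),
]

if __name__ == "__main__":
    for host in ["myrealhost.mydomain.com", "MyRealHost.MyDomain.com:80",
                 "1.xyz.com", "203.0.113.10", None]:
        print(f"Host: {host!r:35} -> {decide(CONFIG, host)}")
```

Two practical checks follow from the model: a request for the server's bare IP address (or any name that merely resolves to it) lands on the default vhost and is refused, which is exactly what the original question asked for; and a request with no Host: header is refused by httpd itself for HTTP/1.1, so the forbidden vhost only has to cover HTTP/1.0 clients and wrong names.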