Re: Apache httpd does not respect the HTTP RFCs !

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



André Warnier schrieb:
> But is is interesting to see how in the end, a document such as RFC2616
> which is meant to "specify" a relatively strict set of rules, and of
> which I am sure the phrasing is examined carefully and repeatedly (it
> being after all a revision of an earlier document on the same topic),
> still leaves areas open to interpretation, or downright inconsistent.
> What is for example, in this case, a hostname which is /invalid/ on this
> host ?
> If the request reached this host, then it must be that for the DNS
> system, the hostname resolved to one of this physical host's IP
> addresses.  In that sense, any HTTP request which reaches the host could
> be deemed to address a valid hostname.

Yes and no. It's always up to the server (or server admin) if it's accepting
a given hostname or not. But if it's not accepting a hostname, it must
return a 400.

Well, there is no directive in Apache httpd to enable such strict hostname
tests and Apache is always accepting all hostnames and is routing this to
the default (v)host. And that's the reason I'm always using the namebased
vhosts from my last post. Even I normally only want have an ip-based vhost
(or no vhosts at all).

BTW: If you want/must deal with IPs in the URIs, just add the IP for that
vhost as ServerAlias to the first regular VirtualHost block.

Regarding DNS:
Well, a normal browser is asking a dns server for the IP, and then is
connecting to that IP and using the servername from the URI for the Host header.

Example:
URI: http://www.apache.org/ (nslookup: 192.87.106.226)
| telnet 192.87.106.226 80
| GET / HTTP/1.1
| Host: www.apache.org
|

That's what a normal browser is doing. Well, apache.org is also accepting
all hostnames, and so the next example shows the same homapage:
URI: http://www.apache.org/ (nslookup: 192.87.106.226)
telnet 192.87.106.226 80
| GET / HTTP/1.1
| Host: www.microsoft.com
|

Well, I don't want that this happens on my servers, and with a namebased
vhost, a perl script and a rewriterule I have the behavior I want: an error
400 in this case. Also Apache is now only accepting a defined
ServerName/ServerAlias, and not all requests which are possible with a
wildcard dns entry. But be careful with *.foo.com in ServerAlias.

Regards,
Carsten


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux