[Bug 61328] New: provide straightforward option to only respond on configured hostnames

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Bug 61328] New: provide straightforward option to only respond on configured hostnames

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61328

            Bug ID: 61328
           Summary: provide straightforward option to only respond on
                    configured hostnames
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Core
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Currently, any hostname is accepted by the server, often funnelled into the
first-listed vhost of a set of name-based virtual hosts.  Lots of scanners flag
this in combination with UseCanonicalName OFF (default) as a problem.

While it's easy for power users to rig a default vhost to catch these things, I
think it would help usability to make it a first class directive/feature.

I am not sure if it's better to be something like a list of hostnames that
are VH idependent, or just a flag that says the hosts must match a
ServerName/ServerAlias (pushing the handling down into vhost.c).

Probably need to think how an htaccess-only consumer could make use of it. I
think this could have an effect on whether the config is always dependent on
virtual hosts or not.

Could even be a authz provider that read a note set by vhost.c.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Loading...