Bug 56395

Summary: Allow SERVER_ADDR environment variable to be optionally undisclosed
Product: Apache httpd-2 Reporter: Andre Nathan <andre>
Component: CoreAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: enhancement Keywords: PatchAvailable
Priority: P2    
Version: 2.5-HEAD   
Target Milestone: ---   
Hardware: All   
OS: All   
Attachments: Allow SERVER_ADDR to be undisclosed via a core directive
Allow SERVER_ADDR to be undisclosed via an environment variable

Description Andre Nathan 2014-04-11 18:26:44 UTC
Created attachment 31516 [details]
Allow SERVER_ADDR to be undisclosed via a core directive

It may be useful to not disclose the web server's IP address to scripts running on the server. My use case for this is to aid in protection agains DDoS attacks, where a website's DNS zone is set up such that the server address is not published in a "guessable" way (eg. by pointing to a CDN provider and using a random DNS entry for sync'ing between the CDN and the server).

The attached patches implement this. The first one does that via a code configuration directive. In that case, if the user sets "ExportServerAddr Off", then the SERVER_ADDR environment variable will not be passed to scripts.

The second patch does the same, but using environment variables instead. In that case the user has to set "PassEnv HIDE_SERVER_ADDR" and then define this variable in the shell (eg. export HIDE_SERVER_ADDR=1). To revert to the default behavior, one only has to unset the variable (eg. unset HIDE_SERVER_ADDR).
Comment 1 Andre Nathan 2014-04-11 18:27:25 UTC
Created attachment 31517 [details]
Allow SERVER_ADDR to be undisclosed via an environment variable