|Summary:||provide straightforward option to only respond on configured hostnames|
|Product:||Apache httpd-2||Reporter:||Eric Covener <covener>|
|Component:||Core||Assignee:||Apache HTTPD Bugs Mailing List <bugs>|
Description Eric Covener 2017-07-22 16:54:16 UTC
Currently, any hostname is accepted by the server, often funnelled into the first-listed vhost of a set of name-based virtual hosts. Lots of scanners flag this in combination with UseCanonicalName OFF (default) as a problem. While it's easy for power users to rig a default vhost to catch these things, I think it would help usability to make it a first-class directive/feature. I am not sure if it's better to be something like a list of hostnames that are VH independent, or just a flag that says the hosts must match a ServerName/ServerAlias (pushing the handling down into vhost.c). Probably need to think how an htaccess-only consumer could make use of it. I think this could have an effect on whether the config is always dependent on virtual hosts or not. Could even be an authz provider that read a note set by vhost.c.
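
The "default vhost" workaround the report mentions, sketched as an added example (not part of the original report and not httpd project code). The hostnames, the `default.invalid` placeholder name and the document root are assumptions; only plain HTTP on port 80 is covered.

```apache
# Constructed example: hostnames and paths are placeholders.
Listen 80

# The first <VirtualHost> listed for an address:port is the one httpd
# falls back to when the request's Host header matches no ServerName or
# ServerAlias. Listing a deny-all vhost first means unknown hostnames
# land here instead of on a real site.
<VirtualHost *:80>
    # Placeholder name that no client should legitimately request.
    ServerName default.invalid

    # Refuse every request that reaches the fallback vhost (403).
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# Real site: only requests whose Host header matches one of these
# names are routed here.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot "/var/www/example"

    # Build self-referential URLs from ServerName rather than from the
    # client-supplied Host header (the default is Off).
    UseCanonicalName On
</VirtualHost>
```

This relies on vhost ordering, which is the fragility the report wants a first-class directive to replace: a vhost added above the deny-all block in the loaded configuration silently becomes the new default.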