Bug 61328

Summary: provide straightforward option to only respond on configured hostnames
Product: Apache httpd-2
Reporter: Eric Covener <covener>
Component: Core
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Severity: enhancement
Keywords: FixedInTrunk
Priority: P2
Version: 2.5-HEAD
Target Milestone: ---
Hardware: PC
OS: Linux

Description Eric Covener 2017-07-22 16:54:16 UTC
Currently, any hostname is accepted by the server, often funnelled into the first-listed vhost of a set of name-based virtual hosts.  Lots of scanners flag this in combination with UseCanonicalName OFF (default) as a problem.

While it's easy for power users to rig a default vhost to catch these things, I think it would help usability to make it a first class directive/feature.

I am not sure if it's better to be something like a list of hostnames that are VH independent, or just a flag that says the hosts must match a ServerName/ServerAlias (pushing the handling down into vhost.c).

Probably need to think how an htaccess-only consumer could make use of it. I think this could have an effect on whether the config is always dependent on virtual hosts or not.

Could even be an authz provider that reads a note set by vhost.c.

Comment 1 atten 2019-06-28 03:29:51 UTC
Thank you very much, I like your article, it can help me.

Comment 2 Eric Covener 2020-02-17 14:19:54 UTC
StrictHostCheck committed long ago
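
The two approaches discussed in this report, as an added configuration example that is not part of the original thread or the project's own documentation: the "default vhost" workaround from the description, and the `StrictHostCheck` directive named in Comment 2. Hostnames and paths are constructed placeholders, and the `StrictHostCheck ON` syntax and its trunk-only availability are assumptions taken from the trunk documentation.

```apache
# Constructed example; hostnames and paths are placeholders.

# --- Approach 1: catch-all default vhost (the "power user" workaround) ---
# The first-listed vhost for an ip:port receives every request whose Host
# header matches no ServerName/ServerAlias, so make that vhost refuse
# everything instead of serving a real site.
<VirtualHost *:80>
    ServerName catchall.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# Real sites follow; only their listed names reach them.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot "/var/www/example"
</VirtualHost>

# --- Approach 2: StrictHostCheck (alternative to the catch-all above) ---
# Assumption: trunk syntax is "StrictHostCheck ON|OFF", default OFF.
# With it ON, a request whose hostname is not listed by ServerName or
# ServerAlias in the best-matching vhost is rejected rather than being
# funnelled into the first-listed vhost.
# StrictHostCheck ON
```

After either change, a request with an unlisted Host header (for example `curl -H "Host: unlisted.invalid" http://127.0.0.1/`) should be refused, while requests for `www.example.com` are still served.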