Bug 56395 - Allow SERVER_ADDR environment variable to be optionally undisclosed
Summary: Allow SERVER_ADDR environment variable to be optionally undisclosed
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core (show other bugs)
Version: 2.5-HEAD
Hardware: All All
: P2 enhancement (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: PatchAvailable
Depends on:
Blocks:
 
Reported: 2014-04-11 18:26 UTC by Andre Nathan
Modified: 2022-02-25 17:51 UTC (History)
0 users



Attachments
Allow SERVER_ADDR to be undisclosed via a core directive (3.05 KB, patch)
2014-04-11 18:26 UTC, Andre Nathan
Details | Diff
Allow SERVER_ADDR to be undisclosed via an environment variable (741 bytes, patch)
2014-04-11 18:27 UTC, Andre Nathan
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Andre Nathan 2014-04-11 18:26:44 UTC
Created attachment 31516 [details]
Allow SERVER_ADDR to be undisclosed via a core directive

It may be useful to not disclose the web server's IP address to scripts running on the server. My use case for this is to aid in protection agains DDoS attacks, where a website's DNS zone is set up such that the server address is not published in a "guessable" way (eg. by pointing to a CDN provider and using a random DNS entry for sync'ing between the CDN and the server).

The attached patches implement this. The first one does that via a code configuration directive. In that case, if the user sets "ExportServerAddr Off", then the SERVER_ADDR environment variable will not be passed to scripts.

The second patch does the same, but using environment variables instead. In that case the user has to set "PassEnv HIDE_SERVER_ADDR" and then define this variable in the shell (eg. export HIDE_SERVER_ADDR=1). To revert to the default behavior, one only has to unset the variable (eg. unset HIDE_SERVER_ADDR).
Comment 1 Andre Nathan 2014-04-11 18:27:25 UTC
Created attachment 31517 [details]
Allow SERVER_ADDR to be undisclosed via an environment variable
Comment 2 Andre Nathan 2022-02-25 17:51:11 UTC
These patches are not necessary since 2.4.26, where ProxyFCGISetEnvIf can be used to override common environment variables.