Bug 61328 - provide straightforward option to only respond on configured hostnames
Summary: provide straightforward option to only respond on configured hostnames
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core (show other bugs)
Version: 2.5-HEAD
Hardware: PC Linux
: P2 enhancement (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-22 16:54 UTC by Eric Covener
Modified: 2017-07-22 16:54 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Eric Covener 2017-07-22 16:54:16 UTC
Currently, any hostname is accepted by the server, often funnelled into the first-listed vhost of a set of name-based virtual hosts.  Lots of scanners flag this in combination with UseCanonicalName OFF (default) as a problem.

While it's easy for power users to rig a default vhost to catch these things, I think it would help usability to make it a first class directive/feature.

I am not sure if it's better to be something like a list of hostnames that
are VH idependent, or just a flag that says the hosts must match a ServerName/ServerAlias (pushing the handling down into vhost.c).

Probably need to think how an htaccess-only consumer could make use of it. I think this could have an effect on whether the config is always dependent on virtual hosts or not.

Could even be a authz provider that read a note set by vhost.c.