15

In apache2 by design, any http request with an unknown Host will be directed to the first loaded VirtualHost. Is there a way to disable this feature? Said differently, I want to have a web server where the user may only get to explicitly named VirtualHost definitions. Any other hostname not explicitly mentioned in a ServerName or ServerAlias line should be silently ignored.

Is this possible?

Listen 80
NameVirtualHost *

<VirtualHost _default_:*>
# Anything matching this host should be silently ignored.
</VirtualHost>

<VirtualHost *>
DocumentRoot /www/example1
ServerName www.example.com
</VirtualHost>

<VirtualHost *>
DocumentRoot /www/example2
ServerName www.example.org
</VirtualHost>

Update: As suggested below and elsewhere, silently ignoring a request might not be a good idea and perhaps breaks the RFC's for HTTP. However, since virtual hosts are designed to simulate have multiple separate physical HTTP servers, the silent ignore approach does not seem unreasonable to me. It would be the same as IP-based virtual hosting and firewalling off some of the IPs (perhaps not for all clients).

Harvey
  • 253

5 Answers5

26

Here is an alternate way that does not involve rewrite rules:

<VirtualHost _default_:*>
    <Location />
        Deny from all
        Options None
        ErrorDocument 403 Forbidden.
    </Location>
</VirtualHost>
atomsmith
  • 361
6

I'm not sure that "silently failing" is a good idea. You should give the client at least some indication of what happened. Perhaps you could send an http 410 "gone" error. Something like this should do the trick:

RewriteRule ^.*$ - [G]

In addition, you should be able to specify a custom 410 error document, which could just be a blank html page.

EEAA
  • 110,608
1

this worked for me

<VirtualHost x.x.x.x:80 [x:x::x:x:x:x]:80>
  ServerName myactualservername.com
  ServerAlias *
  <Location />
    Deny from all
    Options None
    ErrorDocument 403 Forbidden.
  </Location>
</VirtualHost>

replace x.x.x.x with your actual ipv4 and ipv6
replace myactualservername.com with an actual website served by the machine

i'm using name based virtual host.
credit for this solution goes to
https://serverfault.com/a/82309/459796

Yashesh Bhatia
  • 21
0

I tried all the other answers listed here, and they were inefective at preventing requests via IP.

Instead, I opted to deny everything by default (Require all denied and nothing else as your default security model) and white-listing domains explicitly

<VirtualHost my.domain.com:443>
SkyNT
  • 101
0

I'm hosting multiple virtual sites and as you said, I also don't want any response on IP's I don't have an actual site on. I changed my /etc/apache2/ports.conf file by commenting out the existing Listen on 80 and 443 ports and now ONLY listen on the ip's and ports desired. (As a precaution, I commented out what existed prior to my change so I can easily revert if I find an issue with this)

#commented out the Listen 80 not associated with a specific IP
#Listen 80

repeated the Listen for port 80 and 443 for each site I'm hosting.


Listen xxx.xxx.xxx.xxx:80
Listen xxx.xxx.xxx.xxx:443


#commented out the Listen 443 not associated with a specific IP
#<IfModule ssl_module>


Listen 443


#</IfModule>


#<IfModule mod_gnutls.c>


Listen 443


#</IfModule>
cs1
  • 1