If I understand the concept of NameVirtualHost correctly it works by reading the Host variable of every HTTP request and matching it to a ServerName in any active VirtualHost directive with the matching interface and port. If it finds a matching ServerName the content of this VirtualHost is served to the client.
The Host variable can be easily forged by a client. So in the following configuration:

    Listen 80
    NameVirtualHost *:80

    <VirtualHost *:80>
        DocumentRoot /super/secret/files
        ServerName localhost
    </VirtualHost>

    <VirtualHost *:80>
        DocumentRoot /var/www/webserver
        ServerName www.example.org
    </VirtualHost>

a client could simply pass localhost as the value for Host and get access to the secret files. So you can't rely on the ServerName and have to use the Deny (OAD) directives.
- Are these assumptions correct?
- If I protect a VirtualHost example.org/phpmyadmin with OAD the user still gets the 403 Forbidden error. How would I configure apache to not even serve this VirtualHost on non localhost connections? A separate
The Host: header is only checked against VirtualHosts which are listening on the interface/IP address the request came in on. The wildcard means that the virtual host can be used for requests from any interface.
If you don't want people to access the localhost virtual host, then specify its IP addresses explicitly, rather than allowing it to be served from all interfaces:

    <VirtualHost 127.0.0.1:80 [::1]:80>
        ServerName localhost
        ....
P.S. You do need to specify the IPv6 address for localhost, as it is in use on any modern system, and is preferred over IPv4 by default.
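To see why binding the localhost vhost to its loopback addresses closes the hole, here is a small Python model of the selection order the answer describes (an added, constructed example, not Apache's code): first narrow to the vhosts whose address matches the IP:port the connection arrived on, then match Host against ServerName, with the first vhost for that address as the fallback. The 192.0.2.10 public address and the simplified matching rules are assumptions of the model.

```python
# Simplified model of Apache's name-based vhost selection (constructed example,
# not Apache's own code). Assumption: candidates are first narrowed to the
# <VirtualHost> address set matching the IP:port the connection arrived on (an
# explicit IP wins over the wildcard '*'), then Host is compared with ServerName;
# if nothing matches, the first candidate in config order is the default.
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualHost:
    addresses: tuple       # e.g. (("*", 80),) or (("127.0.0.1", 80), ("::1", 80))
    server_name: str
    document_root: str


def _candidates(vhosts, dest_ip, dest_port):
    """Vhosts eligible for a connection that arrived on dest_ip:dest_port."""
    exact = [v for v in vhosts if (dest_ip, dest_port) in v.addresses]
    return exact or [v for v in vhosts if ("*", dest_port) in v.addresses]


def select_vhost(vhosts, dest_ip, dest_port, host_header):
    """Return the VirtualHost that would be served, or None if nothing listens there."""
    candidates = _candidates(vhosts, dest_ip, dest_port)
    if not candidates:
        return None
    # Host may carry a port ("localhost:80"); ServerName comparison is case-insensitive.
    name = host_header.rsplit(":", 1)[0].lower() if host_header else ""
    for v in candidates:
        if v.server_name.lower() == name:
            return v
    return candidates[0]  # no ServerName matched: first vhost on this address wins


# The question's config: both vhosts on *:80, so a forged Host reaches the secret one.
WEAK = (
    VirtualHost((("*", 80),), "localhost", "/super/secret/files"),
    VirtualHost((("*", 80),), "www.example.org", "/var/www/webserver"),
)
# The answer's config: the localhost vhost exists only on the loopback addresses.
FIXED = (
    VirtualHost((("127.0.0.1", 80), ("::1", 80)), "localhost", "/super/secret/files"),
    VirtualHost((("*", 80),), "www.example.org", "/var/www/webserver"),
)
PUBLIC_IP = "192.0.2.10"  # constructed: the server's externally reachable interface


def served_root(config, dest_ip, host_header):
    """DocumentRoot a client gets on port 80 for the given destination IP and Host."""
    v = select_vhost(config, dest_ip, 80, host_header)
    return v.document_root if v else None
```

With the weak config a request on the public address with Host: localhost lands in the secret vhost; with the fixed config the same request only ever sees the www.example.org vhost, because the localhost vhost is not in the candidate set for that interface.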
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.