
List:       apache-httpd-users
Subject:    [users@httpd]  Re: Apache httpd does not respect the HTTP RFCs   !
From:       Carsten Wiedmann <carsten_sttgt () gmx ! de>
Date:       2009-11-30 20:10:59
Message-ID: hf18si$bgp$1 () ger ! gmane ! org

André Warnier wrote:
> But it is interesting to see how in the end, a document such as RFC2616
> which is meant to "specify" a relatively strict set of rules, and of
> which I am sure the phrasing is examined carefully and repeatedly (it
> being after all a revision of an earlier document on the same topic),
> still leaves areas open to interpretation, or downright inconsistent.
> What is for example, in this case, a hostname which is /invalid/ on this
> host ?
> If the request reached this host, then it must be that for the DNS
> system, the hostname resolved to one of this physical host's IP
> addresses.  In that sense, any HTTP request which reaches the host could
> be deemed to address a valid hostname.

Yes and no. It's always up to the server (or server admin) whether it
accepts a given hostname or not. But if it does not accept a hostname, it
must return a 400.

Well, there is no directive in Apache httpd to enable such strict hostname
tests, and Apache always accepts all hostnames and routes them to the
default (v)host. That's the reason I always use the name-based vhosts from
my last post, even though I normally only want to have an IP-based vhost
(or no vhosts at all).

BTW: If you want/must deal with IPs in the URIs, just add the IP for that
vhost as ServerAlias to the first regular VirtualHost block.

Regarding DNS:
Well, a normal browser asks a DNS server for the IP, then connects to that
IP and uses the server name from the URI for the Host header.

Example:
URI: http://www.apache.org/ (nslookup: 192.87.106.226)
| telnet 192.87.106.226 80
| GET / HTTP/1.1
| Host: www.apache.org
|

That's what a normal browser is doing. Well, apache.org also accepts all
hostnames, and so the next example shows the same homepage:
URI: http://www.apache.org/ (nslookup: 192.87.106.226)
telnet 192.87.106.226 80
| GET / HTTP/1.1
| Host: www.microsoft.com
|

Well, I don't want this to happen on my servers, and with a name-based
vhost, a Perl script and a RewriteRule I have the behavior I want: an error
400 in this case. Also, Apache now only accepts a defined
ServerName/ServerAlias, and not all requests which are possible with a
wildcard DNS entry. But be careful with *.foo.com in ServerAlias.

Regards,
Carsten


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
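
A check for the behaviour discussed in the message above, as an added example that is not part of the original post or of Apache httpd: a probe sends the same request as the telnet sessions with a chosen Host header and reports the status code, run here against a local stand-in server that answers 400 for names outside an allowlist. The hostnames, `ALLOWED_HOSTS`, `probe`, `audit` and `run_demo` are assumptions made for this example.

```python
import http.server
import socket
import threading

# Constructed allowlist; stands in for the ServerName/ServerAlias values of a vhost.
ALLOWED_HOSTS = {"www.example.test"}

class StrictHostHandler(http.server.BaseHTTPRequestHandler):
    """Local stand-in server: 200 for an allowed Host header, 400 otherwise."""
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        # Drop an optional :port suffix and compare case-insensitively.
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        status, body = (200, b"ok\n") if host in ALLOWED_HOSTS else (400, b"bad host\n")
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet

def probe(addr, port, host_header):
    """Connect to addr:port, send GET / with the given Host header, return the status code."""
    request = f"GET / HTTP/1.1\r\nHost: {host_header}\r\nConnection: close\r\n\r\n"
    data = b""
    with socket.create_connection((addr, port), timeout=5) as sock:
        sock.sendall(request.encode("ascii"))
        while chunk := sock.recv(4096):  # server closes after one response
            data += chunk
    status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return int(status_line.split()[1])

def audit(addr, port, expected_host, foreign_host):
    """Status per Host header; a strict server gives 200 for the first, 400 for the second."""
    return {h: probe(addr, port, h) for h in (expected_host, foreign_host)}

def run_demo():
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), StrictHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit("127.0.0.1", server.server_address[1],
                     "www.example.test", "other.example.test")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

Pointed at a server you administer, `audit` returning 200 for both names means unknown hostnames fall through to the default vhost, which is the behaviour the message describes.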
