13

In apache2 by design, any http request with an unknown Host will be directed to the first loaded VirtualHost. Is there a way to disable this feature? Said differently, I want to have a web server where the user may only get to explicitly named VirtualHost definitions. Any other hostname not explicitly mentioned in a ServerName or ServerAlias line should be silently ignored.

Is this possible?

Listen 80
NameVirtualHost *

<VirtualHost _default_:*>
# Anything matching this host should be silently ignored.
</VirtualHost>

<VirtualHost *>
DocumentRoot /www/example1
ServerName www.example.com
</VirtualHost>

<VirtualHost *>
DocumentRoot /www/example2
ServerName www.example.org
</VirtualHost>

Update: As suggested below and elsewhere, silently ignoring a request might not be a good idea and perhaps breaks the RFC's for HTTP. However, since virtual hosts are designed to simulate have multiple separate physical HTTP servers, the silent ignore approach does not seem unreasonable to me. It would be the same as IP-based virtual hosting and firewalling off some of the IPs (perhaps not for all clients).

Harvey
  • 233
  • 1
  • 2
  • 6

4 Answers4

23

Here is an alternate way that does not involve rewrite rules:

<VirtualHost _default_:*>
    <Location />
        Deny from all
        Options None
        ErrorDocument 403 Forbidden.
    </Location>
</VirtualHost>
atomsmith
  • 331
  • 2
  • 2
  • 2
    This should be the accepted solution. +1 – Greg Schmit Jan 02 '17 at 02:31
  • 1
    I'm not clear on this solution. I have several VHOST files and do I just make a new one with this in it? I tried that, and I named the file 001.default.conf but I still have re-directing of my subdomains happening. – Frantumn Jan 20 '18 at 20:01
  • 1
    @Frantumn As noted in the question, "any http request with an unknown Host will be directed to the **first loaded VirtualHost**". This "default" `` must therefore be defined _first_ in the server config. Precisely which file that must be in is dependent on your config. (However, your "redirected subdomains" issue could be an unrelated problem.) – MrWhite Jun 02 '18 at 00:15
  • 2
    Huh. When using other domains that point to my server, it does not do the 403, it just picks the first virtualhost it finds, even though the servername is not a match – jjxtra Jun 01 '19 at 18:56
  • Doesn't work for me. – BjornW Oct 29 '21 at 14:56
5

I'm not sure that "silently failing" is a good idea. You should give the client at least some indication of what happened. Perhaps you could send an http 410 "gone" error. Something like this should do the trick:

RewriteRule ^.*$ - [G]

In addition, you should be able to specify a custom 410 error document, which could just be a blank html page.

EEAA
  • 108,414
  • 18
  • 172
  • 242
  • I ended up discovering this solution on my own as well. You should add lines for loading mod_rewrite and "RewriteEngine On" noting that they may not be necessary. They were for me. :) – Harvey Feb 20 '10 at 16:48
  • 2
    Also, since we're just saying Gone or Forbidden and more importantly, the "-" prevents substitution, the regex can be much simpler: `RewriteRule . - [F]` – Harvey Feb 20 '10 at 16:53
1

this worked for me

<VirtualHost x.x.x.x:80 [x:x::x:x:x:x]:80>
  ServerName myactualservername.com
  ServerAlias *
  <Location />
    Deny from all
    Options None
    ErrorDocument 403 Forbidden.
  </Location>
</VirtualHost>

replace x.x.x.x with your actual ipv4 and ipv6
replace myactualservername.com with an actual website served by the machine

i'm using name based virtual host.
credit for this solution goes to
https://serverfault.com/a/82309/459796

Yashesh Bhatia
  • 21
  • 5
0

I tried all the other answers listed here, and they were inefective at preventing requests via IP.

Instead, I opted to deny everything by default (Require all denied and nothing else as your default security model) and white-listing domains explicitly

<VirtualHost my.domain.com:443>
SkyNT
  • 101