0

On my web server I have a bunch of websites defined using VirtualHosts. Currently if I request a website from my webserver that is not defined as a virtual host, I will get back the first virtual host in the list.

I would like to make it so that any requests that ask for a website not defined in a virtual host will just close the connection, both for HTTP and HTTPS. I imagine this will involve creating default and default-ssl virtual hosts but I am unsure what exactly to put in them.

DanielGibbs

2 Answers

1

Use mod_security to make a 'drop' action rule for any request coming by. This closes the session by sending a FIN packet to the client.

Place your rule in the _default_ virtual host in Apache, which is described here and here.

ErikE
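One way to write the catch-all virtual hosts the answer above describes, as an added example that is not part of the original answer. It assumes ModSecurity 2.x and mod_ssl are loaded; the file name, `ServerName`, certificate paths and rule ids are placeholders.

```apache
# Load this file before every other vhost (for example as 000-catchall.conf):
# in Apache 2.4 the first vhost listed for an address:port is the default
# one, and _default_ behaves like *.

<VirtualHost _default_:80>
    # Placeholder name that no real site uses
    ServerName catchall.invalid

    # No <IfModule> wrapper on purpose: if ModSecurity is missing,
    # Apache refuses to start instead of silently serving content.
    SecRuleEngine On
    # Unconditional rule: close the TCP connection in phase 1
    # (request headers), before any response is generated.
    SecAction "id:1000001,phase:1,drop,nolog"

    # Fallback if the rule engine is ever switched off: answer 403
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost _default_:443>
    ServerName catchall.invalid

    # The TLS handshake completes before ModSecurity sees the request,
    # so this vhost still needs a certificate; a self-signed one works.
    SSLEngine on
    SSLCertificateFile    /path/to/catchall.crt
    SSLCertificateKeyFile /path/to/catchall.key

    SecRuleEngine On
    SecAction "id:1000002,phase:1,drop,nolog"

    <Location "/">
        Require all denied
    </Location>
</VirtualHost>
```

`apachectl -S` lists which virtual host is the default for each address and port, which confirms the catch-all was loaded first.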
-1

Just serve a dummy site with dummy content as the first virtual host, but why? Maybe it is not exactly what you want.

If you really want to close the connection, try iptables. It can control the real connection at the kernel level before Apache gets it.

Check here: https://unix.stackexchange.com/questions/28851/iptables-to-block-https-websites

sio4
  • Oops! I assumed your web server is a Linux-based server. Check for a similar solution for your system. – sio4 Dec 03 '13 at 09:05
  • iptables cannot discern between different domains used to reach the site, which is essential for what was asked here: dropping connection for the default virtual host (with the implication that other virtual hosts do still work, as otherwise the default host part would be irrelevant) – Jasper Nov 14 '20 at 14:55
  • @Jasper, thanks for the comment. However, your comment is not correct. Please check the manual page `iptables-extensions` and search for `string`. There are good examples working with string match, such as logging HTTP requests for a specific URL. – sio4 Nov 21 '20 at 13:28
  • To test this `string` extension, try the following rule from your Linux box. If you run this command, you cannot connect to `example.com` (except for existing sessions). `sudo iptables -I INPUT -m string --string example.com --algo bm -j REJECT` – sio4 Nov 21 '20 at 13:30