
I was wondering if I would be able to harden my Apache configuration in such a way that it would only respond to one of its actual vhost configurations (e.g. https://myhost.example.com/) and make it unresponsive to anything but that.

Currently every connection based on IP-address made to the webserver will actually respond with the vhost SSL-certificate (or a dummy), which is of course total nonsense.

However, every site I tested (e.g. https://192.168.0.1:8443/) will respond. Sometimes (in production online) with a default Apache page, others with the actual website (depending on their actual config).

Looking at the manual https://httpd.apache.org/docs/2.4/bind.html there seems no way to configure it.

My current demo config:

Listen 192.168.0.1:8443 https
Listen [fe80::1]:8443 https

<VirtualHost myhost.example.com:8443>
    DocumentRoot "/www/myhost.example.com"
    ServerName myhost.example.com
</VirtualHost>

If it is actually possible in another webserver or with some firewall-configuration or so, that would also be of great interest.

William Jozef
  • You don't connect to a vhost, you connect to an IP address and then say what vhost you want. So it's not possible to do what you want. – wurtel Aug 06 '19 at 13:00
  • I am not into Apache very much, but can't you create a default vHost which might return 404 and a _dummy_ certificate? By doing so you at least could masquerade the SNI your server is to listen for. – Kevin K. Aug 06 '19 at 13:27
  • Otherwise you could load the [xt_tls extension for netfilter/iptables from GitHub](https://github.com/Lochnair/xt_tls) and have your iptables allow _myhost.example.com_ as an SNI first and block all other SNI coming in on your IPs. – Kevin K. Aug 06 '19 at 13:30

0 Answers