15

In apache2 by design, any http request with an unknown Host will be directed to the first loaded VirtualHost. Is there a way to disable this feature? Said differently, I want to have a web server where the user may only get to explicitly named VirtualHost definitions. Any other hostname not explicitly mentioned in a ServerName or ServerAlias line should be silently ignored.

Is this possible?

Listen 80 NameVirtualHost * <VirtualHost _default_:*> # Anything matching this host should be silently ignored. </VirtualHost> <VirtualHost *> DocumentRoot /www/example1 ServerName www.example.com </VirtualHost> <VirtualHost *> DocumentRoot /www/example2 ServerName www.example.org </VirtualHost>

Update: As suggested below and elsewhere, silently ignoring a request might not be a good idea and perhaps breaks the RFC's for HTTP. However, since virtual hosts are designed to simulate have multiple separate physical HTTP servers, the silent ignore approach does not seem unreasonable to me. It would be the same as IP-based virtual hosting and firewalling off some of the IPs (perhaps not for all clients).

Improve this question

5 Answers 5

Reset to default
6

I'm not sure that "silently failing" is a good idea. You should give the client at least some indication of what happened. Perhaps you could send an http 410 "gone" error. Something like this should do the trick:

RewriteRule ^.*$ - [G]

In addition, you should be able to specify a custom 410 error document, which could just be a blank html page.

Improve this answer
2
  • I ended up discovering this solution on my own as well. You should add lines for loading mod_rewrite and "RewriteEngine On" noting that they may not be necessary. They were for me. :) Commented Feb 20, 2010 at 16:48
  • 2
    Also, since we're just saying Gone or Forbidden and more importantly, the "-" prevents substitution, the regex can be much simpler: RewriteRule . - [F] Commented Feb 20, 2010 at 16:53
26

Here is an alternate way that does not involve rewrite rules:

<VirtualHost _default_:*> <Location /> Deny from all Options None ErrorDocument 403 Forbidden. </Location> </VirtualHost>
Improve this answer
5
  • 2
    This should be the accepted solution. +1 Commented Jan 2, 2017 at 2:31
  • 1
    I'm not clear on this solution. I have several VHOST files and do I just make a new one with this in it? I tried that, and I named the file 001.default.conf but I still have re-directing of my subdomains happening. Commented Jan 20, 2018 at 20:01
  • 1
    @Frantumn As noted in the question, "any http request with an unknown Host will be directed to the first loaded VirtualHost". This "default" <VirtualHost> must therefore be defined first in the server config. Precisely which file that must be in is dependent on your config. (However, your "redirected subdomains" issue could be an unrelated problem.) Commented Jun 2, 2018 at 0:15
  • 2
    Huh. When using other domains that point to my server, it does not do the 403, it just picks the first virtualhost it finds, even though the servername is not a match Commented Jun 1, 2019 at 18:56
  • Doesn't work for me. Commented Oct 29, 2021 at 14:56
1

this worked for me

<VirtualHost x.x.x.x:80 [x:x::x:x:x:x]:80> ServerName myactualservername.com ServerAlias * <Location /> Deny from all Options None ErrorDocument 403 Forbidden. </Location> </VirtualHost>

replace x.x.x.x with your actual ipv4 and ipv6
replace myactualservername.com with an actual website served by the machine

i'm using name based virtual host.
credit for this solution goes to
https://serverfault.com/a/82309/459796

Improve this answer
0

I tried all the other answers listed here, and they were inefective at preventing requests via IP.

Instead, I opted to deny everything by default (Require all denied and nothing else as your default security model) and white-listing domains explicitly

<VirtualHost my.domain.com:443>
Improve this answer
0

I'm hosting multiple virtual sites and as you said, I also don't want any response on IP's I don't have an actual site on. I changed my /etc/apache2/ports.conf file by commenting out the existing Listen on 80 and 443 ports and now ONLY listen on the ip's and ports desired. (As a precaution, I commented out what existed prior to my change so I can easily revert if I find an issue with this)

#commented out the Listen 80 not associated with a specific IP #Listen 80 # repeated the Listen for port 80 and 443 for each site I'm hosting. Listen xxx.xxx.xxx.xxx:80 Listen xxx.xxx.xxx.xxx:443 #commented out the Listen 443 not associated with a specific IP #<IfModule ssl_module> # Listen 443 #</IfModule> #<IfModule mod_gnutls.c> # Listen 443 #</IfModule>
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.