How to disable "Default website for IP address" when it's the only site with that IP?

#1 Sun, 09/26/2010 - 04:04
Joncas

Hello,

Is there any way to turn off the option "Default website for IP address" when there is only one virtual server for a given IP? (the entry in "Website options" is fixed on "yes" with no way to turn it off)

If possible I would like to configure Apache so it doesn't respond to requests when the host name doesn't match the "ServerName" defined in the conf.

The reason is that I'm experiencing a strange behavior: when a request comes in without host name, Apache lists an error in the log for this virtual host:

client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

But I'm running Mod_Security with a rule that is supposed to blacklist any IP requesting "w00tw00t" to get rid of the probe.

The rule works as expected if the request comes with a host name, but Mod_Security seems not to see the request when it comes in via the default way, as if the virtual server's conf directives were not being taken into account when the host name is missing, but the request is handled by it in spite of this, just because it's the only one with that IP ...

Sun, 09/26/2010 - 12:58
andreychek

Howdy,

I unfortunately don't know of a way to do exactly what you're asking... Apache seems to come hard-coded to offer up the first website that shows up in its config if there isn't a host header set.

Two ways around that are:

  1. You could always just create a new "dummy" Virtual Server, and set it as the default. Don't put anything in there except a blank .html page.

  2. You could set up mod_rewrite to look for the HTTP_HOST header, and if it's not set, you could set the request to fail.

    -Eric

Mon, 09/27/2010 - 01:49
Joncas

Hello Eric,

I'll try your first suggestion: maybe if I have a default block with all the IPs, then anything where the host name is missing or doesn't match will go to that one (since it would be listed before the real virtual host).

I was thinking of modifying the sites-available/default:

now it starts with

If I replace that with etc. and added all the ips, then it should catch those when they don't match the servername in their regular virtualhost block, no?

The puzzling thing about it is that Mod-security is already set up to block requests without host header, but somehow Apache isn't passing those requests to Mod-security at all, even though the Mod-security rules are set for phase 1 where they are supposed to be seen even when Apache gives an error ...

Mon, 09/27/2010 - 09:39
andreychek

I've never tried what you suggested before, so I'm not sure if that'll do what you need or not... unless someone else happens to chime in, you'll probably need to experiment a bit with that :-)

As far as your mod_security issue goes... mod_security really should be seeing every incoming request. So it's odd that it's not working for you in some circumstances.

-Eric

Tue, 09/28/2010 - 07:57
Joncas

Hi Eric,

I tried it, and this seems to work ok (in case it's of any use to others):

In Apache's conf file (for Ubuntu that's /etc/apache2/apache2.conf), one has the IPs of the virtual servers:

NameVirtualHost 178.1.1.1:80
NameVirtualHost 178.1.1.2:80 etc.

Each virtual site has a conf file in /etc/apache2/sites-available/ and a symbolic link to that file in /etc/apache2/sites-enabled:

ServerName somesite.com
ServerAlias www.somesite.com
/home/somesite/public_html
.....

ServerName secondsite.com
ServerAlias www.ssecondsite.com
/home/secondsite/public_html
.....

When Apache gets a request with a hostname that matches one of the servernames or serveraliases it gets sent to that virtual server, but when there is a request without hostname or with an invalid hostname, it goes to whichever virtual server is listed first alphabetically, in the /etc/apache2/sites-enabled directory.

So one can create a sort of "catch-all" virtual server to collect all these hack-attempts by making sure it's first alphabetically (for example, call the symbolic link to it /etc/apache2/sites-enabled/001_catch) and listing all the available IPs in its virtualhost block:

ServerName nosite.com
DocumentRoot /var/www

Looking at the Apache access and error logs, I can see that the scanning probes that don't give a host name now go into the directory of the catch-all server where one can therefore use very conservative settings and just put a simple index.html where they cannot access anything sensitive.
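
The selection behaviour described in the post above, as an added example that is not part of the original thread: a simplified Python model of how a request is matched to a name-based virtual host, showing why the catch-all has to sort first and list every IP. The `.conf` file names and the `select_vhost` helper are hypothetical; the model assumes exact `IP:port` matching and does not cover `*:80` style addresses.

```python
from fnmatch import fnmatchcase

# Constructed sample: file name in sites-enabled -> (addresses, ServerName, ServerAliases)
SITES_ENABLED = {
    "secondsite.com.conf": (["178.1.1.2:80"], "secondsite.com", ["www.secondsite.com"]),
    "somesite.com.conf": (["178.1.1.1:80"], "somesite.com", ["www.somesite.com"]),
}
# The catch-all from the post: sorts first and lists every IP.
CATCH_ALL = {"001_catch": (["178.1.1.1:80", "178.1.1.2:80"], "nosite.com", [])}


def select_vhost(sites, local_addr, host_header):
    """Return the file name of the vhost that would handle the request."""
    # Included files are read in alphabetical order, so that is the vhost order.
    candidates = [name for name in sorted(sites) if local_addr in sites[name][0]]
    if not candidates:
        return None  # no vhost bound to this address
    # Host names compare case-insensitively; drop any ":port" suffix.
    host = (host_header or "").split(":")[0].rstrip(".").lower()
    for name in candidates:
        _, server_name, aliases = sites[name]
        names = [server_name.lower()] + [a.lower() for a in aliases]
        # ServerAlias may contain * and ? wildcards.
        if host and any(fnmatchcase(host, pattern) for pattern in names):
            return name
    # Missing or unknown Host: the first vhost listed for this address wins.
    return candidates[0]


def with_catch_all(addresses):
    """Sites plus a catch-all vhost bound to the given addresses."""
    return {**SITES_ENABLED, "001_catch": (addresses, "nosite.com", [])}


if __name__ == "__main__":
    full = {**SITES_ENABLED, **CATCH_ALL}
    for sites, label in ((SITES_ENABLED, "no catch-all"), (full, "with catch-all")):
        for addr in ("178.1.1.1:80", "178.1.1.2:80"):
            print(label, addr, "->", select_vhost(sites, addr, None))
```

A catch-all bound to only one of the addresses leaves the other address falling through to the real site, which is why the post lists all IPs in the catch-all's virtualhost block.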

Thu, 10/07/2010 - 05:04
haydent

It's actually a quite simple setting in Virtualmin to choose the default:

"

The domain that is displayed when you go to the IP address of your server is the default domain... the first one that shows up in Apache.

You can specify which domain is the default by selecting the domain from the drop-down on the top-left, then going into Server Configuration -> Website options, and setting "Default website for IP address" to "Yes".

-Eric

"

http://www.virtualmin.com/node/15576#comment-68306

Wed, 12/26/2012 - 01:46
gyorgy.chityil@...

Thanks Eric. Was looking for this for a while. I was looking with the keywords: default domain, default virtualmin domain or default dns :)
