apache2 - security concern - no virtual host for specific domain - security

Can it be dangerous to let domains be linked to your apache2 without a virtualhost to catch them? Is it possible to configure apache to reject unknown domains?
Ex.: a domain is not referenced in a virtual host, therefore when apache2 answers it, it takes the first virtualhost referenced on the server.
In the same way, when we enter the IP address of the server, the first VH is taken to answer the request.

Generally I would not consider it "dangerous", it more comes down to how do you want your server to behave. Personally, unless there is a reason not to do so, I always block unknown domains.
Apache can reject undefined domains by simply putting a "catch all" domain at the top of the virtual hosts configuration file (or, in case you are using multiple conf files, in the alphabetically first file), and configuring that domain to unconditionally respond with 403 (or you can configure any other response you find suitable):
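<VirtualHost *:80>
    ServerName default
    # mod_rewrite ignores RewriteRule unless the engine is enabled in this vhost
    RewriteEngine On
    # Answer every request that reaches this vhost with 403 Forbidden
    RewriteRule ^ - [F]
</VirtualHost>
<VirtualHost *:80>
    ServerName example.com
    # ...
</VirtualHost>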

Related

VirtualHost not redirecting

I am trying to redirect http://eamondev.com:3000 to https://omniatm.eamondev.com with a VirtualHost. I am using node to serve a site to http://eamondev.com:3000. I am using vhost with node like this:
app.use(vhost('omniatm.eamondev.com', express.static('/')));
I have never used vhost and it took me a while to figure this out without having to split up all my code like I was working with more than one site (when I am not), so I'm not sure if it is exactly how it should be for an Apache redirect to work.
In my apache conf file I have:
<VirtualHost *:80>
    ServerName omniatm.eamondev.com
    ProxyPreserveHost on
    ProxyPass / http://localhost:3000/
</VirtualHost>
I am also using WHM on a VPS, I'm not sure if this is relevant or not, but the ServerName (with protocol, what I type into the browser) needs to be https://omniatm.eamondev.com.
I cannot serve node on port 80 of my server (and then redirect to subdomain) because my main site (http://eamondev.com) is running on port 80.
I have referenced most of the stackoverflow questions about this and nothing has worked. I should mention (although I'm not sure exactly how it is relevant, I just saw it in a stackoverflow question I looked at), my hosting support (bluehost) used WHM to set things up with a wildcard ssl certificate to make the omniatm.eamondev.com subdomain https.
How do I redirect http://eamondev.com:3000 to https://omniatm.eamondev.com using apache (or vhost)?
Proxy passing as given in the question will not do any redirects; instead it will retain the URL as such and proxy the content from elsewhere. In Apache configuration, we have an option to do redirects. In the sample below, we are checking for the host and, based on it, issuing a redirect to the desired URL:
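<VirtualHost *:80>
    ServerName omniatm.eamondev.com
    # Trailing slash on the target: Redirect appends the rest of the path to it
    Redirect / https://omniatm.eamondev.com/
    <If "%{HTTP_HOST} != 'eamondev.com:3000'">
        # RedirectMatch, not Redirect: only RedirectMatch accepts a regex and $1
        RedirectMatch "^/?(.*)" "https://omniatm.eamondev.com/$1"
    </If>
</VirtualHost>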

iptables drop host domain not in list

I would like to block any traffic that does not come for the websites hosted on my VPC.
My Server's IP address is 1.2.3.4 which hosts 3 websites.
Following requests should be allowed:
http:// example1.com or https:// www.example1.com
http:// example2.com/ or https:// www.example2.com
http:// example3.com/ or https:// www.example3.com
Following requests should be blocked (including server's IP address):
http: //1.2.3.4/ or https:// 1.2.3.4/
http:// anyotherdomain.com/ or https:// anyotherdomain.com/
List of allowed Host names could be read from a text file which I could update as and when required.
Is this feasible? If yes, what are the pros and cons. If not, thank you for the information.
Cheers
You can't do that in iptables as you would like to.
What you have aren't 3 real different hosts, but 3 virtual hosts: the main difference, as you already know, is that they share the same IP address.
As they share the same IP, kernel's netfilter just can't distinguish different requests from its layer: it's your web server application itself that "routes" the different requests to its proper website by looking at the "Host:" header inside the incoming HTTP packet and by determining which virtualhost should reply to it.
A good compromise (denying instead of dropping) for what you want to do would be to set up a configuration in your web server to make it catch and deny any connection that doesn't belong to your virtual hosts. Also there's no need to make a different list in this way, as your web server could dynamically determine if the requested host exists or not.
Here's an example, assuming you're running Apache, adding the catchall sentence to the top will make your server respond with a 403 message to any connection that won't be overridden by your examples.com websites:
<VirtualHost *:80>
    ServerName catchall
    <Location />
        Order allow,deny
        Deny from all
    </Location>
</VirtualHost>
<VirtualHost *:80>
    ServerName example1.com
    DocumentRoot /var/www/example1
    <Directory /var/www/example1>
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
...
VirtualHost for example2.com (allowing all as above)
VirtualHost for example3.com (allowing all as above)
That's not the same as dropping right from the kernel of course, but it stops any further interaction with your server as well.
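The catch-all approach from the first answer and from the answer above, extended to HTTPS and written in Apache 2.4 syntax, as an added example that is not part of either original answer. The certificate paths, the `catchall.invalid` name and the `000-catchall.conf` file name are placeholder assumptions.

```apache
# Added example. Assumes Apache 2.4 with mod_ssl loaded, and that this file
# sorts before every other vhost file (for instance 000-catchall.conf) so
# each block below is the first vhost defined for its port.

# Plain HTTP: a Host header (or bare IP) that matches no ServerName or
# ServerAlias is answered by the first *:80 vhost, which denies everything.
<VirtualHost *:80>
    ServerName catchall.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# HTTPS: without this block, unknown names and https://1.2.3.4/ are served
# by the first *:443 vhost, which would be one of the real sites.
<VirtualHost *:443>
    ServerName catchall.invalid
    SSLEngine on
    # Placeholder self-signed certificate that names none of the real sites
    SSLCertificateFile    /etc/ssl/certs/catchall-selfsigned.pem
    SSLCertificateKeyFile /etc/ssl/private/catchall-selfsigned.key
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# Real sites follow; list every name each one should answer to.
<VirtualHost *:443>
    ServerName example1.com
    ServerAlias www.example1.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example1.pem
    SSLCertificateKeyFile /etc/ssl/private/example1.key
    DocumentRoot /var/www/example1
    <Directory /var/www/example1>
        Require all granted
    </Directory>
</VirtualHost>

# Checks after a reload (1.2.3.4 is the server IP used in the question):
#   apachectl -S     lists the vhosts and the default server per address:port
#   curl -s  -o /dev/null -w '%{http_code}\n' http://1.2.3.4/     expect 403
#   curl -sk -o /dev/null -w '%{http_code}\n' https://1.2.3.4/    expect 403
```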

How to access to site by 2 address

I have a site now with address https://example.com/. How to make possible access to this site also by address https://example.com.html? What to write in htaccess?
What to write in htaccess?
Nothing special.
The question is not what to write but what to not write in .htaccess. And the answer is: do not write anything that links the site to one of its names (example.com or example.com.html). The same applies to the PHP source or configuration files.
The rest is just proper names registration, nameserver and Apache configuration.
Regarding the configuration of Apache, let's say the IP address of your web server is 1.2.3.4. The Apache configuration file (httpd.conf, for example) now contains something similar to this:
<VirtualHost 1.2.3.4:80>
    ServerName example.com
    DocumentRoot "/www/docs/example.com"
    # Other configuration directives for domain example.com
</VirtualHost>
In order to let Apache know the domain example.com.html is the same as example.com you can add a ServerAlias to the <VirtualHost> block:
<VirtualHost 1.2.3.4:80>
    ServerName example.com
    ServerAlias example.com.html
    DocumentRoot "/www/docs/example.com"
    # Other configuration directives for domain example.com
</VirtualHost>
Assuming you already have the name and the name servers are properly configured to point to your existing server, restart Apache and it should work.
Read more about <VirtualHost> and ServerAlias

Why use <VirtualHost> if you have only 1 domain name for the server ? But why can't "ServerAlias" be used w/o a <VirtualHost>

Okay so... I tried using
ServerName something.ooo
ServerAlias www.something.ooo
but it appears..
you can not use ServerAlias unless it is used within a
<VirtualHost *:80>
</VirtualHost>
Why is it like that?
What happens if the server is used only with 1 domain name and thus there is no need for "VIRTUAL" things. such as "VIRTUALHOSTS" ?
VirtualHost is designed to be used with multiple sites, however, when using an alias, Apache is assuming that you have example.com, and are wanting widget.example.com. With that said, just because it's only a www, does not mean that Apache doesn't see those as "separated" domains, thus needing a VirtualHost tag.
This is why you can use ServerName, but can't use ServerAlias without VirtualHost. WWW and non-www are separated domains.

Apache default virtual host for multiple domains

I have, for example, site1.com and site2.com, configured with their own virtual hosts in their own files in Apache's enabled and available folders, in their own physical folders on the server and with different .htaccess files, and they are working fine. Now I want all the other domains that are not separately configured (for example site3.com, site4.com ....) to have one same virtual host, same physical folder, and to execute the same /folder1/folder2/index.php file. So far, I've made some virtual hosts but all I get is "It's working", probably because everything is redirected from the default virtual host to the /var/www. But if I set the DocumentRoot directive in that file, the .htaccess for some reason is not working, and I said that for the defined sites it is working OK. What should the virtual host file be called, and what should its content be?
You can define a VirtualHost container that has as many ServerAlias entries as you need.
Here's a very simplified example:
<VirtualHost *>
    ServerName site3.com
    ServerAlias site4.com
    DocumentRoot /var/www/folder1/folder2
</VirtualHost>
If you've already tried creating vhost files, have you restarted apache?
Where to put the vhost files depends on what distro you're using. If you're not familiar with where stuff goes on your distro, check http://wiki.apache.org/httpd/DistrosDefaultLayout.
