Security of NameVirtualHost in regard to HTTP request forgery

problemofficer asked:

If I understand the concept of NameVirtualHost correctly it works by reading the Host variable of every HTTP request and matching it to a ServerName in any active VirtualHost directive with the matching interface and port. If it finds a matching ServerName the content of this VirtualHost is served to the client.

The Host variable can be easily forged by a client. So in the following configuration:

Listen 80
NameVirtualHost *:80

<VirtualHost *:80>
    DocumentRoot /super/secret/files
    ServerName localhost
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot /var/www/webserver
    ServerName www.example.org
</VirtualHost>

a client could simply pass localhost as the value for Host and get access to the secret files. So you can’t rely on the ServerName and have to use the Order,Allow,Deny (OAD) directives.

  1. Are these assumptions correct?
  2. If I protect a VirtualHost example.org/phpmyadmin with OAD the user still gets the 403 Forbidden error. How would I configure Apache to not even serve this VirtualHost on non-localhost connections? A separate <NameVirtualHost localhost:80> maybe?

My answer:


The Host: header is only checked against VirtualHosts which are listening on the interface/IP address the request came in on. The wildcard means that the virtual host can be used for requests from any interface.

If you don’t want people to access the localhost virtual host, then specify its IP addresses explicitly, rather than allowing it to be served from all interfaces:

<VirtualHost 127.0.0.1:80 [::1]:80>
    ServerName localhost
    ....

P.S. You do need to specify the IPv6 address for localhost, as it is in use on any modern system, and is preferred over IPv4 by default.
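The matching order described in the answer, as an added example (not part of the original question or answer, and not Apache's own code): a simplified Python model of virtual-host selection, run against the question's wildcard configuration and the answer's loopback-bound one. It assumes every vhost listens on port 80 and ignores ServerAlias; the public address is a constructed value.

```python
# Simplified model of Apache virtual-host selection (added illustration).
# Assumptions: every vhost listens on port 80; ServerAlias is not modelled.
from typing import NamedTuple, Optional

class VHost(NamedTuple):
    addrs: tuple       # addresses in <VirtualHost ...>; "*" is the wildcard
    server_name: str
    docroot: str

def host_name(header: str) -> str:
    """Lower-case the Host header value and drop an optional :port."""
    h = header.strip().lower()
    if h.startswith("["):                  # IPv6 literal such as [::1]:80
        return h.partition("]")[0] + "]"
    return h.split(":", 1)[0]

def select_vhost(vhosts, local_ip: str, host_header: str) -> Optional[VHost]:
    """Return the vhost serving a request that arrived on local_ip."""
    # Step 1: address match. Vhosts bound to the exact local IP win;
    # wildcard vhosts are considered only when no exact binding exists.
    candidates = [v for v in vhosts if local_ip in v.addrs]
    if not candidates:
        candidates = [v for v in vhosts if "*" in v.addrs]
    if not candidates:
        return None                        # main server config would answer
    # Step 2: the client-supplied Host is compared only within that set.
    name = host_name(host_header)
    for v in candidates:
        if v.server_name.lower() == name:
            return v
    # Step 3: no ServerName matched, so the first listed candidate is used.
    return candidates[0]

PUBLIC_IP = "203.0.113.10"   # constructed address (documentation range)
QUESTION = [VHost(("*",), "localhost", "/super/secret/files"),
            VHost(("*",), "www.example.org", "/var/www/webserver")]
ANSWER = [VHost(("127.0.0.1", "::1"), "localhost", "/super/secret/files"),
          VHost(("*",), "www.example.org", "/var/www/webserver")]

if __name__ == "__main__":
    probes = ((PUBLIC_IP, "localhost"), (PUBLIC_IP, "nonexistent.invalid"),
              ("127.0.0.1", "localhost"), ("::1", "localhost"))
    for label, conf in (("question", QUESTION), ("answer", ANSWER)):
        for ip, host in probes:
            v = select_vhost(conf, ip, host)
            print(f"{label:8} local_ip={ip:13} Host={host:20} -> {v.docroot}")
```

In the question's layout the localhost vhost is also the first one listed, so it is the fallback for any unrecognised Host value on the wildcard address, not only for a forged `localhost`.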


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.