БэФ블로그

Entries tagged as apache

Related tags

Saturday, May 9. 2009

VirtualDocumentRoot and ImaginaryProtection

Apache's mod_vhost_alias provides a neat little feature for easing up virtual host configurations:
This module creates dynamically configured virtual hosts, by allowing the IP address and/or the Host: header of the HTTP request to be used as part of the pathname to determine what files to serve.

Now suppose the following not so uncommon scenario: Two IP addresses share the same host - let's say 10.0.0.10 and 10.0.0.11. One IP is meant for production services, the other IP may be totally unrelated. However, both IPs are configured for named virtual hosts with overlapping wildcards and share the same VirtualDocumentRoot:




NamedVirtualHost 10.0.0.10:80
NamedVirtualHost 10.0.0.11:80

<VirtualHost 10.0.0.10:80>
        ServerName www.foo.bar
        ServerAlias *.foo.bar
        VirtualDocumentRoot /var/www/%0
</VirtualHost>
<VirtualHost 10.0.0.11:80>
        ServerName beta.foo.bar
        ServerAlias *.foo.bar
        VirtualDocumentRoot /var/www/%0
        <Location "/protected/">
                Order deny,allow
                Deny from all
        </Location>
</VirtualHost>
 

Our second virtualhost beta.foo.bar blocks access to /protected/ - the first virtualhost has no such protection. Let's check out beta's protection manually:




$ telnet 10.0.0.11 80
Trying 10.0.0.11...
Connected to 10.0.0.11.
Escape character is '^]'.
GET /protected/ HTTP/1.1
Host: beta.foo.bar

HTTP/1.1 403 Forbidden
Date: Sat, 09 May 2009 15:25:38 GMT
Server: Apache/2.2.11 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 290
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /protected/
on this server.</p>
<hr>
<address>Apache/2.2.11 (Ubuntu) Server at beta.foo.bar Port 80</address>
</body></html>
Connection closed by foreign host.
 


Now, just for fun, the very same request goes to the other IP:




# telnet 10.0.0.10 80
Trying 10.0.0.10...
Connected to 10.0.0.10.
Escape character is '^]'.
GET /protected/ HTTP/1.1
Host: beta.foo.bar

HTTP/1.1 200 OK
Date: Sat, 09 May 2009 15:23:22 GMT
Server: Apache/2.2.11 (Ubuntu)
Last-Modified: Sat, 09 May 2009 14:48:32 GMT
ETag: "e8127-1c-4697bd6c57000"
Accept-Ranges: bytes
Content-Length: 28
Vary: Accept-Encoding
Content-Type: text/html

secrets all over this page.
...and ponies.
Connection closed by foreign host.
 


Please, keep that in mind when rolling out VirtualDocumentRoots on more than one IP with overlapping wildcard hostnames.
Posted by
БэФ
in Security at 17:39 | Comments (0) | Trackbacks (0)
Defined tags for this entry: , ,
(Page 1 of 1, totaling 1 entries)

Calendar

Back September '10
Mo Tu We Th Fr Sa Su
Wednesday, September 8. 2010
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30      

Quicksearch

Archives

Categories



All categories

Links

Syndicate This Blog

Choose Language