
Disallow access with no host requested #1743

Closed
utrenkner opened this issue Apr 27, 2018 · 8 comments

Comments

@utrenkner
Contributor

I have several hosts (domains) configured on my server. But sometimes someone (probably a bot) tries just the IP address. In this case, h2o seems to use the first configured host as the default. How can I change this? My goal is for h2o to not respond to a request without a host name (or to answer with a 404).

Of course, I could do this with mruby... but I am sure there is a simpler/cleaner way, e.g. by configuring a fall-back behaviour if no host rule matches.

@ghost

ghost commented Apr 27, 2018

I'm not sure if this is a cleaner way, but my solution was to put a fake entry at the top, which was inspired by "Why setup a 'default blank SSL server'?" at https://calomel.org/nginx.html

# Shared listener definitions (YAML anchors, reused by the host entries below)
listen: &listen80
  port: 80

# Catch-all TLS listener that presents a fake/invalid ("blank") certificate
listen: &listen443_blank
  port: 443
  ssl:
    <<: !file /etc/h2o/default_ssl.conf
    certificate-file: /etc/ssl/h2o/blank.cert.pem
    key-file: /etc/ssl/h2o/blank.key.pem

hosts:
  # Listed first on purpose: h2o falls back to the first host entry when the
  # request's Host / SNI does not match any configured host, so requests that
  # arrive with a bare IP address (or no Host at all) end up here.
  "_:80":
    listen: *listen80
    paths: &paths_blank
      "/":
        # Deny every client except connections from the loopback addresses
        - mruby.handler: |
            acl {
              deny { ! addr.start_with?("127.0.0.1") && ! addr.start_with?("::1") }
            }
        - file.dir: /var/whatever

  "_:443":
    listen: *listen443_blank
    paths: *paths_blank

# The valid domains start from here
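The issue opener mentions that the check "could be done with mruby", and the configuration above shows an mruby ACL keyed on the client address. The following is an added example, not code from this thread or from the h2o project: a Rack-style handler of the kind h2o's mruby.handler accepts, which keys on the Host header instead and answers 404 unless the request names one of the sites this server actually serves, so an IP-only probe no longer lands on the first configured host. It is written in plain Ruby without stdlib requires so it runs stand-alone here; the host list, helper names, status choice and sample requests are assumptions made for the example. The "allowed" branch relies on h2o's documented convention that an mruby handler returning status 399 hands the request on to the next handler in the same path.

```ruby
# Added example (not from the issue or from h2o): reject requests whose Host
# header is missing, is an IP literal, or names a host we do not serve.
# Everything below (allowed hosts, helper names, sample env hashes) is an
# assumption for the example, not h2o's own API beyond the Rack-style env and
# the 399 "pass to next handler" status.

PASS_THROUGH = 399  # h2o: continue with the next handler (file.dir, proxy, ...)

# Canonical form of a Host header value: lower-case, port removed, trailing
# dot removed. Returns nil when the header is absent or blank (HTTP/1.0 clients).
def canonical_host(raw)
  return nil if raw.nil? || raw.strip.empty?
  h = raw.strip.downcase
  if h.start_with?("[")
    close = h.index("]")
    h = close ? h[0..close] : h      # bracketed IPv6 literal, port stripped
  else
    h = h.split(":", 2)[0]           # name:port -> name
  end
  h = h.chomp(".")
  h.empty? ? nil : h
end

# True when the canonical host is an IP literal rather than a DNS name.
def ip_literal?(host)
  return true if host.start_with?("[")   # IPv6 literals are bracketed in Host
  parts = host.split(".", -1)
  parts.length == 4 && parts.all? do |p|
    !p.empty? && p.length <= 3 &&
      p.each_char.all? { |c| c >= "0" && c <= "9" } && p.to_i <= 255
  end
end

# Why a request would be rejected (or :allowed); handy for an access-log note.
def classify(host_header, allowed)
  host = canonical_host(host_header)
  return :missing if host.nil?
  return :ip_literal if ip_literal?(host)
  allowed.include?(host) ? :allowed : :unknown_host
end

# Build the handler to assign to mruby.handler. allowed: hostnames served here.
def build_host_guard(allowed, status = 404)
  allowed_set = allowed.map { |h| canonical_host(h) }.compact
  Proc.new do |env|
    if classify(env["HTTP_HOST"], allowed_set) == :allowed
      [PASS_THROUGH, {}, []]
    else
      [status, { "content-type" => "text/plain; charset=utf-8" }, ["not found\n"]]
    end
  end
end

# Status the guard gives a constructed request carrying the given Host value
# (nil means the header is absent). Used for local testing of the handler.
def status_for(handler, host_header)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/", "REMOTE_ADDR" => "198.51.100.7" }
  env["HTTP_HOST"] = host_header unless host_header.nil?
  handler.call(env)[0]
end

if __FILE__ == $0
  guard = build_host_guard(%w[example.com www.example.com])
  [nil, "example.com", "WWW.Example.com:443", "203.0.113.10",
   "[2001:db8::1]:8443", "evil.example.net"].each do |h|
    puts "Host: #{h.inspect} -> #{status_for(guard, h)}"
  end
end
```

Placed as the first handler under "/" of the catch-all host (or of every host, with its own list), the guard answers the requests the opener wants to refuse and lets the rest fall through to file.dir. Note that it only covers the HTTP layer: a TLS client that sends no SNI still completes the handshake against whatever certificate the listener presents before this code runs.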

@proyb6
Contributor

proyb6 commented Apr 27, 2018

@Csmk I have tried with your code and got a "Forbidden" error page displayed in Google Chrome.

Access log shown:

123.123.123.123 - - [27/Apr/2018:12:59:00 +0000] "GET / HTTP/2" 403 9 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"

@ghost

ghost commented Apr 27, 2018

@proyb6 could you paste a snippet of your config?

Well, "Forbidden" is the intended error if you haven't configured any valid domain.

@proyb6
Contributor

proyb6 commented Apr 27, 2018

I have accessed using IP address. It worked as intended by using domain name.

@utrenkner
Contributor Author

@Csmk Thanks, works fine... Still: if anybody has a simpler solution, e.g. without mruby, I would like to know about it.

@ghost

ghost commented Apr 28, 2018

"If anybody has a simpler solution, e.g. without mruby"

I found a workaround: in my example above, remove the mruby part and point file.dir: to an empty directory to which the user running H2O doesn't have access. H2O's response will be 403.

@proyb6
Contributor

proyb6 commented Apr 28, 2018

I think a simple solution could be on the firewall or iptables side?

@utrenkner
Contributor Author

Thanks again, @Csmk. This looks like a reasonable approach to get by without mruby.

@proyb6 A typical firewall like iptables just looks at the packets (from which IP, to which IP, which ports, which protocol), but does not look into the content of the HTTP traffic. With HTTPS it could not even look into the details, even if it wanted to. Therefore, this does not seem like a workable solution.
