Disallow access with no host requested #1743
I'm not sure if this is a cleaner way, but my solution was to put a fake entry at the top, which was inspired by "Why setup a 'default blank SSL server'?" at https://calomel.org/nginx.html

```yaml
listen: &listen80
  port: 80
# fake/invalid cert
listen: &listen443_blank
  port: 443
  ssl:
    <<: !file /etc/h2o/default_ssl.conf
    certificate-file: /etc/ssl/h2o/blank.cert.pem
    key-file: /etc/ssl/h2o/blank.key.pem
hosts:
  # catch-all host: denies every client except loopback
  "_:80":
    listen: *listen80
    paths: &paths_blank
      "/":
        - mruby.handler: |
            acl {
              deny { ! addr.start_with?("127.0.0.1") && ! addr.start_with?("::1") }
            }
        - file.dir: /var/whatever
  "_:443":
    listen: *listen443_blank
    paths: *paths_blank
  # The valid domains start from here
```
@Csmk I have tried your code and got a "Forbidden" error page in Google Chrome. Access log shown:

@proyb6 could you paste a snippet of your config? Well, "Forbidden" is the intended error if you haven't configured any valid domain.

I have accessed using the IP address. It worked as intended when using the domain name.

@Csmk Thanks, works fine... Still: if anybody has a simpler solution, e.g. without mruby, I would like to know about it.

I found a workaround, in my example above, remove the mruby part and point the

I think a simple solution could be on the firewall or iptables side?

Thanks again, @Csmk. This looks like a reasonable approach to get away without mruby. @proyb6 A typical firewall like iptables just looks at the packets (from which IP, to which IP, which ports, which protocol), but does not look into the content of the HTTP traffic. With HTTPS it could not even look into the details, even if it wanted to. Therefore, this does not seem like a workable solution.
I have several hosts (domains) configured on my server. But sometimes someone (probably a bot) tries just the IP address. In this case, h2o seems to use the first configured host as default. How can I change this? My goal is for h2o to not respond to a request without a host name (or to answer with a 404).
Of course, I could do this with mruby... but I am sure there is a simpler/cleaner way, e.g. by configuring a fall-back behaviour if no host rule matches.
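To check that a catch-all host like the one above actually catches what the issue describes (requests arriving by bare IP, by an unknown name, or with no usable Host header at all), here is a small Python helper. It is an added example, not code from the issue thread or the h2o project: `classify_host` normalizes a Host header the way a virtual-host lookup has to (port stripped, IPv6 brackets removed, case and trailing dot ignored) and says whether it names one of your configured hosts, and `probe` sends a single plain-HTTP request with a chosen Host header so you can confirm the blank host answers with the expected 403/404. The configured host list and the server address are assumptions for illustration.

```python
"""Verify a "default blank host" setup (added example, not from the thread).

classify_host() decides, for a given Host header and the list of vhost names
you actually configured, whether the request should fall through to the
catch-all host.  probe() lets you send that Host header to a live server and
read back the status code.
"""
import http.client
import ipaddress


def normalize_host(host_header):
    """Return the lowercase hostname part of a Host header, or None if absent.

    Handles "example.com:8080", "[2001:db8::1]:443" and "Example.COM." forms.
    Unbracketed IPv6 literals are not valid in a Host header, so a value with
    several colons and no brackets is left untouched (and will classify as
    "unknown").
    """
    if host_header is None:
        return None
    h = host_header.strip()
    if not h:
        return None
    if h.startswith("["):
        # bracketed IPv6 literal, optionally followed by :port
        end = h.find("]")
        if end == -1:
            return None  # malformed: treat like a missing Host
        h = h[1:end]
    elif h.count(":") == 1:
        h = h.split(":", 1)[0]  # strip ":port"
    return h.rstrip(".").lower() or None


def is_ip_literal(name):
    """True when the (normalized) host name is an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def classify_host(host_header, configured_hosts):
    """Classify a request's Host header against the configured vhost names.

    Returns one of: "missing", "ip-literal", "known", "unknown".
    """
    name = normalize_host(host_header)
    if name is None:
        return "missing"
    if is_ip_literal(name):
        return "ip-literal"
    configured = {c.rstrip(".").lower() for c in configured_hosts}
    return "known" if name in configured else "unknown"


def should_serve_blank(host_header, configured_hosts):
    """Everything that is not a configured name belongs to the blank host."""
    return classify_host(host_header, configured_hosts) != "known"


def probe(addr, port, host_header, path="/", timeout=5.0):
    """Send one HTTP/1.1 GET to addr:port with the given Host header.

    Returns the status code.  Call it with the server's bare IP as addr and,
    in turn, the IP itself, a configured domain and a made-up name as
    host_header; only the configured domain should get a 200.  host_header=None
    sends the request without any Host header.
    """
    conn = http.client.HTTPConnection(addr, port, timeout=timeout)
    try:
        conn.putrequest("GET", path, skip_host=True)
        if host_header is not None:
            conn.putheader("Host", host_header)
        conn.endheaders()
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    CONFIGURED = ["example.com", "www.example.com"]  # assumed vhost names
    # constructed sample Host headers covering the cases from the thread
    for hdr in ["example.com", "EXAMPLE.com.:443", "203.0.113.10",
                "[2001:db8::1]:443", "nosuchname.test", None]:
        print(f"{hdr!r:>22} -> {classify_host(hdr, CONFIGURED)}")
    # live check against an assumed server address (uncomment to run):
    # for hdr in ["203.0.113.10", "example.com", "nosuchname.test", None]:
    #     print(hdr, probe("203.0.113.10", 80, hdr))
```

Running the live part against a server built like the config above should show the configured domain getting a 200 while the IP literal and the made-up name get the blank host's "Forbidden" (or 404, if you replace the mruby ACL with a handler that returns that instead).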