[135589] in North American Network Operators' Group


Re: Ipv6 for the content provider

daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Jan 26 21:30:53 2011

From: Owen DeLong <owen@delong.com>
In-Reply-To: <82273.1296083584@localhost>
Date: Wed, 26 Jan 2011 16:49:33 -0800
To: Valdis.Kletnieks@vt.edu
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 26, 2011, at 3:13 PM, Valdis.Kletnieks@vt.edu wrote:

> On Wed, 26 Jan 2011 12:56:01 -1000, Antonio Querubin said:
>> On Wed, 26 Jan 2011, Owen DeLong wrote:
>> 
>>>> Listen a.b.c.d:80         ->  Listen 80
>>>> <Virtualhost a.b.c.d:80>  ->  <Virtualhost *:80>
>>>> 
>>> That only works if you have only one address on the machine and.
>> 
>> Actually it works fine on machines with multiple IP addresses for both 
>> FreeBSD and CentOS.  And IPv6 enabled servers can easily have multiple 
>> IPv6 addresses.
> 
> What Owen meant was that if you expect it to answer *only* for a.b.c.d:80,
> and *not* to answer for other addresses/interfaces, you may be in for a
> surprise (consider a DMZ host where you have:
> 
> outside world -  128.257.12.2
> inside facing - 192.168.149.149
> 
> VirtualHost 198.168.149.149:80 # super-sekrit corporate internal site
> 
> Changing that VirtualHost to *:80 will probably cause some grief. ;)

Exactly... That is one of MANY examples of the kind of potential
for abuse I was attempting to describe.

Admittedly, if you put your Super-sekrit corporate internal site on a
DMZ host, you arguably deserve what happens, but...

Owen
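The following is an added example and not code from the thread or from either poster. It is a small Python model of how Apache chooses a <VirtualHost> for a connection, built to make the DMZ point above concrete: the address-bound layout, the "just use *:80" rewrite, and a third layout that adds IPv6 by binding to an explicit IPv6 literal instead of a wildcard. The Apache rules modelled are simplified from the httpd vhost-selection documentation (exact-address vhosts beat wildcard ones, then ServerName/ServerAlias against the Host header, then first-in-config-order). The addresses are constructed: 203.0.113.2 and 2001:db8::2 stand in for the outside address, 192.168.149.149 for the inside one; the hostnames and function names are assumptions of this example.

```python
"""Added example (not from the NANOG thread): model Apache vhost selection
to show why rewriting address-bound vhosts to *:80 on a DMZ host exposes
the internal site, and how to add IPv6 without doing that.

Simplifications (assumed, not a full httpd reimplementation):
  - 'Listen N' binds every address; 'Listen addr:N' binds only that address;
  - a vhost is a candidate if a <VirtualHost> address equals the connection's
    local addr:port, or is '*' on that port; exact beats wildcard;
  - Host header matched against ServerName/ServerAlias, else first candidate
    in config order wins; no candidate at all -> main server (None here).
"""
import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.M | re.I)


def parse_addr(spec):
    """'203.0.113.2:80' -> ('203.0.113.2', 80); '[2001:db8::2]:80' -> ('2001:db8::2', 80)."""
    if spec.startswith("["):
        host, _, port = spec[1:].partition("]:")
    else:
        host, _, port = spec.rpartition(":")
    return host, int(port)


def listening(config, local_addr, port):
    """True if some Listen directive binds local_addr:port."""
    for spec in LISTEN_RE.findall(config):
        if spec.isdigit():                      # bare 'Listen 80' binds all addresses
            if int(spec) == port:
                return True
        elif parse_addr(spec) in ((local_addr, port), ("0.0.0.0", port), ("::", port)):
            return True
    return False


def parse_vhosts(config):
    """[(set of (addr, port), [servername, aliases...])] in config order."""
    vhosts = []
    for m in VHOST_RE.finditer(config):
        addrs = {parse_addr(a) for a in m.group(1).split()}
        names = []
        for line in m.group(2).splitlines():
            parts = line.split("#", 1)[0].split()   # drop trailing comments
            if len(parts) > 1 and parts[0].lower() in ("servername", "serveralias"):
                names += [p.lower() for p in parts[1:]]
        vhosts.append((addrs, names or ["<unnamed>"]))
    return vhosts


def serve(config, local_addr, port, host_header):
    """ServerName served for a connection to local_addr:port with this Host header;
    'unreachable' if nothing listens there, None if only the main server would."""
    if not listening(config, local_addr, port):
        return "unreachable"
    vhosts = parse_vhosts(config)
    exact = [v for v in vhosts if (local_addr, port) in v[0]]
    candidates = exact or [v for v in vhosts if ("*", port) in v[0]]
    if not candidates:
        return None
    host = host_header.lower()
    if not host.startswith("[") and ":" in host:
        host = host.rsplit(":", 1)[0]           # strip :port from the Host header
    for _, names in candidates:
        if host in names:
            return names[0]
    return candidates[0][1][0]


# Constructed configs (assumed addresses). BEFORE is the address-bound layout.
BEFORE = """
Listen 203.0.113.2:80
Listen 192.168.149.149:80
<VirtualHost 203.0.113.2:80>
    ServerName www.example.com
</VirtualHost>
<VirtualHost 192.168.149.149:80>
    ServerName intranet.example.com   # super-sekrit corporate internal site
</VirtualHost>
"""

# The "Listen 80 / *:80" rewrite suggested for getting IPv6.
WILDCARD = BEFORE.replace("Listen 203.0.113.2:80\nListen 192.168.149.149:80", "Listen 80") \
                 .replace("<VirtualHost 203.0.113.2:80>", "<VirtualHost *:80>") \
                 .replace("<VirtualHost 192.168.149.149:80>", "<VirtualHost *:80>")

# Add IPv6 by binding the public vhost to an explicit IPv6 literal instead.
EXPLICIT_V6 = BEFORE.replace("Listen 203.0.113.2:80", "Listen 203.0.113.2:80\nListen [2001:db8::2]:80") \
                    .replace("<VirtualHost 203.0.113.2:80>", "<VirtualHost 203.0.113.2:80 [2001:db8::2]:80>")

OUTSIDE = ["203.0.113.2", "2001:db8::2"]       # addresses an Internet client can reach


def internal_site_exposed(config, internal="intranet.example.com", port=80):
    """Can a client on an outside address get the internal vhost by sending its Host header?"""
    return any(serve(config, a, port, internal) == internal for a in OUTSIDE)


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("wildcard", WILDCARD), ("explicit-v6", EXPLICIT_V6)):
        print(f"{label:12s} internal site reachable from outside: {internal_site_exposed(cfg)}")
```

Running it reports False, True, False: the wildcard rewrite is the only one where a request to the outside address carrying `Host: intranet.example.com` is answered by the internal vhost, while the explicit-IPv6 layout gets a v6 listener for the public site without widening the internal one.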


