i...@protonmail.com writes:
> I would like to avoid httpd giving anything if a user types in the IP
> address of the server.

httpd.conf(5) says:

   server name {...}
       Match the server name using shell globbing rules.  This can be an
       explicit name, www.example.com, or a name including wildcards,
       *.example.com.

From that I would expect to be able to create server blocks enumerating
valid hostnames, name the last block "*", and specify a self-signed
certificate with a domain name of "invalid".

So I tried it:

server "example" {
        listen on * port 80
        listen on * tls port 443
        tls certificate "/etc/ssl/example.crt"
        tls key "/etc/ssl/private/example.key"
}
server "*" {
        listen on * port 80
        listen on * tls port 443
        tls certificate "/etc/ssl/invalid.crt"
        tls key "/etc/ssl/private/invalid.key"
        block
}

Results:
 - http://example/ displays index.html (expected)
 - http://127.0.0.1/ displays 403 (expected)
 - http://noexist/ displays 403 (expected)
 - https://example/ displays index.html, cert for example (expected)
 - https://127.0.0.1/ displays 403, cert for example (unexpected)
 - https://noexist/ displays 403, cert for example (unexpected)

Is that a bug?

I can "force" the desired behavior by duplicating the invalid block
to mention that certificate first. But it doesn't seem like that
should be necessary.

server "invalid" {
        listen on * tls port 443
        tls certificate "/etc/ssl/invalid.crt"
        tls key "/etc/ssl/private/invalid.key"
        block
}
server "example" {
        listen on * port 80
        listen on * tls port 443
        tls certificate "/etc/ssl/example.crt"
        tls key "/etc/ssl/private/example.key"
}
server "*" {
        listen on * port 80
        listen on * tls port 443
        tls certificate "/etc/ssl/invalid.crt"
        tls key "/etc/ssl/private/invalid.key"
        block
}

 - http://example/ displays index.html
 - http://127.0.0.1/ displays 403
 - http://noexist/ displays 403
 - https://example/ displays index.html, cert for example
 - https://127.0.0.1/ displays 403, cert for invalid
 - https://noexist/ displays 403, cert for invalid

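An added example (not part of this mail or of httpd's own code) that models the two matching rules consistent with the results above: for plain HTTP the Host header is glob-matched against server names in file order, while for TLS the SNI name is compared with certificate names, and a connection with no SNI (a bare IP address) or an unmatched SNI gets the first TLS certificate configured on the listener. The tiny parser, the use of the .crt file's stem as the certificate's subject name, and the no-match fallback in http_status are assumptions made for the model.

```python
import fnmatch, re
# Constructed copies of the post's two configs (CONF_B = "invalid" block first).
CONF_A = '''
server "example" {
    listen on * port 80
    listen on * tls port 443
    tls certificate "/etc/ssl/example.crt"
    tls key "/etc/ssl/private/example.key"
}
server "*" {
    listen on * port 80
    listen on * tls port 443
    tls certificate "/etc/ssl/invalid.crt"
    tls key "/etc/ssl/private/invalid.key"
    block
}
'''
CONF_B = '''
server "invalid" {
    listen on * tls port 443
    tls certificate "/etc/ssl/invalid.crt"
    tls key "/etc/ssl/private/invalid.key"
    block
}
''' + CONF_A

def parse(conf):
    """Server blocks in file order as (name, cert_name, blocked); cert_name is
    the .crt file's stem, assumed here to equal the certificate's subject name."""
    blocks = []
    for m in re.finditer(r'server\s+"([^"]+)"\s*\{(.*?)\}', conf, re.S):
        name, body = m.group(1), m.group(2)
        cert = re.search(r'tls certificate\s+"[^"]*/([^/"]+)\.crt"', body)
        blocks.append((name, cert.group(1) if cert else None,
                       re.search(r'^\s*block\s*$', body, re.M) is not None))
    return blocks

def http_status(blocks, host):
    """HTTP: the first server whose name glob-matches the Host header wins
    (httpd.conf(5) rule); a server with 'block' answers 403."""
    for name, _, blocked in blocks:
        if fnmatch.fnmatchcase(host, name):
            return 403 if blocked else 200
    return 403  # assumption for the no-match case; unreachable with a "*" block

def tls_cert(blocks, sni):
    """Assumed model of the post's TLS results: SNI is matched against cert
    names, not server-name globs; no SNI (bare IP) or no match -> first cert."""
    certs = [c for _, c, _ in blocks if c]
    return sni if sni in certs else certs[0]
```

Running tls_cert over both configurations reproduces the six TLS results listed for each: only the block order decides which certificate a client without a matching SNI is shown.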