On Monday, 23 August, 2021 10:19, "Karl Auer" <ka...@biplane.com.au> said:
> You could block inappropriate inbound requests, but not knowing what is
> on the web servers makes that an infinite set of possibilities. So you
> would really have to permit only appropriate inbound requests. On
> anything but a trivial server the set of appropriate inbound requests
> could be very, very large. Not to mention that rewrite rules and
> suchlike could be blurring the difference between appropriate and
> inappropriate on a web server where the configuration is possibly in
> the hands of the bad guys.

That's a good point - I was thinking solely in terms of the DNS-based / simple vhost stuff, where a client is requesting 'Host: www.badguys.com' from an IP address that "should" only be serving www.mystuff.com.

www.mystuff.com/secret/content/here/badguys.com/ is the obvious and trivial workaround, I'm sure there are much more sophisticated ways to do it.

But we may both be talking about the wrong thing until Pirawat confirms :)

Regards,
Tim.
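The Host-based check discussed in this message, as an added example that is not part of the original e-mail: a permit-only filter keyed on the host a server would route on, run over constructed requests. The address `192.0.2.10`, the `EXPECTED` table and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed mapping (assumption): names each listening address "should" serve.
EXPECTED = {"192.0.2.10": {"www.mystuff.com"}}

def effective_host(raw: bytes):
    """Return the lower-cased host the request is addressed to, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None                      # malformed request line
    target = parts[1]
    hosts = [l.split(":", 1)[1].strip() for l in lines[1:]
             if l.lower().startswith("host:")]
    if target.lower().startswith(("http://", "https://")):
        # An absolute-form target takes precedence over the Host header
        # (RFC 7230 section 5.5), so check the name that will be used.
        authority = urlsplit(target).netloc
    elif len(hosts) == 1:
        authority = hosts[0]
    else:
        return None                      # missing or duplicated Host header
    host = urlsplit("//" + authority).hostname   # drops port, lower-cases
    return host.rstrip(".") if host else None

def verdict(dst_ip: str, raw: bytes) -> str:
    """Permit only requests whose host is expected on dst_ip."""
    host = effective_host(raw)
    if host is None:
        return "reject"
    return "allow" if host in EXPECTED.get(dst_ip, set()) else "block"

def req(target: str, *headers: str) -> bytes:
    """Build a constructed sample request."""
    return ("GET %s HTTP/1.1\r\n" % target + "".join(h + "\r\n" for h in headers)
            + "\r\n").encode("latin-1")

if __name__ == "__main__":
    samples = [
        req("/", "Host: www.mystuff.com"),
        req("/", "Host: www.badguys.com"),
        req("http://www.badguys.com/", "Host: www.mystuff.com"),
        # Passes the filter: the Host header carries no sign of the path-based case.
        req("/secret/content/here/badguys.com/", "Host: www.mystuff.com"),
    ]
    for s in samples:
        print(verdict("192.0.2.10", s), s.split(b"\r\n")[0].decode())
```

The last sample returns `allow`, which is the limitation raised in the message: a filter that looks only at the requested name cannot see content served under a path of the legitimate name.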