On Jan 26, 2011, at 3:13 PM, valdis.kletni...@vt.edu wrote:

> On Wed, 26 Jan 2011 12:56:01 -1000, Antonio Querubin said:
>> On Wed, 26 Jan 2011, Owen DeLong wrote:
>>
>>>> Listen a.b.c.d:80 -> Listen 80
>>>> <Virtualhost a.b.c.d:80> -> <Virtualhost *:80>
>>>>
>>> That only works if you have only one address on the machine and.
>>
>> Actually it works fine on machines with multiple IP addresses for both
>> FreeBSD and CentOS. And IPv6 enabled servers can easily have multiple
>> IPv6 addresses.
>
> What Owen meant was that if you expect it to answer *only* for a.b.c.d:80,
> and *not* to answer for other addresses/interfaces, you may be in for a
> surprise (consider a DMZ host where you have:
>
> outside world - 128.257.12.2
> inside facing - 192.168.149.149
>
> VirtualHost 198.168.149.149:80 # super-sekrit corporate internal site
>
> Changing that VirtualHost to *:80 will probably cause some grief. ;)

Exactly... That is one of MANY examples of the kind of potential for abuse I was attempting to describe. Admittedly, if you put your Super-sekrit corporate internal site on a DMZ host, you arguably deserve what happens, but...

Owen
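
Added example, not part of the thread above: a small config check that flags Apache `Listen` and `VirtualHost` directives bound to every interface, which is the state the address-specific DMZ vhost ends up in after the `*:80` rewrite discussed here. The function names, the `intranet.example` ServerName and both sample configs are constructed for illustration.

```python
import re

# Constructed configs: the address-specific form from the thread and the
# wildcard form it was changed to. ServerName is a made-up placeholder.
BEFORE = """\
Listen 192.168.149.149:80
<VirtualHost 192.168.149.149:80>
    ServerName intranet.example
</VirtualHost>
"""
AFTER = """\
Listen 80
<VirtualHost *:80>
    ServerName intranet.example
</VirtualHost>
"""

LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.I)
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
WILDCARDS = {"*", "_default_", "0.0.0.0", "::"}

def bind_address(spec):
    """Return the address part of an addr[:port] spec, '*' if port-only."""
    if spec.startswith("["):                 # [IPv6]:port
        return spec[1:].partition("]")[0]
    if ":" in spec:                          # addr:port
        return spec.rpartition(":")[0]
    return "*" if spec.isdigit() else spec   # bare port vs bare address

def wildcard_binds(config_text):
    """List (line number, directive, spec) for every all-interfaces bind."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for directive, rx in (("Listen", LISTEN_RE), ("VirtualHost", VHOST_RE)):
            m = rx.match(line)
            if m is None:
                continue
            for spec in m.group(1).split():
                if bind_address(spec) in WILDCARDS:
                    findings.append((lineno, directive, spec))
    return findings

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, wildcard_binds(text))
```

An empty result for the address-specific config and two findings for the rewritten one show where an internal-only vhost would start answering on the outside interface as well.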