RE: [us...@httpd] Hardening Apache against attacks
Got an slowloris attack a while ago on my own server. I added a rule in iptables to limit numbers a single source IP could use. -- Emil -Original Message- From: Jason Nunnelley [mailto:ja...@jasonn.com] Sent: söndag den 24 oktober 2010 22:47 To: users@httpd.apache.org Subject: [us...@httpd] Hardening Apache against attacks I've done a few things already: blocked certain IP blocks, block know problematic user agents. I'm trying to collect a list of Apache and site hardening (.htaccess) methods. Please share your favorite. Jason N - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Hardening Apache against attacks
On 10/24/2010 3:47 PM, Jason Nunnelley wrote: I've done a few things already: blocked certain IP blocks, block know problematic user agents. I'm trying to collect a list of Apache and site hardening (.htaccess) methods. Please share your favorite. Allowing .htaccess is orthogonal to hardening httpd against exploits :) - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Hardening Apache against attacks
On Sun, October 24, 2010 22:47, Jason Nunnelley wrote: I've done a few things already: blocked certain IP blocks, block know problematic user agents. I'm trying to collect a list of Apache and site hardening (.htaccess) methods. Please share your favorite. Why .htaccess? Security tip #1 should be 'disable .htaccess'. Performance tip #1 too. There is a good book on Apache security: https://www.feistyduck.com/books/apache-security/ Joost - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] Clean shutdown on Windows
Hi, I am using: Server version: Apache/2.2.16 (Win32) Server built: Jul 30 2010 16:15:37 and also: mod_fcgid (2.4.6) I start Apache form console: httpd.exe -f my_httpd_conf_file.conf fcgid starts as expectedly my_fcgi.exe (written in C++) which performs the logic of my requests. The problem is that at shutdown, some more steps have to be performed by and my_fcgi.exe. When I press Ctrl-C in the cmd where Apache was started, Apache gets it and simply kills my my_fcgi.exe that was started. my_fcgi.exe also catches CTRL-C but at a random time during it's shutdown logic, it's killed by Apache. Is there a way to shutdown Apache properly in order to have a clean shutdown or an un-initialize of the underlying processes? Or, is there un-initialize handlers that modules like mod_fcgid have such that I can peoperly showdown my-fcgi.exe? Apache has to wait somehow until the Apache modules (mod_fcgi in this case) are un-initialized. Probably I don't implement something in the un-initialize process. Any hint are very appreciated. Thanks! -- MSc Gabriel Petrovay Mobile: +41(0)787978034 www.28msec.com - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Clean shutdown on Windows
On 10/25/2010 4:21 AM, Gabriel Petrovay wrote: Hi, I am using: Server version: Apache/2.2.16 (Win32) Server built: Jul 30 2010 16:15:37 and also: mod_fcgid (2.4.6) I start Apache form console: httpd.exe -f my_httpd_conf_file.conf fcgid starts as expectedly my_fcgi.exe (written in C++) which performs the logic of my requests. The problem is that at shutdown, some more steps have to be performed by and my_fcgi.exe. When I press Ctrl-C in the cmd where Apache was started, Apache gets it and simply kills my my_fcgi.exe that was started. my_fcgi.exe also catches CTRL-C but at a random time during it's shutdown logic, it's killed by Apache. Is there a way to shutdown Apache properly in order to have a clean shutdown or an un-initialize of the underlying processes? Or, is there un-initialize handlers that modules like mod_fcgid have such that I can peoperly showdown my-fcgi.exe? Apache has to wait somehow until the Apache modules (mod_fcgi in this case) are un-initialized. Probably I don't implement something in the un-initialize process. Any hint are very appreciated. Interesting question; the users list is unlikely to be the right place to raise it. I'd take your question to the dev@ list where a small handful of us watch mod_fcgid issues :) - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] missing $DESTDIR in HTTPD 2.2.17
On Mon, Oct 25, 2010 at 7:33 AM, Eugene eugene.lyse...@gmail.com wrote: Hello, I usual make packages of HTTPD by myself for my Solaris 10 systems. After successful compilation I do DESTDIR=$TMPDIR gmake install and then make a package from the temporary dir. This is missing from the apr-util bundled with httpd, but has been fixed in upstream apr-util. This was an oversight when rebasing the bundled expat on the upstream expat build, bu it was fixed after that release of APR. -- Eric Covener cove...@gmail.com - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] Re: possible to add multiple locations for the document root
On 21/10/2010, e-letter inp...@gmail.com wrote: I tried to use the command 'Alias', to try and use the program phppgadmin which was extracted to /path/to/phppgadmin: DocumentRoot /var/www/html Alias /localhost/target /usr/local/phppgadmin/phppgadmin Directory /localhost/target Order allow,deny Allow from all /Directory After stopping and restarting the web server, when I navigate the web brower to 'http://localhost/target' I receive an error 404 page. In the phppgadmin directory there are various php pages, e.g. login.php: $ ls /usr/local/phppgadmin/phppgadmin/ aciur.jsgroups.php redirect.php aggregates.php help/ reports.php all_db.php help.phprobots.txt autocomplete.phpHISTORY roles.php browser.php history.php rules.php BUGSimages/ schemas.php casts.php indexes.js sequences.php classes/indexes.php servers.php colproperties.php index.php sql/ conf/ info.phpsqledit.php constraints.php INSTALL sql.php conversions.php intro.php tables.js CREDITS lang/ tablespaces.php database.phplanguages.php tables.php dataexport.php libraries/ tblproperties.php dataimport.php LICENSE themes/ dbexport.phplinks.jsTODO DEVELOPERS login.php TRANSLATORS display.php logout.php triggers.php domains.php multiactionform.js types.php FAQ opclasses.php users.php fulltext.phpoperators.php viewproperties.php functions.jsplugin_slony.phpviews.php functions.php privileges.php xloadtree/ What is my mistake please? I changed the alias to 'target' and tried to open the address 'localhost/target/login.php' As root I changed the permissions: ls -aod /usr/local/phppgadmin/ drwxr-xr-x 3 root 4096 2010-10-20 10:12 /usr/local/phppgadmin// ls -aod /usr/local/phppgadmin/phppgadmin/ drwxrwxrwx 11 root 4096 2010-10-20 10:12 /usr/local/phppgadmin/phppgadmin// I received an error that permission is denied: Access forbidden! You don't have permission to access the requested object. It is either read-protected or not readable by the server. If you think this is a server error, please contact the webmaster. Error 403 localhost mod-xslt/1.3.8 Apache/2.2.6 (Mandriva Linux/PREFORK-8.2mdv2008.0) What do I need to do now, please? - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Re: possible to add multiple locations for the document root
On Mon, October 25, 2010 14:39, e-letter wrote: On 21/10/2010, e-letter inp...@gmail.com wrote: I tried to use the command 'Alias', to try and use the program phppgadmin which was extracted to /path/to/phppgadmin: There are some errors: Alias /localhost/target /usr/local/phppgadmin/phppgadmin Alias /target /usr/local/phppgadmin/phppgadmin Directory /localhost/target Directory /usr/local/phppgadmin/phppgadmin Order allow,deny Allow from all /Directory I received an error that permission is denied: What do I need to do now, please? Read the error log, it should give more details why this request was denied. Are you certain that you want everyone to have access to the pgadmin website? Joost - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Re: possible to add multiple locations for the document root
On Oct 25, 2010, at 8:39 AM, e-letter wrote: I received an error that permission is denied: Access forbidden! You don't have permission to access the requested object. It is either read-protected or not readable by the server. This error message will be accompanied by an additional error message in the error_log, which will tell you either that it's because of file permissions (indicated by a (13) in the message) or configuration (indicated by ... by server configuration in the message) -- Rich Bowen rbo...@rcbowen.com http://drbacchus.com/
Re: [us...@httpd] Re: possible to add multiple locations for the document root
On 21/10/2010, e-letter inp...@gmail.com wrote: Alias /localhost/target /usr/local/phppgadmin/phppgadmin On 25.10.10 14:57, Joost de Heer wrote: Alias /target /usr/local/phppgadmin/phppgadmin Ehm... Alias /target/ /usr/local/phppgadmin/phppgadmin/ trailing slashes DO have a meaning. without them, the /target-test would get mapped to /usr/local/phppgadmin/phppgadmin-test no matter if the directory exists. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. He who laughs last thinks slowest. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] Basic authentication for a virtual/rewritten URL?
Sorry to interrupt you fine folks, I wasn't able to google up the answer to this. Is it possible to configure Apache to do basic authentication for a URL that doesn't correspond to a physical location in the filesystem (e.g. because it is rewritten to be served by CGI)? It appears that the authentication directives are only valid in Directory and htacces contexts, so I'm not able to password-protect a Location. On a filthy hunch I tried creating the directory in the filesystem that would correspond to the URL, and password-protecting that via a Directory configuration block, but that didn't work. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] Re: possible to add multiple locations for the document root
I deliberately changed permission just to get the service working. Of course, security will need to be improved in future. :) Below is extract from the file '/etc/httpd/logs/error_log': [Mon Oct 25 12:35:59 2010] [notice] Apache/2.2.6 (Mandriva Linux/PREFORK-8.2mdv2008.0) PHP/5.2.4 with Suhosin-Patch mod_put/2.0.8 configured -- resuming normal operations [Mon Oct 25 13:30:59 2010] [error] [client 127.0.0.1] client denied by server configuration: /usr/local/phppgadmin/phppgadmin/login.php This doesn't explain anything to me. Advice please? - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Re: possible to add multiple locations for the document root
On Oct 25, 2010, at 9:28 AM, e-letter wrote: I deliberately changed permission just to get the service working. Of course, security will need to be improved in future. :) Below is extract from the file '/etc/httpd/logs/error_log': [Mon Oct 25 12:35:59 2010] [notice] Apache/2.2.6 (Mandriva Linux/PREFORK-8.2mdv2008.0) PHP/5.2.4 with Suhosin-Patch mod_put/2.0.8 configured -- resuming normal operations [Mon Oct 25 13:30:59 2010] [error] [client 127.0.0.1] client denied by server configuration: /usr/local/phppgadmin/phppgadmin/login.php This doesn't explain anything to me. Advice please? Somewhere in your configuration you'll need: Directory /usr/local/phppgadmin/phppgadmin Order allow,deny Allow from all /Directory Based on what you sent earlier, I don't know if you have anything like this, but without it, you'll get the error message above. -- Rich Bowen rbo...@rcbowen.com http://drbacchus.com/
Re: [us...@httpd] Basic authentication for a virtual/rewritten URL?
Use Location instead of Directory Brian Hirt bh...@me.com On Oct 25, 2010, at 7:14 AM, Sacha Varma wrote: Sorry to interrupt you fine folks, I wasn't able to google up the answer to this. Is it possible to configure Apache to do basic authentication for a URL that doesn't correspond to a physical location in the filesystem (e.g. because it is rewritten to be served by CGI)? It appears that the authentication directives are only valid in Directory and htacces contexts, so I'm not able to password-protect a Location. On a filthy hunch I tried creating the directory in the filesystem that would correspond to the URL, and password-protecting that via a Directory configuration block, but that didn't work. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] missing $DESTDIR in HTTPD 2.2.17
On 25.10.2010 13:52, Eric Covener wrote: On Mon, Oct 25, 2010 at 7:33 AM, Eugeneeugene.lyse...@gmail.com wrote: Hello, I usual make packages of HTTPD by myself for my Solaris 10 systems. After successful compilation I do DESTDIR=$TMPDIR gmake install and then make a package from the temporary dir. This is missing from the apr-util bundled with httpd, but has been fixed in upstream apr-util. This was an oversight when rebasing the bundled expat on the upstream expat build, bu it was fixed after that release of APR. I guess this http://svn.apache.org/viewvc/apr/apr-util/branches/1.5.x/xml/expat/Makefile.in?r1=1002622r2=1006134diff_format=h is the change that Eric refers to. Have fun, Rainer - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] Re: possible to add multiple locations for the document root
I had changed the alias to add a trailing stroke (/). I also tried both Directory /usr/local/phppgadmin/phppgadmin and Directory /target/ After each change I stopped and re-started httpd using drakxservices. The permissions error continues. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] mixing dynamic and static virtual host definitions
On 10-10-23 09:33 AM, Eric Covener wrote: 1) if the new stanza is placed above the old one, then ALL traffic arriving at this server is directed to /home/drupal-commons/drupal_commons. 2) if the new stanza goes below the old, it is ignored entirely (this is what I expected). You need 1 NameVirtualHost *:80 to tell Apache to do name-based vhosts on those vhosts. Then keep the generic one listed first, so it will be the default for *:80. (You might have NameVirtualHost * in your debian conf, but it needs to be a literal match.) I have one NameVirtualHost *:80 which is in /etc/apache2/conf.d/ports.conf -- this is read before my site-specific conf stuff, I'm pretty sure. I guess I don't quite understand what you're recommending. Won't the generic stanza, which has dynamic matching: VirtualHost *:80 UseCanonicalNameOff VirtualDocumentRoot /var/www/%0 Options All RewriteEngine On RewriteRule ^/wp-uploads/(.*)$ /var/www/wp-uploads/%{HTTP_HOST}/$1 /VirtualHost pr-empt any later stanza? I thought that was the expected behaviour, and it explained to me why I have trouble when I put it first. But if the site-specific stanza for the new drupal stie goes first, VirtualHost *:80 DocumentRoot /home/drupal-commons/drupal_commons ServerName drupalsite.example.com /VirtualHost then it pre-empts everything (not what I expected, since I'm using ServerName, which I thought limited the application of this stanza to instances in which HTTP_HOST matches. ServerName.Is the problem perhaps with the globbing in the directive declaration? If so I don't see how to fix it, since I can't differentiate by IP (only one IP on this machine). Thanks again for all your help. Best, Matt - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] mixing dynamic and static virtual host definitions
then it pre-empts everything (not what I expected, since I'm using ServerName, which I thought limited the application of this stanza to instances in which HTTP_HOST matches. ServerName. Whichever one you put first is the default, which is used when there's no matching ServerName/ServerAlias. The one where you left off ServerName/ServerAlias is only the default because it's first, not because it's not constrained to specific ServerNames -- it's actually unusuably when it's not first since it matches no server names. - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Re: possible to add multiple locations for the document root
On Oct 25, 2010, at 11:02 AM, e-letter wrote: I had changed the alias to add a trailing stroke (/). I also tried both Directory /usr/local/phppgadmin/phppgadmin and Directory /target/ After each change I stopped and re-started httpd using drakxservices. Directory refers to an on-disk directory. In this case. /target/ is NOT, I understand, a directory in your filesystem, so the former of these is the correct one. However, did you happen to notice if the actual error message in the log changed to a file permissions ... rather than a ... by server configuration one? You need to watch the error log every time you make a change to your configuration to see if the error message changes. -- Rich Bowen rbo...@rcbowen.com http://drbacchus.com/
Re: [us...@httpd] mixing dynamic and static virtual host definitions
On 10-10-25 11:21 AM, Eric Covener wrote: then it pre-empts everything (not what I expected, since I'm using ServerName, which I thought limited the application of this stanza to instances in which HTTP_HOST matches. ServerName. Whichever one you put first is the default, which is used when there's no matching ServerName/ServerAlias. The one where you left off ServerName/ServerAlias is only the default because it's first, not because it's not constrained to specific ServerNames -- it's actually unusuably when it's not first since it matches no server names. ok, I'm trying to understand but I guess I don't quite get it. If I have a file like this: VirtualHost *:80 DocumentRoot /home/drupal-commons/drupal_commons ServerName tdhc.digitalcommons.ca /VirtualHost VirtualHost *:80 UseCanonicalNameOff VirtualDocumentRoot /var/www/%0 Options All ServerAdmin matt.pr...@utoronto.ca # Store uploads in /var/www/wp-uploads/$0 RewriteEngine On RewriteRule ^/wp-uploads/(.*)$ /var/www/wp-uploads/%{HTTP_HOST}/$1 /VirtualHost all traffic, no matter the HOST of the request, gets directed to /home/drupal-commons/drupal_commons. If I reverse the stanzas, no traffic ever gets directed there. Is there no possible ordering in which some traffic is matched by one of the stanzas, and some by another? And if not, is there a better trick to make that work? Thanks very much, Matt ps -- Not sure but I may have solved this by adding a ServerName * to the dynamic VirtualHost stanza. Is that bad practice? And may I ask what I should do to capture requests that come in without a HOST: header (that is, in which the request is made directly by IP)? I'd like to send those somewhere -- right now they go straight to tdhc.digitalcommons.ca, which I'd rather not have happen. Thanks again very much, Matt - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] mixing dynamic and static virtual host definitions
On Oct 25, 2010, at 12:07 PM, Matt Price wrote: ok, I'm trying to understand but I guess I don't quite get it. If I have a file like this: VirtualHost *:80 DocumentRoot /home/drupal-commons/drupal_commons ServerName tdhc.digitalcommons.ca /VirtualHost VirtualHost *:80 UseCanonicalNameOff VirtualDocumentRoot /var/www/%0 Options All ServerAdmin matt.pr...@utoronto.ca # Store uploads in /var/www/wp-uploads/$0 RewriteEngine On RewriteRule ^/wp-uploads/(.*)$ /var/www/wp-uploads/%{HTTP_HOST}/$1 /VirtualHost all traffic, no matter the HOST of the request, gets directed to / home/drupal-commons/drupal_commons. If I reverse the stanzas, no traffic ever gets directed there. Is there no possible ordering in which some traffic is matched by one of the stanzas, and some by another? And if not, is there a better trick to make that work? Thanks very much, You second vhost lacks a ServerName directive. As such, all traffic goes to the first (default) virtual host. The solution is to put a ServerName (and possibly one or more ServerAlias directives) in the second VirtualHost. -- Rich Bowen rbo...@rcbowen.com http://drbacchus.com/
Re: [us...@httpd] mixing dynamic and static virtual host definitions
On 10-10-25 12:23 PM, Rich Bowen wrote: On Oct 25, 2010, at 12:07 PM, Matt Price wrote: The solution is to put a ServerName (and possibly one or more ServerAlias directives) in the second VirtualHost. thank you. Things seem to work now -- though I confess to being a bit surprised that ServerName * will work in this instance. And it would rbe nice to be able to specify a root location for requests without a HOST header. But that will doubtless come. Thanks so much! Matt - The official User-To-User support forum of the Apache HTTP Server Project. See URL:http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] mixing dynamic and static virtual host definitions
On Oct 25, 2010, at 2:12 PM, Matt Price wrote: On 10-10-25 12:23 PM, Rich Bowen wrote: On Oct 25, 2010, at 12:07 PM, Matt Price wrote: The solution is to put a ServerName (and possibly one or more ServerAlias directives) in the second VirtualHost. thank you. Things seem to work now -- though I confess to being a bit surprised that ServerName * will work in this instance. And it would rbe nice to be able to specify a root location for requests without a HOST header. But that will doubtless come. Thanks so much! The reason that ServerName * doesn't work is that the value of ServerName is used to generate self-referential URLs, for example when an internal redirect is generated. With * you'd end up with http://*/ redir.html which isn't valid. -- Rich Bowen rbo...@rcbowen.com http://drbacchus.com/