IP address pointing to Apache default index.html.
Also, I'm hosting my website in /srv/www. But I've noticed other computers that have hosted theirs in /var/www. Which is preferred? Does it matter?
1 Reply
It's technically feasible to make the server drop the connection as soon as it sees an unwanted Host header, though I don't know if Apache has a feature for it, or how easy it is to use. I wouldn't do it, though. It doesn't achieve anything except being confusing (and saving you a trivial amount of CPU).
The only other option is some sort of HTTP response, and Apache's default index.html seems like as good a response as any.
Although, now that I think of it, an HTTP redirect to your primary website might be nice too.
What security issue do you think this addresses, anyway? If you want to hide what web server you're using, well, more than 50% of web servers are Apache, so hiding that is pretty pointless. You can try to disguise the version by using some page other than the default index.html -- say, a simple "Hello World", or the index.html from 10 years ago -- but that's probably unnecessary, and it's probably possible to identify the server in some other way anyway.
- Older clients might not include any Host header, in which case they'll always get the default website (i.e., no support for virtual hosting). Bothering to support them these days isn't worth it, though.**
** This is a technical quibble, but I believe HTTP/1.1 also supports a slightly different mechanism of specifying the host -- using "GET
@groffcole:
Also, I'm hosting my website in /srv/www. But I've noticed other computers that have hosted theirs in /var/www. Which is preferred? Does it matter?
I'd go with whatever your distro/web server picked by default. It doesn't matter, so I'd rather not risk angering some weird piece of software that cares for some stupid reason.
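The redirect option mentioned in the reply above, sketched as Apache configuration. This is an added example, not part of the original thread; it assumes Apache 2.4 syntax and plain HTTP on port 80, and `www.example.com`, `example.com` and `catchall.invalid` are placeholder names.

```apache
# Added example. Host names are placeholders; /srv/www is the document
# root mentioned in the question.

# Catch-all virtual host. With name-based virtual hosting, the FIRST
# VirtualHost loaded for an address:port answers every request whose
# Host header matches no ServerName/ServerAlias: requests to the bare
# IP address, to an unknown name, or with no Host header at all.
# This block must therefore be loaded before any other *:80 vhost.
<VirtualHost *:80>
    # Placeholder name that no real client will ever send.
    ServerName catchall.invalid

    # Redirect to the primary site instead of serving the default
    # index.html. The request path is appended to the target URL.
    Redirect permanent / http://www.example.com/
</VirtualHost>

# The real site. Only requests whose Host header matches one of these
# names are served from /srv/www.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /srv/www

    # Apache 2.4 serves files only from directories that are explicitly
    # granted. Assumption: the distro's stock configuration does not
    # already grant access to /srv/www.
    <Directory /srv/www>
        Require all granted
    </Directory>
</VirtualHost>
```

Running `apachectl -S` after a reload lists which virtual host is the default for each address and port, which confirms the catch-all is the one loaded first.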