Bug #1319

simple-vhost.default-host and invalid hostnames

Added by Safari over 12 years ago. Updated over 3 years ago.

Shouldn't simple-vhost.default-host be used only when the
request is HTTP/1.0 and the Request-URI is not an absoluteURI, i.e. does not contain ?

If vhost directory does not exist, lighttpd should return error 400.
Now it attempts to fetch a file from the default_host directory instead.

Also, another bug:
If I do:
Host: bar.qux

Host: header should be ignored (1. below), but instead,
lighttpd says:
request.c.445: (trace) Host header is duplicate (Status: 400)
An origin server that does differentiate resources based on the host requested (sometimes referred to as virtual hosts or vanity host names) MUST use the following rules for determining the requested resource on an HTTP/1.1 request:

1. If Request-URI is an absoluteURI, the host is part of the Request-URI. Any Host header field value in the request MUST be ignored.

2. If the Request-URI is not an absoluteURI, and the request includes a Host header field, the host is determined by the Host header field value.

3. If the host as determined by rule 1 or 2 is not a valid host on the server, the response MUST be a 400 (Bad Request) error message.


Attachment: lighttpd-svn-400-error-for-bad-host.patch (3.78 KB), "crude patch to give 400 error on bad Host", Safari, 2008-03-02 20:32

Updated by gstrauss over 3 years ago

  • Description updated (diff)
  • Status changed from New to Invalid
  • Assignee deleted (jan)

Similar to how the main server will serve requests for any Host that reaches the server (unless a more specific vhost handles the request), mod_simple_vhost provides for a default document root if one is not configured. (You might reasonably suggest that lighttpd should not apply a default vhost unless explicitly configured.)

As to your other "bug", an updated RFC dictates that lighttpd's behavior of sending 400 upon Host mismatch is correct:

   A client MUST send a Host header field in all HTTP/1.1 request
   messages.  If the target URI includes an authority component, then a
   client MUST send a field-value for Host that is identical to that
   authority component, excluding any userinfo subcomponent and its "@" 
   delimiter (Section 2.7.1).
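The two RFC passages quoted in this thread (the RFC 2616 section 5.2 rules in the report and the RFC 7230 section 5.4 Host rule in the reply) disagree on what to do with a Host header that does not match an absolute-URI request target. The resolver below is an added example, not lighttpd's or mod_simple_vhost's code: it applies both readings (the `strict_rfc7230` switch picks one), sends 400 for a duplicate Host as the trace line above shows, and models the default-host fallback for an unknown host that the reply describes (`default_for_unknown`). The vhost set, default host, sample requests and every function name are constructed for illustration.

```python
"""Resolve the effective host of an HTTP/1.x request on a virtual-hosting server.

Added example, not lighttpd code.  Assumed/constructed: VHOSTS, DEFAULT_HOST,
SAMPLES and the function names below.
"""
import re
from urllib.parse import urlsplit

# Loose shape check for a Host field-value: reg-name or IPv4 literal, optional port.
# (IPv6 literals and an empty Host are rejected here, which for a vhost server is
# "not a valid host" under rule 3 anyway.)
_HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")

VHOSTS = {"foo.bar", "example.test"}   # constructed: vhost directories that exist
DEFAULT_HOST = "default.test"          # constructed: simple-vhost.default-host


def parse_request(raw):
    """Split a raw request head into (request_line, [(name, value), ...]) in wire order."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def _authority_host(target):
    """Authority of an absolute-URI target with userinfo stripped, or None for origin-form."""
    if "://" not in target:
        return None
    parts = urlsplit(target)
    if not parts.scheme or not parts.netloc:   # e.g. "/redirect?to=http://x" is a path
        return None
    return parts.netloc.rsplit("@", 1)[-1].lower()


def resolve_host(request_line, headers, vhosts, default_host=None,
                 strict_rfc7230=True, default_for_unknown=False):
    """Return (status, host): 200 with the host whose document root serves the
    request, or 400 where the RFCs require Bad Request."""
    try:
        method, target, version = request_line.split(" ")
    except ValueError:
        return 400, None
    host_values = [v.strip().lower() for n, v in headers if n.lower() == "host"]
    if len(host_values) > 1:                   # duplicate Host: 400 (RFC 7230 5.4)
        return 400, None
    header_host = host_values[0] if host_values else None
    if header_host is not None and not _HOST_RE.match(header_host):
        return 400, None                       # syntactically invalid Host
    uri_host = _authority_host(target)
    if uri_host is not None:
        # RFC 2616 rule 1: the host comes from the absolute-URI and Host is ignored.
        # RFC 7230 additionally requires Host to be identical to that authority.
        if strict_rfc7230 and header_host is not None and header_host != uri_host:
            return 400, None
        host = uri_host
    elif header_host is not None:
        host = header_host                     # RFC 2616 rule 2
    elif version == "HTTP/1.1":
        return 400, None                       # HTTP/1.1 requests MUST carry Host
    else:
        # HTTP/1.0 without Host: the only case where a default host is clearly appropriate.
        return (200, default_host) if default_host is not None else (400, None)
    if host.split(":", 1)[0] in vhosts:
        return 200, host
    if default_for_unknown and default_host is not None:
        return 200, default_host               # lighttpd's fallback, as described above
    return 400, None                           # RFC 2616 rule 3


# Constructed sample requests covering the cases discussed in the thread.
SAMPLES = {
    "origin_known":      "GET /index.html HTTP/1.1\r\nHost: foo.bar\r\n\r\n",
    "origin_unknown":    "GET /index.html HTTP/1.1\r\nHost: nope.test\r\n\r\n",
    "absolute_match":    "GET http://foo.bar/index.html HTTP/1.1\r\nHost: foo.bar\r\n\r\n",
    "absolute_mismatch": "GET http://foo.bar/index.html HTTP/1.1\r\nHost: bar.qux\r\n\r\n",
    "duplicate_host":    "GET / HTTP/1.1\r\nHost: foo.bar\r\nHost: foo.bar\r\n\r\n",
    "http10_no_host":    "GET / HTTP/1.0\r\n\r\n",
    "http11_no_host":    "GET / HTTP/1.1\r\n\r\n",
    "userinfo":          "GET http://user@example.test/ HTTP/1.1\r\nHost: example.test\r\n\r\n",
}


def classify(name, **opts):
    """Run one named sample through the resolver with the constructed config."""
    request_line, headers = parse_request(SAMPLES[name])
    return resolve_host(request_line, headers, VHOSTS, DEFAULT_HOST, **opts)


if __name__ == "__main__":
    for name in SAMPLES:
        print("%-18s rfc7230=%s  rfc2616=%s" % (
            name, classify(name), classify(name, strict_rfc7230=False)))
```

The `absolute_mismatch` sample is the reporter's case: under `strict_rfc7230=False` the Host header is ignored and `foo.bar` is served, under the default strict setting the request is rejected with 400, which is the behaviour the reply defends. Flipping `default_for_unknown=True` reproduces the fallback the report objects to: an unknown Host is served from the default host's directory instead of drawing a 400.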
