simple-vhost.default-host and invalid hostnames
Shouldn't simple-vhost.default-host be used only when
request is HTTP1.0 and Request-URI is not an absoluteURI, i.e. does not contain http://host.name ?
If vhost directory does not exist, lighttpd should return error 400.
Now it attempts to fetch a file from the default_host directory instead.
Also, another bug:
If I do:
GET http://foo.bar/qux HTTP/1.1
Host: header should be ignored (1. below), but instead,
request.c.445: (trace) Host header is duplicate (Status: 400)
An origin server that does differentiate resources based on the host requested (sometimes referred to as virtual hosts or vanity host names) MUST use the following rules for determining the requested resource on an HTTP/1.1 request:
1. If Request-URI is an absoluteURI, the host is part of the Request-URI. Any Host header field value in the request MUST be ignored.
2. If the Request-URI is not an absoluteURI, and the request includes a Host header field, the host is determined by the Host header field value.
3. If the host as determined by rule 1 or 2 is not a valid host on the server, the response MUST be a 400 (Bad Request) error message.
Updated by gstrauss about 3 years ago
- Description updated (diff)
- Status changed from New to Invalid
- Assignee deleted (
Similar to how the main server will serve requests for any Host that reaches the server (unless a more specific vhost handles the request), mod_simple_vhost provides for a default document root if one is not configured. (You might reasonably suggest that lighttpd should not apply a default vhost unless explicitly configured.)
As to your other "bug", an updated RFC dictates lighttpd behavior is correct to send 400 upon Host mismatch:
A client MUST send a Host header field in all HTTP/1.1 request messages. If the target URI includes an authority component, then a client MUST send a field-value for Host that is identical to that authority component, excluding any userinfo subcomponent and its "@" delimiter (Section 2.7.1).
Also available in: Atom