
Bug#775176: please don't open tcp/80 by default

On Thu, 2015-01-15 at 13:53 +0100, Harald Dunkel wrote: 
> Unfortunately the VirtualHost statement defines both IP address
> and port for each virtual host. They don't work without the
> appropriate Listen statements, so I cannot follow your "independent
> from each other".
That's basically why you need to tell the vhosts for which IPs they're
valid, i.e. you can probably have different vhosts for the same
names (i.e. domain-names or addresses the client sets in the HTTP Host:
header) on different IP addresses.

So conceptually "Listen" is for the IP protocol level, while the address
in VirtualHost (which can actually be a hostname as well, that is then
however resolved once on startup) is just to tell on which addresses
that vhost should be used, which is btw also necessary for IP based
vhosting (i.e. when no HTTP Host: header is given).

> Can you confirm that the central Listen statement breaks the
> modular approach of a2ensite?
Not sure what you mean.

I guess you'd probably want to get rid of the Listen statement
altogether, and that Apache determines all the address/port combinations
from all enabled vhosts automatically.
I'm not sure whether I would generally like this and which implications
it has... I think security-wise it's not so good, because you lose that
one central point where you control where to actually listen on.

But anyway, this is not the case in Apache and one would have to request
such "feature" upstream... and until that, Listen is IMHO "independent"
from VirtualHost (but VirtualHost isn't independent from Listen)... and
as such it doesn't make sense IMHO to have it in the sites-available
dir,... and even less in the conf.d dir.

> That's my point: I want to disable apache2 for port 80/tcp without
> the risk of losing this setting on the next package upgrade.
First, you don't lose anything on package upgrade, since dpkg doesn't
blindly overwrite config files unless you tell it to - actually in the
many years of running apache now, it never asked me the typical
question, since the maintainer version of ports.conf never changed.

And the next problem is that the listening settings are so deeply in
the configuration schema of Apache that you cannot just enable/disable
them so easily by removing a config file.
Even if you'd say a2dismod ports-http-80.conf or something like that...
all your other config snippets would e.g. still refer to port 80 and
fail then.
And AFAIK there is no <IfListenOn> conditional directive where you can
just opportunistically enable something, based on whether apache
actually does listen on it.

> This could be implemented by splitting ports.conf into 2 parts
> conf-available/{port80.conf,port443.conf} and to create the symlinks
> in conf-enabled (to keep Debian's default). Just a suggestion, of
> course.
Nah,... really not... then you get dozens of such small one-liner
files... many people listen on many more ports than just 80 / 443.
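The dependency discussed above (a VirtualHost only ever receives traffic if a matching Listen exists, and Apache has no <IfListenOn> to check that for you) can at least be linted statically. The following is an added example, not code from the bug report or from the Debian apache2 package; it parses a constructed config fragment and lists every vhost address:port that no Listen directive covers.

```python
import re

# Constructed sample (not from the bug report): one central Listen block plus
# three vhosts; the last claims an address:port no Listen directive covers.
SAMPLE_CONFIG = """
Listen 80
Listen 192.0.2.10:443
<VirtualHost *:80>
  ServerName www.example.test
</VirtualHost>
<VirtualHost 192.0.2.10:443>
  ServerName secure.example.test
</VirtualHost>
<VirtualHost 192.0.2.11:8080>
  ServerName admin.example.test
</VirtualHost>
"""
LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.M)
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.M)

def split_addr_port(spec):
    """Split 'addr:port', '[v6]:port' or a bare port; '*' means any."""
    if spec.startswith("["):
        addr, _, rest = spec[1:].partition("]")
        return addr, (rest[1:] if rest.startswith(":") else "*")
    if ":" in spec:
        addr, port = spec.rsplit(":", 1)
        return addr, port
    return ("*", spec) if spec.isdigit() else (spec, "*")

def parse_listen(text):
    """(address, port) pairs Apache binds; 'Listen 80' binds every address."""
    return {split_addr_port(s) for s in LISTEN_RE.findall(text)}

def vhost_addresses(text):
    """Every addr:port a <VirtualHost> claims; _default_ counts as '*'."""
    out = []
    for m in VHOST_RE.finditer(text):
        for spec in m.group(1).split():
            addr, port = split_addr_port(spec)
            out.append(("*" if addr == "_default_" else addr, port))
    return out

def unreachable_vhosts(text):
    """Vhost addresses no Listen covers: the check <IfListenOn> would give."""
    listening = parse_listen(text)
    return [f"{a}:{p}" for a, p in vhost_addresses(text)
            if not any(p in ("*", lp) and ("*" in (a, la) or a == la)
                       for la, lp in listening)]
```

Run `unreachable_vhosts()` over the concatenation of ports.conf and every enabled site to see which vhosts would silently never be served; the same list is what `apache2ctl -S` shows only for addresses Apache actually bound.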

