On Monday, 23 August, 2021 10:19, "Karl Auer" <kauer@biplane.com.au> said:
> You could block inappropriate inbound requests, but not knowing what is on the web servers makes that an infinite set of possibilities. So you would really have to permit only appropriate inbound requests. On anything but a trivial server the set of appropriate inbound requests could be very, very large. Not to mention that rewrite rules and suchlike could be blurring the difference between appropriate and inappropriate on a web server where the configuration is possibly in the hands of the bad guys.
That's a good point - I was thinking solely in terms of the DNS-based / simple vhost stuff, where a client is requesting 'Host: www.badguys.com' from an IP address that "should" only be serving www.mystuff.com. www.mystuff.com/secret/content/here/badguys.com/ is the obvious and trivial workaround; I'm sure there are much more sophisticated ways to do it. But we may both be talking about the wrong thing until Pirawat confirms :)

Regards,
Tim.
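The two positions in the thread side by side, as an added example that is not code from either poster: a Host-header allowlist of the kind Tim describes, run over a few constructed request heads, including the path-based case Tim names, which passes the allowlist untouched because the foreign name never appears in the Host header. The allowlist contents and the sample requests are assumptions made for the illustration; the only standard behaviour relied on is that an absolute-form request-target overrides the Host header (RFC 7230 section 5.4).

```python
# Added example; not code from the thread's authors. Demonstrates a
# Host-header allowlist and its blind spot for path-based content.
from urllib.parse import urlsplit

# Constructed allowlist: the only names this IP is supposed to serve.
ALLOWED_HOSTS = {"www.mystuff.com", "mystuff.com"}


def parse_request_head(raw: str) -> dict:
    """Parse an HTTP/1.x request head (request line plus headers)."""
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        if line == "":
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def effective_host(req: dict) -> str:
    """Return the host the client is addressing, normalised for comparison.

    Per RFC 7230 section 5.4, when the request-target is in absolute form the
    authority in the target takes precedence over the Host header.
    """
    target = req["target"]
    if target.startswith(("http://", "https://")):
        host = urlsplit(target).hostname or ""
    else:
        host = req["headers"].get("host", "")
        # Strip a port suffix ("www.mystuff.com:8080"); IPv6 literals are
        # bracketed, so only split when there is no closing bracket.
        if ":" in host and not host.endswith("]"):
            host = host.rsplit(":", 1)[0]
    return host.strip().lower().rstrip(".")


def allow_request(raw: str) -> bool:
    """Permit only requests whose effective host is on the allowlist."""
    try:
        req = parse_request_head(raw)
    except ValueError:
        return False  # malformed heads are refused rather than guessed at
    return effective_host(req) in ALLOWED_HOSTS


# Constructed sample request heads (not captured traffic).
SAMPLE_REQUESTS = {
    "legit_host": "GET / HTTP/1.1\r\nHost: www.mystuff.com\r\n\r\n",
    "wrong_host": "GET / HTTP/1.1\r\nHost: www.badguys.com\r\n\r\n",
    "wrong_host_port": "GET / HTTP/1.1\r\nHost: www.badguys.com:8080\r\n\r\n",
    "no_host": "GET / HTTP/1.1\r\nUser-Agent: x\r\n\r\n",
    "absolute_form": "GET http://www.badguys.com/ HTTP/1.1\r\nHost: www.mystuff.com\r\n\r\n",
    # The path-based workaround from the thread: the allowlist permits it,
    # because the foreign name is in the path, not the Host header. Only
    # inspection of what the server actually serves would notice it.
    "path_workaround": "GET /secret/content/here/badguys.com/ HTTP/1.1\r\nHost: www.mystuff.com\r\n\r\n",
}


def classify_samples() -> dict:
    """Map each sample name to True (permitted) or False (refused)."""
    return {name: allow_request(raw) for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, allowed in classify_samples().items():
        print("%-16s %s" % (name, "permit" if allowed else "refuse"))
```

The refusals on a wrong, missing or absolute-form host are what a Host-based rule can deliver; the permitted `path_workaround` entry is Karl's objection made concrete, since nothing in the request head distinguishes it from legitimate traffic for www.mystuff.com.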