Returning 400 in virtual host environments where Host header has no match


Question

Consider a web server from which three virtual hosts are served:


  • mysite.com

  • myothersite.com

  • imnotcreative.com

Now assume that the server receives the following raw request message (code formatting removes the terminating \r\n sequences):

GET / HTTP/1.1
Host: nothostedhere.com

I haven't seen any guidance in RFC 2616 (perhaps I missed it?) on how to respond to a request for a host name that does not exist at the current server. Apache, for example, will simply use the first virtual host defined in its configuration as the "primary host" and pretend the client requested that host. Obviously this is more robust than returning a 400 Bad Request response and guarantees the client always sees some representation.

So my question is...

Can anyone provide reasons aside from the "robustness vs. correctness" argument to dissuade me from responding with a 400 (or other error code) should the client request a non-existent host when employing the HTTP/1.1 protocol?

Note that all HTTP/1.1 requests MUST specify a Host: header as per RFC 2616. For HTTP/1.0 requests the only real option is to serve the "primary" host result. This question specifically addresses HTTP/1.1 protocol requests.

Answer

400 is not really the semantically correct response code in this scenario.

10.4.1 400 Bad Request

The request could not be understood by the server due to malformed syntax.

This is not what has happened. The request is syntactically valid, and by the time your server has reached the routing phase (when you are inspecting the value of the header) this will already have been determined.

I would say the correct response code here is 403:

10.4.4 403 Forbidden

The server understood the request, but is refusing to fulfill it.

This describes what has happened more accurately. The server is refusing to fulfill the request because it is unable to, and a more verbose error message can be provided in the message entity.

There is also an argument that 404 would be acceptable/correct, since a suitable document with which to satisfy the request could not be found, but personally I think that this is not the correct option, because 404 states:

10.4.5 404 Not Found

The server has not found anything matching the Request-URI

This explicitly mentions a problem with the Request-URI, and at this early stage of the routing phase you are probably not interested in the URI, since you first need to allocate the request to a host before it can determine whether it has a suitable document to handle the URI path.

In HTTP/1.1 Host: headers are mandatory. If a client states that it is using version 1.1 and does not supply a Host: header then 400 is definitely the correct response code. If the client states that it is using version 1.0 then it is not required to supply a host header and this should be handled gracefully - and this scenario amounts to the same situation as an unrecognised domain.

Really you have two options in this event: route the request to a default virtual host container, or respond with an error. As outlined above, if you are going to respond with an error, I believe the error should be 403.
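The decision procedure described in the answer above, as an added example that is not part of the original post and not Apache's code: a small router that parses a raw HTTP request head and applies the rules discussed (HTTP/1.1 without a Host header gets 400; a host this server does not serve gets 403, or the default vhost if you prefer Apache's behaviour; HTTP/1.0 without Host goes to the default vhost) against the three sites from the question. The VHOSTS set, DEFAULT_VHOST, the route() function, the case/port normalisation of the Host value, and the handling of duplicate Host headers and absolute-form Request-URIs are this example's own assumptions, not anything the answer specifies.

```python
"""Route a raw HTTP request head to a virtual host, or pick the error code to send."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed configuration: the three sites named in the question.
VHOSTS = {"mysite.com", "myothersite.com", "imnotcreative.com"}
# Assumed default site, used only where the answer says a default is the right choice.
DEFAULT_VHOST = "mysite.com"


@dataclass
class Decision:
    status: int            # status code to send; 200 means "routed to a site"
    vhost: Optional[str]   # site that serves the request, if any
    reason: str


def _normalize_host(value: str) -> str:
    """Lower-case the host and drop an optional :port, so 'MySite.com:8080' matches 'mysite.com'."""
    host = value.strip().lower()
    if host.startswith("["):                      # IPv6 literal such as [::1]:8080
        return host.split("]", 1)[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def route(raw: bytes, strict: bool = True) -> Decision:
    """Decide how to answer the request head in `raw`.

    strict=True  -> unknown hosts get 403 (the answer's recommendation)
    strict=False -> unknown hosts are served by DEFAULT_VHOST (Apache's behaviour)
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return Decision(400, None, "malformed request line")
    _method, target, version = parts

    # Collect Host header values; two of them is ambiguous and is treated as malformed here.
    hosts = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            return Decision(400, None, "malformed header line")
        if name.strip().lower() == "host":
            hosts.append(value)
    if len(hosts) > 1:
        return Decision(400, None, "multiple Host headers")

    # RFC 2616 section 5.2: with an absolute-form Request-URI the host comes from the URI
    # and any Host header is ignored.
    if "://" in target:
        host = urlsplit(target).hostname or ""
    elif hosts:
        host = _normalize_host(hosts[0])
    else:
        host = ""

    if not host:
        if version == "HTTP/1.1":
            # HTTP/1.1 makes Host mandatory, so its absence really is a malformed request.
            return Decision(400, None, "HTTP/1.1 request without Host header")
        # HTTP/1.0 clients need not send Host; the only real option is the default site.
        return Decision(200, DEFAULT_VHOST, "HTTP/1.0 request without Host, served by default vhost")

    if host in VHOSTS:
        return Decision(200, host, "matched virtual host")

    if strict:
        # The request was understood, but it names a site this server does not host.
        return Decision(403, None, f"host {host!r} is not served here")
    return Decision(200, DEFAULT_VHOST, f"host {host!r} unknown, served by default vhost")


if __name__ == "__main__":
    # The request from the question, with and without the strict policy.
    request = b"GET / HTTP/1.1\r\nHost: nothostedhere.com\r\n\r\n"
    print(route(request))
    print(route(request, strict=False))
```

Matching is done on the normalised host only, so a request for `MySite.com:8080` lands on `mysite.com` rather than falling through to the unknown-host branch. If you do choose the default-vhost option, it is worth making that default a dedicated catch-all rather than whichever real site happens to be first in the configuration, since otherwise any hostname a client cares to send is answered with that site's content.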
