Virtual hosting using MacHTTP

Introduction

Virtual hosting is the process of running multiple Web sites off the same server, each with its own domain name, independently of each other. For example, you might host www.spanners.biz and www.fanbelts.co.uk on the same server machine. This saves on the cost, space and maintenance of several machines when you can make do with a single one, saves wasting precious IP addresses unnecessarily, and makes more efficient use of the machine, which could be underutilised running a single site. Of course, that machine needs to be fast enough to support all the sites running off it.

This article explains how virtual hosting works and describes how to set it up on the Macintosh Web server MacHTTP. Under Protecting the root folder, it also shows how this system can give your site some security against would-be hackers, even if you only run one site on the server.

How virtual hosting works

If you have several domain names sharing a single IP address, how does the server know for which site a particular request is intended? As you might already be aware, a basic HTTP request looks like this:

GET /section/page.html HTTP/1.0

This specifies the path on the server to be served, but not which site on the server the path belongs to. On a machine serving a single site, this is perfectly adequate, but on a machine serving multiple sites, the request is ambiguous and cannot be honoured. Thus, HTTP 1.1 introduced a new request header line: Host. If the above request was directed at www.spanners.biz, under HTTP 1.1 it would be modified as follows:

GET /section/page.html HTTP/1.1
Host: www.spanners.biz

The server can now disambiguate the request and serve the file. Despite this feature having been introduced in HTTP 1.1, and the fact that MacHTTP only supports HTTP 1.0, MacHTTP makes use of the Host line in order to support virtual hosting.

Virtual hosting under MacHTTP

Setting up virtual hosts

By default, MacHTTP serves its Web content out of the folder containing the application program; this folder contains the single site hosted on the machine. To add extra sites to the machine, you create a folder for each one within the root folder, and add a HOSTFOLDER line for it to the MacHTTP.config file; you will find a description of these config file lines and some examples at the bottom of the config file. The lines are of the form:

HOSTFOLDER DNS-name host-folder

For example, if your machine was already hosting www.spanners.biz, and you wanted to also serve www.fanbelts.co.uk, you might create a folder called Fanbelts in the root, and add a HOSTFOLDER line to MacHTTP.config thus:

HOSTFOLDER www.fanbelts.co.uk Fanbelts

and restart MacHTTP. After that, requests for www.fanbelts.co.uk would be served out of the Fanbelts folder. However, you could also access www.fanbelts.co.uk with the path www.spanners.biz/Fanbelts/, because Fanbelts is simply a regular folder on the server. Thus, you should move the root site into its own folder, too, giving you in the example situation:

HOSTFOLDER www.spanners.biz Spanners
HOSTFOLDER www.fanbelts.co.uk Fanbelts

The root folder

Once this process is complete, the site root will probably no longer contain any pages; furthermore, it will not normally be accessible to anyone. However, anyone accessing your server just by its IP address, or by any unrecognised DNS name (e.g. ftp.spanners.biz instead of www.spanners.biz) will be directed to the root. What you do with the root is then your own choice. You can leave it empty, and let the server hand back a 404; you could instead place a default page into it with links to the various sites on the machine. If people are used to accessing the machine’s original website by its IP, you could create a catch-all virtual host that directs any requests to an unrecognised DNS name to a specified folder. For example, this line:

HOSTFOLDER * Spanners

placed at the end of the virtual hosts list would cause any unrecognised requests (e.g. simply the machine’s IP address) to be treated as requests for the Spanners site.

error acgi users take note: If you have virtual directory listings enabled for the whole site (i.e. LISTABLE /, which was the default setting before 1.2.4), and you delete the default page from the site root when you move to using virtual hosting, anyone accessing the machine by its IP or by an unrecognised DNS name will be presented with a directory listing for your root folder, which is a potential security risk. Please ensure that you place a default page into the site root to prevent the root from being listed.

Protecting the root folder

An interesting corollary of this system is protection of the site root. Normally, access to all the items in the site root is available to anyone who knows about or can guess their existence, for example the server log, or the MacASP data folder (whose contents can be exposed if error acgi virtual directory listings are left enabled for all directories). This presents something of a security risk, and I have certainly seen people trying to access such files on my Mac. One solution is to create a host folder for the site, and then run the entire site through a catch-all HOSTFOLDER line. For example:

HOSTFOLDER * siteroot

would relocate the entire site to the path /siteroot/, preventing anyone from ever getting to the real root folder. This is because all accesses (including accesses made direct to the IP) would be sent to that folder, bypassing the real root. Because this line is a wildcard for any access, it needs to be placed after those of any other virtual hosts. Note that other virtual hosts on the server are still located in the old root – they do not have to live inside the new root. For example, you might have:

HOSTFOLDER www.spanners.biz Spanners
HOSTFOLDER www.fanbelts.co.uk Fanbelts
HOSTFOLDER * siteroot

This will direct accesses to www.spanners.biz to /Spanners/, accesses to www.fanbelts.co.uk to /Fanbelts/, and everything else to /siteroot/.

Domain name variations

Sometimes, you might want to recognise more than one domain name for a site. For example, you might want to make the ‘www’ part of the domain name optional in case people omit it, and you might also be using two different top-level domains. You would thus need to create extra entries for the site, giving you:

HOSTFOLDER www.spanners.biz Spanners
HOSTFOLDER www.spanners.com Spanners
HOSTFOLDER spanners.com Spanners
HOSTFOLDER spanners.biz Spanners

This would let the server accept either TLD (.com or .biz), with or without the ‘www’ in front of the name, for the Spanners site (previously, with no virtual hosting in use, it didn’t matter what anyone used as there was only one site on the machine). Of course, the above will only work if you have your DNS records set to map all the different variations to your IP address. You can also use wildcards in the entries; for example:

HOSTFOLDER *.fanbelts.co.uk Fanbelts

would accept www.fanbelts.co.uk, mail.fanbelts.co.uk, order.fanbelts.co.uk and so forth for the Fanbelts site. However, it will not accept simply fanbelts.co.uk (without the ‘www’) – this would require a separate line.
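
The matching rules described above (exact names, *.domain wildcards, and a catch-all that must come last) can be checked before restarting the server. The following is an added example, not MacHTTP's own code: it models the behaviour the article describes, and it assumes first-match-wins evaluation in file order, case-insensitive names, and shell-style wildcard matching.

```python
from fnmatch import fnmatchcase

# Constructed config using the article's example hosts and folders.
SAMPLE_CONFIG = """\
HOSTFOLDER www.spanners.biz Spanners
HOSTFOLDER *.fanbelts.co.uk Fanbelts
HOSTFOLDER * siteroot
"""

def parse_hostfolders(config_text):
    """Return (pattern, folder) pairs from HOSTFOLDER lines, in file order."""
    rules = []
    for line in config_text.splitlines():
        fields = line.split(None, 2)
        if len(fields) == 3 and fields[0] == "HOSTFOLDER":
            rules.append((fields[1].lower(), fields[2].strip()))
    return rules

def resolve(rules, host):
    """Folder that serves `host`; None means the real root folder is served."""
    # Assumption: names compare case-insensitively, ignoring port and trailing dot.
    name = (host or "").split(":")[0].rstrip(".").lower()
    for pattern, folder in rules:  # assumption: first matching line wins
        if fnmatchcase(name, pattern):
            return folder
    return None

def lint(rules):
    """Report orderings that expose the root or make host lines unreachable."""
    patterns = [pattern for pattern, _ in rules]
    if "*" not in patterns:
        return ["no catch-all line: the bare IP and unrecognised names reach the real root"]
    shadowed = patterns[patterns.index("*") + 1:]
    if shadowed:
        return ["catch-all is not last; unreachable lines: " + ", ".join(shadowed)]
    return []

if __name__ == "__main__":
    rules = parse_hostfolders(SAMPLE_CONFIG)
    for host in ("www.spanners.biz", "order.fanbelts.co.uk", "fanbelts.co.uk", "192.0.2.10"):
        print(host, "->", resolve(rules, host) or "(real root)")
    print(lint(rules) or "ordering OK")
```

Here fanbelts.co.uk falls through to the catch-all rather than the Fanbelts folder, which is the missing separate line the article warns about.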

Virtual hosting and logging

MacHTTP only uses a single log file for all the different sites hosted on the machine. Each log entry line shows the path on the server containing the requested file; for example, if a visitor requested www.spanners.biz/order.html, the log line would be something like:

02/19/04   05:01:21   OK   pc-15-138.south.cable.ntl.com.   :Spanners:store:order.html   1701

The “:Spanners:” part of the line shows that the request was served from the Spanners folder. Either the user visited www.spanners.biz (or any other virtual host configured to use the Spanners folder, e.g. spanners.biz without the ‘www’), or they accessed the site directly by its IP and used the /Spanners/ path.
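
Because the shared log records the folder each file was served from, it can be used to check whether anything is still being served out of the real root. The following is an added example, not part of MacHTTP: it assumes the whitespace-separated column layout of the sample line above, and every log line after the first is constructed for illustration.

```python
from collections import Counter

# First line is the article's sample entry; the rest are constructed
# (hypothetical clients, file names and sizes).
SAMPLE_LOG = """\
02/19/04   05:01:21   OK   pc-15-138.south.cable.ntl.com.   :Spanners:store:order.html   1701
02/19/04   05:02:10   OK   host-a.example.net.   :Fanbelts:index.html   2210
02/19/04   05:03:44   OK   host-b.example.net.   :server.log   48213
02/19/04   05:04:02   OK   host-b.example.net.   :Data Folder:users.dat   912
"""
HOST_FOLDERS = {"Spanners", "Fanbelts"}  # folders named in the HOSTFOLDER lines

def parse_entry(line):
    """Split one log line into fields; None if it lacks the expected shape."""
    try:
        date, time, status, client, rest = line.split(None, 4)
        path, size = rest.rsplit(None, 1)  # path may contain spaces
        return {"date": date, "time": time, "status": status,
                "client": client.rstrip("."), "path": path, "bytes": int(size)}
    except ValueError:
        return None

def site_of(path, host_folders):
    """Host folder a :Folder:file path was served from, or None for the real root."""
    parts = path.strip(":").split(":")
    if len(parts) > 1 and parts[0] in host_folders:
        return parts[0]
    return None

def audit(log_text, host_folders):
    """Count hits per host folder and collect entries served from outside them."""
    per_site, root_hits = Counter(), []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        site = site_of(entry["path"], host_folders)
        if site is None:
            root_hits.append(entry)  # served from the real root: review these
        else:
            per_site[site] += 1
    return per_site, root_hits

if __name__ == "__main__":
    counts, exposed = audit(SAMPLE_LOG, HOST_FOLDERS)
    print(dict(counts))
    for e in exposed:
        print("root access:", e["client"], e["path"])
```

As the article notes, the log cannot tell a request made to a virtual host apart from one made by IP with the folder in the path, so the per-folder counts include both.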

Daniel Beardsmore, 19th February 2004 (and modified 23rd March 2004).
Comments? Send them to the author.