If one enters <localhost> in the browser URL bar, Apache automatically opens the document
var/www/html/public_html/index.html
If I were to enter <localhost myWebsite/>
will or should Apache automatically open the document var/www/html/myWebsite/public_html/index.html ?
You should define a VirtualHost for each web site you want to run. Each web site needs to have one and only one numeric IP address and port number. Using a separate IP address or separate port number counts as a separate web site. You should get an error if you try to access a server that is not defined in /etc/apache2/sites-available/.conf.
Apache2 will latch on to the port number that you specify in /etc/apache2/ports.conf for every numeric IP address on your computer, all of them. You can scan with nmap to see for yourself. You should use firewall rules to drop connection requests targeting addresses that are not defined to run a web server. localhost is 127.0.0.0/8 which means you have over sixteen million numeric IP addresses in the localhost domain. At least I think Apache2 uses all of the localhost domain. My ftp server does.
Make sure you have a Directory entry in /etc/apache2/apache2.conf for each server that you define that defines the base directory to use for that server along with access rights. Do not use <VirtualHost localhost:80> in /etc/apache2/sites-available/.conf. Use one and only one numeric IP address. localhost is a domain, not just an address. People think localhost is simply 127.0.0.1, but this is not entirely accurate. Think of localhost as a netblock for your own computer, not an address. If you type localhost in your web browser it will ask the kernel what localhost is and your kernel will probably respond with 127.0.0.1, but then this is probably defined this way in /etc/hosts.
Let's say you wanted to block all of the localhost domain to protect Apache2 from connection requests from undefined server access.
If you had a filter table named filter4 and another named filter6 in the input chain you could use:
/usr/sbin/nft add rule ip filter4 input ip daddr 127.0.0.0/8 tcp dport 80 drop
/usr/sbin/nft add rule ip6 filter6 input ip6 daddr ::1 tcp dport 80 drop
This would drop all connection requests for port 80 in the entire IPv4 localhost domain and the IPv6 localhost address. You should also block all of your IPv6 link-local addresses both ways too if you're not using those. You can use:
/usr/sbin/nft add rule ip6 filter6 input ip6 saddr fe80::/64 drop
/usr/sbin/nft add rule ip6 filter6 input ip6 daddr fe80::/64 drop
/usr/sbin/nft add rule ip6 filter6 output ip6 saddr fe80::/64 drop
/usr/sbin/nft add rule ip6 filter6 output ip6 daddr fe80::/64 drop
You should also block the IPv4 address 0.0.0.0 both ways, sending and receiving, unless you use DHCP to protect your computer from unauthorized scanning and unauthorized connections. I participated in the discussion about that in another post on this forum. At least block the ports used by any servers that you run. Any such unauthorized attempts should show up in other_vhosts_access.log which should be in the directory defined as ServerRoot in /etc/apache2/apache2.conf.
A misconfigured server is how many bad guys gain initial access to computers. Proper configuration is crucial to computer and network security. Only enable the web server modules that you need and plan to use. Thoroughly test your server by throwing everything you've got at it to stress test it before exposing it to the web. Ask people that do these things for help in doing so.
Signed,
Matthew Campbell
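The two configuration points in the reply above (one numeric IP address per VirtualHost, and a Directory entry for each server's base directory) can be checked mechanically. The script below is an added example, not part of the original post: it scans Apache configuration text and reports VirtualHost blocks that break either rule. The sample configuration, its addresses and its second and third hosts are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in Apache 2.4 syntax; the addresses and the
# second and third hosts are assumptions made up for this example.
SAMPLE_CONF = """\
<Directory /var/www/html/public_html>
    Require all granted
</Directory>
<VirtualHost 127.0.0.1:80>
    DocumentRoot /var/www/html/public_html
</VirtualHost>
<VirtualHost localhost:80>
    DocumentRoot /var/www/html/myWebsite/public_html
</VirtualHost>
<VirtualHost *:80 127.0.0.2:80>
    DocumentRoot /var/www/html/public_html/docs
</VirtualHost>
"""

def is_numeric(spec):
    """True if spec is one numeric IPv4 or bracketed IPv6 address, optional port."""
    m = re.fullmatch(r"\[(.+)\](?::(?:\d+|\*))?|([^:]+)(?::(?:\d+|\*))?", spec)
    try:
        ipaddress.ip_address((m.group(1) or m.group(2)) if m else spec)
        return True
    except ValueError:
        return False

def audit(conf):
    """Return (vhost address, problem) pairs for one configuration text."""
    findings = []
    # Paths of all <Directory> blocks; "/" is skipped because it would cover everything.
    dirs = [d.rstrip("/") for d in
            re.findall(r'(?im)^\s*<Directory\s+"?([^">]+?)"?\s*>', conf) if d.rstrip("/")]
    for m in re.finditer(r"(?ims)^\s*<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf):
        addr, body = m.group(1).strip(), m.group(2)
        if len(addr.split()) != 1 or not is_numeric(addr):
            findings.append((addr, "address is not a single numeric IP"))
        root = re.search(r'(?im)^\s*DocumentRoot\s+"?([^"\s]+)', body)
        if root:
            path = root.group(1).rstrip("/")
            if not any(path == d or path.startswith(d + "/") for d in dirs):
                findings.append((addr, "no <Directory> entry covers " + path))
    return findings

if __name__ == "__main__":
    for addr, problem in audit(SAMPLE_CONF):
        print(f"<VirtualHost {addr}>: {problem}")
```

To check a real installation, pass `audit()` the concatenated text of apache2.conf and the enabled site files, since a Directory entry may live in a different file from the VirtualHost it serves.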