How to protect multiple VHOSTs with Anubis #104

@powerriegel

We have multiple VHOSTs of the same application (library system Koha) on each server. They use different ServerNames to distinguish them. Everything works if Anubis is enabled for only one VHOST but stops working if more than one VHOST is enabled. Then the domains lead to arbitrary (random?) VHOSTs that should not see this domain.

VHost for Anubis

<VirtualHost IP:443>
   Define instance "no1"
   ServerName no1.example.com

   # SSL stuff

   ErrorLog    /var/log/app/no1/anubis-error.log
   CustomLog   /var/log/app/no1/anubis-access.log vhost_combined

   RequestHeader set "X-Real-Ip" expr=%{REMOTE_ADDR}
   RequestHeader set X-Forwarded-Proto "https"
   ProxyPass / http://localhost:8082/
   ProxyPassReverse / http://localhost:8082/
</VirtualHost>

Vhost for the App

<VirtualHost localhost:80>
   ProxyPreserveHost Off
   ProxyRequests Off
   SSLProxyEngine on
   SSLProxyVerify none
   SSLProxyCheckPeerCN off
   SSLProxyCheckPeerName off
   SSLProxyCheckPeerExpire off


   ServerName no1.example.com

  # app specific
   Define instance "no1"
   SetEnv KOHA_CONF "/etc/app/sites/no1/conf.xml"
   AssignUserID no1-app no1-app


</VirtualHost>

ENV file

BIND=localhost:8082
BIND_NETWORK=tcp
DIFFICULTY=4
POLICY_FNAME=/etc/anubis/botPolicies.yaml
TARGET=http://localhost

I don't know exactly how requests are sent to the application Koha / Plack / Perl itself, but I guess the application-specific lines are responsible for this. The application is quite old but still maintained.

Every time I need to resolve this issue, I need to fully disable all VHOSTs and then re-enable them, and then it's working again, but without Anubis.

I also wonder what to do with the catch-all VHOST, which catches all requests to a wrong domain.

<VirtualHost IP:443>
   ServerName internalservername.example.com
   ServerAlias *.example.com IP
   Redirect 404 /
   ErrorDocument 404 "Page Not Found"
   # DocumentRoot /var/www/html

...
# SSL Stuff
</VirtualHost>

If this is enabled, Anubis will lead to "Page not found" even if the servername in the catch-all VHOST is not used.

And what to do with the redirect port 80 to port 443 VHOST?
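
Added example, not part of the original issue and not Anubis project code: a small model of Apache's name-based vhost selection, showing which backend vhost on `localhost:80` a request reaches depending on the Host header that survives the proxy hop configured above. The second instance `no2`, the helper names, and the premise that Anubis forwards the Host header unchanged are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed model of the backend vhosts on localhost:80, in config load
# order. "no2" is a hypothetical second instance; the page shows only no1.
BACKEND_VHOSTS = [
    {"name": "no1", "server_name": "no1.example.com", "aliases": []},
    {"name": "no2", "server_name": "no2.example.com", "aliases": []},
]

def host_sent_by_mod_proxy(client_host, proxypass_url, preserve_host):
    """Host header mod_proxy sends upstream for a ProxyPass rule.

    With ProxyPreserveHost Off (the default) it is the host[:port] taken from
    the ProxyPass URL; with On it is the client's original Host header.
    """
    if preserve_host:
        return client_host
    return proxypass_url.split("://", 1)[1].split("/", 1)[0]

def select_vhost(host_header, vhosts):
    """Name-based selection among vhosts sharing one address:port.

    The first vhost whose ServerName or ServerAlias matches wins; when none
    matches, Apache falls back to the first vhost defined for that address.
    """
    hostname = host_header.rsplit(":", 1)[0].lower()
    for vh in vhosts:
        names = [vh["server_name"]] + vh["aliases"]
        if any(fnmatchcase(hostname, n.lower()) for n in names):
            return vh["name"]
    return vhosts[0]["name"]

def backend_for(client_host, preserve_host):
    # Assumption: Anubis forwards the Host header it received unchanged.
    host = host_sent_by_mod_proxy(client_host, "http://localhost:8082/",
                                  preserve_host)
    return select_vhost(host, BACKEND_VHOSTS)

if __name__ == "__main__":
    for client in ("no1.example.com", "no2.example.com"):
        for preserve in (False, True):
            print(client, "ProxyPreserveHost", "On" if preserve else "Off",
                  "->", backend_for(client, preserve))
```

On a live server, `apachectl -S` prints the actual vhost order and the default vhost for each address:port, which is the order this model takes as input.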
