How to Configure Apache Default VirtualHost to Return 404 Status for Unmatched Domains



When setting up multiple VirtualHost entries in Apache, you might notice that the server defaults to serving the first defined virtual host when receiving requests for undefined domains. This isn't ideal for production environments where you want to explicitly block access to unspecified domains.

The most effective approach is to create a dedicated default VirtualHost that returns 404 status for all unmatched domains. Here's how to implement it:


<VirtualHost _default_:80>
    ServerName default.invalid
    <Location />
        Require all denied
    </Location>
    ErrorDocument 403 "404 Not Found"
    RewriteEngine On
    RewriteRule .* - [R=404,L]
</VirtualHost>

Let's examine each part of this configuration:


# Catch-all for port 80
<VirtualHost _default_:80>
    # Dummy server name that won't match real requests
    ServerName default.invalid
    
    # Deny access to all paths
    <Location />
        Require all denied
    </Location>
    
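    # Replace the 403 response body with 404 text (the status code itself stays 403)
    ErrorDocument 403 "404 Not Found"
    
    # mod_rewrite returns a real 404 status; in virtual-host context it runs
    # before the access check above
    RewriteEngine On
    RewriteRule .* - [R=404,L]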
</VirtualHost>

For systems without mod_rewrite, you can use:


<VirtualHost *:80>
    ServerName catchall
    Redirect 404 /
</VirtualHost>

When implementing this solution:

  • Place this default VirtualHost first in your configuration
  • Ensure your legitimate VirtualHosts have explicit ServerName and ServerAlias directives
  • Test with various Host headers to verify behavior
  • Consider implementing a similar configuration for port 443 if using HTTPS

Verify the setup using curl:


curl -I -H "Host: nonexistent.domain" http://your.server.ip

The response should begin with:


HTTP/1.1 404 Not Found
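
The ordering rule above (the catch-all must be the first VirtualHost defined) can also be checked statically before a reload. The following is an added example, not part of the original article: a small lint that reads configuration text and reports every address:port whose first-defined VirtualHost does not force a 404. The function names and the sample config are constructed; it assumes Apache 2.4 semantics, treats each literal address:port string separately, and does not follow Include directives.

```python
import re

# Constructed sample (not from the page): the catch-all is defined second,
# so www.example.com would answer requests with unmatched Host headers.
SAMPLE = """\
<VirtualHost *:80>
    ServerName www.example.com
</VirtualHost>
<VirtualHost *:80>
    ServerName invalid
    Redirect 404 /
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
# The two 404 forms the page uses: "Redirect 404 /" and RewriteRule ... [R=404,...]
RETURNS_404 = re.compile(r"(Redirect\s+404\s+/|RewriteRule\s.*\[[^\]]*\bR=404\b)", re.I)

def parse_vhosts(conf):
    """Vhosts in definition order. Assumes Apache 2.4, where _default_ aliases *."""
    vhosts, cur = [], None
    for line in (raw.strip() for raw in conf.splitlines()):
        opened = VHOST_OPEN.match(line)
        if opened:
            addrs = [a.replace("_default_", "*") for a in opened.group(1).split()]
            cur = {"addrs": addrs, "name": None, "is_catchall": False}
        elif cur is None or not line or line.startswith("#"):
            continue
        elif line.lower().startswith("</virtualhost"):
            vhosts.append(cur)
            cur = None
        else:
            parts = line.split()
            if parts[0].lower() == "servername" and len(parts) > 1:
                cur["name"] = parts[1]
            if RETURNS_404.match(line):
                cur["is_catchall"] = True
    return vhosts

def misordered(conf):
    """Address:port values whose first-defined (default) vhost does not force a 404."""
    first = {}
    for vh in parse_vhosts(conf):
        for addr in vh["addrs"]:
            first.setdefault(addr, vh)  # first definition wins, as in Apache
    return sorted(a for a, vh in first.items() if not vh["is_catchall"])

if __name__ == "__main__":
    print(misordered(SAMPLE))
```

An empty result means every listener falls back to a 404 catch-all; the curl test with an unknown Host header remains the check against the running server.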

When setting up multiple VirtualHost configurations in Apache, there's often a need to handle requests that don't match any defined hostnames. By default, Apache serves the first VirtualHost it loaded for that address and port when no matching host is found (with a wildcard Include, files are read in alphabetical order), which can lead to security issues or unintended content being served.

The most secure approach is to configure the default VirtualHost to return a 404 status:


<VirtualHost *:80>
    ServerName default
    DocumentRoot /dev/null/
    <Location />
        Require all denied
    </Location>
    RewriteEngine On
    RewriteRule ^ - [R=404,L]
</VirtualHost>

For different scenarios, consider these variations:

# Option 1: Using ErrorDocument
<VirtualHost *:80>
    ServerName catch-all
    DocumentRoot /var/www/nonexistent
    ErrorDocument 404 "Host not found"
</VirtualHost>

# Option 2: With mod_alias
<VirtualHost *:80>
    ServerName invalid
    Redirect 404 /
</VirtualHost>

  • Place this default VirtualHost configuration first in your configuration files
  • On Apache 2.2, make sure you have NameVirtualHost *:80 (or the appropriate port) declared; Apache 2.4 no longer needs the directive
  • Test with curl -I http://yourserver to verify the 404 response

Here's how this might look in a production environment with multiple hosts:

NameVirtualHost *:80

# Default catch-all (must be first)
<VirtualHost *:80>
    ServerName invalid
    RewriteEngine On
    RewriteRule ^ - [R=404,L]
</VirtualHost>

# Regular virtual hosts
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/example
    # ... other configuration ...
</VirtualHost>

<VirtualHost *:80>
    ServerName api.example.com
    DocumentRoot /var/www/api
    # ... other configuration ...
</VirtualHost>