What's the rationale behind the online ban on empty headers in Apache?

Today a domain name was maliciously pointed at my server. I checked and found that it was redirected by 301. I looked online and found that disabling the empty host header can be used to prevent malicious domain name resolution. Add the following to httpd-vhost.conf:

NameVirtualHost *
<VirtualHost *:80>
DocumentRoot "E:/error"
ServerName abc.com
</VirtualHost>

This method did solve my problem, but I don’t quite understand the principle here....

天蓬老师 · 2712 days ago · 715

  • 滿天的星座 2017-05-16 17:01:57

    I know nginx is set up like this, and the principle of Apache should be similar:

    server
    {
        listen 80 default; 
        server_name _; 
        return 444; 
    } 

    If nginx does not find a matching domain name in any server{} block, as happens when a domain is maliciously pointed at the server, the default server_name _ is used and it directly returns the custom status code 444, that is, it actively closes the request. 499 can also be used. This is another custom status code of nginx, which means that the client could not wait for the server to respond and actively closed the connection.

  • ringa_lee 2017-05-16 17:01:57

    Just add a virtual host and respond to all access to abc.com with the contents of the E:/error folder.

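The principle asked about is Apache's name-based virtual host selection: a request whose Host header matches no ServerName or ServerAlias (or carries no Host at all) is served by the first virtual host listed for that address. The following is an added example, not code from the posts above; it is a simplified model of that rule for a single `*:80` address set, and `www.example.com` and `E:/www/site` are assumed names for a real site.

```python
import fnmatch
import re

# Constructed sample: the question's catch-all block listed first, then a
# hypothetical real site (www.example.com and E:/www/site are assumptions).
SAMPLE_CONF = """
<VirtualHost *:80>
    DocumentRoot "E:/error"
    ServerName abc.com
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "E:/www/site"
    ServerName www.example.com
    ServerAlias example.com *.example.com
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return the <VirtualHost> blocks, in file order, as dicts."""
    vhosts = []
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        vh = {"names": [], "docroot": None}
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            key = parts[0].lower()
            if key in ("servername", "serveralias"):
                vh["names"] += [n.lower() for n in parts[1:]]
            elif key == "documentroot":
                vh["docroot"] = parts[1].strip('"')
        vhosts.append(vh)
    return vhosts

def select_vhost(vhosts, host_header):
    """Simplified name-based selection for one address set (*:80)."""
    host = (host_header or "").split(":")[0].lower().rstrip(".")
    for vh in vhosts:
        if host and any(fnmatch.fnmatchcase(host, n) for n in vh["names"]):
            return vh
    return vhosts[0]  # no match or empty Host: first listed vhost is the default

def served_docroot(host_header, conf=SAMPLE_CONF):
    return select_vhost(parse_vhosts(conf), host_header)["docroot"]

if __name__ == "__main__":
    for h in ["www.example.com", "shop.example.com:80", "evil.test", "", "abc.com"]:
        print(repr(h), "->", served_docroot(h))
```

If the two blocks are listed in the opposite order, the same unmatched Host header is served from the real site's DocumentRoot, which is the situation the dummy first virtual host prevents.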