My linode IP address points to the default Apache index.html file (/var/www/index.html). How can I make it not do this? Is there a more secure way of going about this so that my IP address doesn't point to anything?

Also, I'm hosting my website in /srv/www. But I've noticed other computers that have hosted theirs in /var/www. Which is preferred? Does it matter?

What do you want "nothing" to be? To access a web page, a client makes a TCP connection to your IP address and makes an HTTP request, which includes a header like "Host: www.example.com" to tell the server which website it wants*. You can't make the web server reject the connection when someone goes to http://192.0.2.4/, since it accepts the connection before it even finds out if they wanted http://192.0.2.4/ or http://www.example.com/ or whatever else.

It's technically feasible to make the server drop the connection as soon as it sees an unwanted Host header, though I don't know if Apache has a feature for it, or how easy it is to use. I wouldn't do it, though. It doesn't achieve anything except being confusing (and saving you a trivial amount of CPU).

The only other option is some sort of HTTP response, and Apache's default index.html seems like as good a response as any.

Although, now that I think of it, an HTTP redirect to your primary website might be nice too.

What security issue do you think this addresses, anyway? If you want to hide what web server you're using, well, more than 50% of web servers are Apache, so hiding that is pretty pointless. You can try to disguise the version by using some page other than the default index.html -- say, a simple "Hello World", or the index.html from 10 years ago -- but that's probably unnecessary, and it's probably possible to identify the server in some other way anyway.

* Older clients might not include any Host header, in which case they'll always get the default website (i.e., no support for virtual hosting). Bothering to support them these days isn't worth it, though.**

** This is a technical quibble, but I believe HTTP/1.1 also supports a slightly different mechanism of specifying the host -- using "GET http://www.example.com/foo.php HTTP/1.1" instead of the pair of headers "GET /foo.php HTTP/1.1" and "Host: www.example.com". But since they're completely equivalent, that's neither here nor there, and phrasing it as "Host header" was easier.


I'd go with whatever your distro/web server picked by default. It doesn't matter, so I'd rather not risk angering some weird piece of software that cares for some stupid reason.

_________________
Matt Nordhoff (aka Peng on IRC)