In my Apache configuration, I want to allow only Host header based vhosts. That is, I'd like to block any traffic by IP address only. I have mod_security2 installed, but I am only using the default rule set. Is mod_security2 the best place to configure this, and if so, how?
Apache 2.4.7, Ubuntu 14.04, PHP 5.5.9
I would suggest you to read my answer of the question I need rules to drop some malicious Apache, where is explained how to download and configure OWASP ModSecurity Core Rule Set 3.x.
However, here is simple example of the rule that you are asking for:
# Deny requests without a host header
#
SecRule &REQUEST_HEADERS:Host "@eq 0" \
"id:160, phase:2, log, drop, deny, status:403, \
tag:'requests-without-host-header'"
The most important thing in the above rule is the parameter phase:2, thus the access will be denied before the response, but you will be able to white-list the rule at certain circumstances (if you need that) on phase:1. You can use nolog, also the final result of drop, deny and status:403 is almost identical and you can decide to leave only one of these three arguments.
Checkout rule id:160 in my repository pa4080/www-security-assistant for more complex example. Also you may want to read the section Missing/Empty Host Header in REQUEST-920-PROTOCOL-ENFORCEMENT from SpiderLabs/owasp-modsecurity-crs 3.x.
Add this to your <Directories> chapters in your httpd.conf wherever you want it to apply (e.g. the /var/www and /var/www/html chapters on the default config)
<RequireAll>
Require expr ( -n %{HTTP_HOST} && %{HTTP_HOST} != "1.2.3.4" )
</RequireAll>
-n matches "not empty" and the rest matches a Host: header not equal to your server's IP. You might need to repeat the second half with your public and internal IP, depending on your web routing setup.
