From Brian Behlendorf <>
Subject Re: hostname lookups
Date Tue, 01 Jul 1997 03:50:33 GMT

At 07:07 PM 6/30/97 -0700, Roy T. Fielding wrote:
>>But this is sounding close to a feature.  I'd like to keep HostnameLookups
>>off for 1.2.1 release and maybe beef up the docs in CHANGES and the docs
>>in the examples a bit more...
>Feature or not, I'd expect to see it in before any change to the default
>is released.  I should not have to search through our department's 900
>potential user directories and their subdirectories for any existing
>files that might depend on HostnameLookups being on by default.  The fix
>makes sense, even for sites that already turn off HostnameLookups.


There are other ways where changing the default can bite people in the ass,
though; such as the myriad of cgi/xssi/php/etc programs that may rely upon
REMOTE_HOST being there by default.  Perhaps not a security problem, but
definitely a count against 1.2.1 being a drop-in replacement requiring no
configuration changes.  Were it to be made it'd have to be noted very
strongly; and if that's the case we might as well just note strongly that
we recommend turning HostnameLookups off.  So what about this:

1.2.1: srm.conf contains a "HostnameLookups off" directive by default, with
       a note saying it's a Good Idea Dammit.  Also list it in the various
       performance tuning pages.
1.3:   Default HostnameLookups to off, force lookups when used for auth.

I'm curious as to why people thought it made sense for 1.2.1 in the first
place - it's certainly not a bug, and not /really/ a performance enhancement.


"Why not?" - TL       - -
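
Added example, not part of the original message and not Apache code: a CGI-side helper that keeps working when `HostnameLookups off` leaves REMOTE_HOST unset, and that only trusts a hostname for an access decision after confirming it. The names `client_host`, `reverse_lookup` and `forward_lookup` are hypothetical, and the forward-confirmation step goes beyond what the message states; it is an assumption about how a lookup "used for auth" should be checked.

```python
import socket

def reverse_lookup(addr):
    """PTR lookup for an address; returns a hostname or None."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None

def forward_lookup(name):
    """Forward lookup for a name; returns the set of its addresses."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def client_host(environ, reverse=reverse_lookup, forward=forward_lookup,
                for_auth=False):
    """Return the client identity a CGI program should use.

    for_auth=False: logging/display. Use REMOTE_HOST when the server set it,
    otherwise fall back to REMOTE_ADDR without doing any DNS work.
    for_auth=True: access decision. Resolve the name if the server did not,
    then accept it only if it maps back to REMOTE_ADDR; otherwise return
    the bare address so hostname-based rules cannot match.
    """
    addr = environ.get("REMOTE_ADDR", "")
    host = environ.get("REMOTE_HOST") or None
    if not for_auth:
        return host or addr
    name = host or (reverse(addr) if addr else None)
    if name and addr in forward(name):
        return name.lower().rstrip(".")
    return addr

if __name__ == "__main__":
    # Constructed environment: what a CGI sees with HostnameLookups off.
    env = {"REMOTE_ADDR": "192.0.2.10"}
    print(client_host(env))  # no DNS query is made on this path
```

The resolver functions are parameters so the logic can be exercised offline with stub lookups.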

