httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <>
Subject Re: [Announcement]: Apache 1.3beta2 Released (fwd)
Date Sun, 19 Oct 1997 00:59:30 GMT
On Sat, 18 Oct 1997, Brian Behlendorf wrote:

> >I am wondering when/if apache will have a compile time option to use  
> >/etc/hosts.(allow|deny) on the fly....
> >
> >I know it can be done out of /etc/inetd.conf, but that is inefficient (so  
> >the docs say).

You really don't want to use inetd mode.

> >
> >It would be a very nice option.
> Agreed - it would probably be pretty easy to do, too.  Use mod_access as a
> base, and figure out how often you'll want to open /etc/hosts (once at
> startup/restart, every hit? etc.).  Sounds like a great first Apache
> programming project!

The tcpd model allows for an easy hack of adding checks when the
connection is first received that call the libwrap function to check if
access should be allowed, and if not abort the connection right there.
This is a very raw access control, since tcpd doesn't really allow for
anything better.

Below is the start of a hacked change to do this that I was playing around
in mid 1.2 beta.  It isn't complete and doesn't fit into the current
sources (or even 1.2 sources) very well, but shows the concept.

The biggest thing that has to be done (aside from cleaning it up)
is to do the stuff required so that you pass the hostname to hosts_ctl
and save it in Apache so the lookup doesn't have to be done twice.

Index: http_main.c
RCS file: /home/marcs/archive/apache/cvs/apache/src/http_main.c,v
retrieving revision 1.101
diff -u -r1.101 http_main.c
--- http_main.c	1997/01/01 18:10:20	1.101
+++ http_main.c	1997/01/07 06:52:26
@@ -121,6 +121,11 @@
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity = LOG_INFO;
+int deny_severity = LOG_WARNING;
@@ -1607,12 +1612,27 @@
 		    log_unixerr("accept",NULL,"socket error: accept failed", server_conf);
 	accept_mutex_off(); /* unlock after "accept" */
 	clen = sizeof(sa_server);
 	if(getsockname(csd, &sa_server, &clen) < 0) {
 	    log_unixerr("getsockname", NULL, NULL, server_conf);
+	}
+	{
+	struct sockaddr_in *client = &sa_client;
+	log_printf(server_conf, "trying access for %s.\n", inet_ntoa(client->sin_addr));
+	if (!(hosts_ctl("apache", STRING_UNKNOWN, inet_ntoa(client->sin_addr), STRING_UNKNOWN))){
+		log_printf(server_conf, "denying access for client");
+		shutdown(csd, 2);
+		close (csd);
+		csd = -1;
+		continue;
+	}

View raw message