Delivered-To: new-httpd-archive@hyperreal.org
Date: Sat, 18 Oct 1997 18:59:30 -0600 (MDT)
From: Marc Slemko
To: new-httpd@apache.org
cc: Timothy J Luoma
Subject: Re: [Announcement]: Apache 1.3beta2 Released (fwd)
In-Reply-To: <3.0.3.32.19971018175036.00933ab0@localhost>
Sender: new-httpd-owner@apache.org
Reply-To: new-httpd@apache.org

On Sat, 18 Oct 1997, Brian Behlendorf wrote:

> >I am wondering when/if apache will have a compile time option to use
> >/etc/hosts.(allow|deny) on the fly....
> >
> >I know it can be done out of /etc/inetd.conf, but that is inefficient (so
> >the docs say). You really don't want to use inetd mode.
> >
> >It would be a very nice option.
>
> Agreed - it would probably be pretty easy to do, too. Use mod_access as a
> base, and figure out how often you'll want to open /etc/hosts (once at
> startup/restart, every hit? etc.). Sounds like a great first Apache
> programming project!

The tcpd model allows for an easy hack of adding checks when the connection
is first received that call the libwrap function to check if access should be
allowed, and if not abort the connection right there. This is a very raw
access control, since tcpd doesn't really allow for anything better.

Below is the start of a hacked change to do this that I was playing around
with in mid 1.2 beta. It isn't complete and doesn't fit into the current
sources (or even 1.2 sources) very well, but shows the concept. The biggest
thing that has to be done (aside from cleaning it up) is to do the stuff
required so that you pass the hostname to hosts_ctl and save it in Apache so
the lookup doesn't have to be done twice.

Index: http_main.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/http_main.c,v
retrieving revision 1.101
diff -u -r1.101 http_main.c
--- http_main.c 1997/01/01 18:10:20 1.101
+++ http_main.c 1997/01/07 06:52:26
@@ -121,6 +121,11 @@ #endif #endif +#include +#include +int allow_severity = LOG_INFO; +int deny_severity = LOG_WARNING; + DEF_Explain @@ -1607,12 +1612,27 @@ log_unixerr("accept",NULL,"socket error: accept failed", server_conf); } + accept_mutex_off(); /* unlock after "accept" */ clen = sizeof(sa_server); if(getsockname(csd, &sa_server, &clen) < 0) { log_unixerr("getsockname", NULL, NULL, server_conf); continue; + } + + { + struct sockaddr_in *client = &sa_client; + log_printf(server_conf, "trying access for %s.\n", inet_ntoa(client->sin_addr)); + if (!(hosts_ctl("apache", STRING_UNKNOWN, inet_ntoa(client->sin_addr), STRING_UNKNOWN))){ + log_printf(server_conf, "denying access for client"); + shutdown(csd, 2); + close (csd); + csd = -1; + continue; + } } sock_disable_nagle(csd);
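Review bot: the first hunk (the new #include lines and the allow_severity/deny_severity globals) is unconditional, so every build of http_main.c would require the tcp_wrappers headers, and the patch shows no Configure or Makefile change that adds the library to the link step. Since the request was for a compile-time option, wrap these lines and the hosts_ctl block in an #ifdef that Configure sets, and add a comment that allow_severity and deny_severity are the two symbols libwrap expects the calling program to define, which is why they must be non-static globals here.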
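Review bot: in the second hunk the denial path logs "denying access for client" without the address, while the "trying access for %s" line is written to the error log for every accepted connection. Drop the per-connection trace (or guard it behind debugging) and move inet_ntoa(client->sin_addr) into the denial message, since the refusal is the event an administrator needs to attribute; the two log_printf calls also disagree on whether the format ends in "\n". Separately, `struct sockaddr_in *client = &sa_client;` needs a cast if sa_client is a generic struct sockaddr, as sa_server appears to be (it is handed to getsockname as a plain &sa_server); and passing STRING_UNKNOWN for the client host means hostname patterns in hosts.allow/hosts.deny can never match, which is the follow-up work the message already names.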
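The decision the patch delegates to hosts_ctl, shown as an added stand-alone C example that is not libwrap and not part of the patch above: a simplified matcher for the "daemon_list : client_list" form of /etc/hosts.allow and /etc/hosts.deny, evaluated in tcp_wrappers order (an allow hit grants, else a deny hit refuses, else access is granted). Only "ALL", plain addresses and net/mask patterns are supported; hostnames, EXCEPT and shell commands are left out, and the tables and addresses are constructed.

```c
#include <string.h>
#include <arpa/inet.h>

/* Constructed sample tables in hosts.allow / hosts.deny form.  Simplified
   stand-in for libwrap: no hostnames, no EXCEPT, no shell commands. */
static const char *hosts_allow[] = { "apache : 10.0.0.0/255.255.255.0 127.0.0.1",
                                     "ALL : 192.168.1.7", NULL };
static const char *hosts_deny[]  = { "apache : ALL", NULL };

/* Does one client pattern ("ALL", "a.b.c.d" or "net/mask") cover addr? */
static int client_match(const char *pat, struct in_addr addr)
{
    char buf[64], *slash;
    struct in_addr net, mask;
    if (strcmp(pat, "ALL") == 0) return 1;
    if (strlen(pat) >= sizeof buf) return 0;
    strcpy(buf, pat);
    if ((slash = strchr(buf, '/')) == NULL)   /* plain address: exact match */
        return inet_pton(AF_INET, buf, &net) == 1 && net.s_addr == addr.s_addr;
    *slash = '\0';                            /* net/mask: masked compare */
    if (inet_pton(AF_INET, buf, &net) != 1 || inet_pton(AF_INET, slash + 1, &mask) != 1)
        return 0;
    return (addr.s_addr & mask.s_addr) == (net.s_addr & mask.s_addr);
}

/* 1 if some line in table names daemon (or ALL) and lists a pattern covering addr. */
static int table_match(const char **table, const char *daemon, struct in_addr addr)
{
    char line[128], *tok, *sep;
    int daemon_ok;
    for (; *table; table++) {
        strncpy(line, *table, sizeof line - 1);
        line[sizeof line - 1] = '\0';
        if ((sep = strchr(line, ':')) == NULL) continue;
        *sep = '\0';                          /* split daemon list / client list */
        daemon_ok = 0;
        for (tok = strtok(line, " ,\t"); tok; tok = strtok(NULL, " ,\t"))
            if (strcmp(tok, "ALL") == 0 || strcmp(tok, daemon) == 0) daemon_ok = 1;
        for (tok = strtok(sep + 1, " ,\t"); daemon_ok && tok; tok = strtok(NULL, " ,\t"))
            if (client_match(tok, addr)) return 1;
    }
    return 0;
}

/* tcp_wrappers order: a hosts.allow hit grants, else a hosts.deny hit refuses,
   else access is granted.  Returns 1 to accept the connection, 0 to drop it. */
int wrap_check(const char *daemon, const char *client_ip)
{
    struct in_addr addr;
    if (inet_pton(AF_INET, client_ip, &addr) != 1) return 0;   /* unparsable: refuse */
    if (table_match(hosts_allow, daemon, addr)) return 1;
    return table_match(hosts_deny, daemon, addr) ? 0 : 1;
}
```

In the accept loop this is the point where the patch calls hosts_ctl: a 0 result is the cue to shutdown() and close() the socket before any request bytes are read.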