httpd-dev mailing list archives

From Fabien <fab...@apache.org>
Subject Re: access control for dynamic hosts
Date Thu, 14 Jan 2016 08:38:25 GMT

Hello Apache devs,

Would anyone have an opinion, please?

Although I can just commit the proposed changes, a formal go would be 
nice.

On Sun, 20 Dec 2015, Fabien wrote:

> Date: Sun, 20 Dec 2015 09:44:55 +0100 (CET)
> From: Fabien <fabien@apache.org>
> Reply-To: dev@httpd.apache.org
> To: APACHE development mailing list <dev@httpd.apache.org>
> Subject: access control for dynamic hosts
> 
>
> Hello folks,
>
> I have a simple access control use case for which I have not found a clean 
> solution.
>
> I want to control access to a service based on the name of the client, 
> however the client is a dynamic host, which implies that:
>
> (1) I do not have any control over the reverse DNS
>     => this rules out "Require host"
>
> (2) the IP may change arbitrarily
>     => this rules out "Require ip"
>
> By browsing around it seems that I'm not alone having this issue, and I have 
> not found any solution for that with apache configuration, nor a matching 
> module in "modules.apache.org" listing.
>
> The current workaround is to update the IP manually when it fails. Although I 
> could automate (say query the ip periodically and update & reload the conf if 
> there is a change), ISTM that it really belongs to apache configuration.
>
> I would like something like "Require XXX foo.dynamic-dns.somewhere" (where 
> XXX could be "name", "hostname", "dynamic", ...) which would query the NS 
> when the HTTP request is received and check that the corresponding ip is the 
> client IP.
>
> I'm planning to develop a small module for that, and as it is somehow quite a 
> basic service it could be a candidate for being added to 
> "modules/aaa/mod_authz_host.c".
>
> Another approach could be to extend apache expressions with a function
> to query the DNS, but that seems a little overkill.
>
> Any thoughts?
>
>

-- 
Fabien.
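
The check proposed in the message above (resolve the configured name when the request arrives and compare the answers with the client IP), sketched here as an added example in plain C. It is not code from the original post or from mod_authz_host; `forward_dns_allows`, `to_v6_bytes` and `name_flags` are hypothetical names, and `getaddrinfo()` stands in for whatever resolver API a module would use.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L /* getaddrinfo() under strict -std= modes */
#endif
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Normalise to 16 bytes (IPv4 becomes IPv4-mapped IPv6) so that 192.0.2.10
 * and ::ffff:192.0.2.10 compare equal. Returns 0 on success, -1 otherwise. */
static int to_v6_bytes(const struct sockaddr *sa, unsigned char out[16])
{
    static const unsigned char mapped[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    if (sa->sa_family == AF_INET6) {
        memcpy(out, &((const struct sockaddr_in6 *)sa)->sin6_addr, 16);
        return 0;
    }
    if (sa->sa_family != AF_INET) return -1;
    memcpy(out, mapped, 12);
    memcpy(out + 12, &((const struct sockaddr_in *)sa)->sin_addr, 4);
    return 0;
}

/* Hypothetical check: resolve `name` forward only; allow if the client IP is in
 * the answer, deny on any resolver error. name_flags: 0 = real DNS query. */
int forward_dns_allows(const char *name, const char *client_ip, int name_flags)
{
    struct addrinfo hints, *res = NULL, *cli = NULL, *ai;
    unsigned char c[16], r[16];
    int ok = 0;
    memset(&hints, 0, sizeof hints);
    hints.ai_socktype = SOCK_STREAM;  /* one entry per address */
    hints.ai_flags = AI_NUMERICHOST;  /* parse the client IP, never look it up */
    if (getaddrinfo(client_ip, NULL, &hints, &cli) != 0) return 0;
    hints.ai_flags = name_flags;
    if (to_v6_bytes(cli->ai_addr, c) == 0 &&
        getaddrinfo(name, NULL, &hints, &res) == 0) {
        for (ai = res; ai != NULL && !ok; ai = ai->ai_next) /* every A/AAAA record */
            ok = to_v6_bytes(ai->ai_addr, r) == 0 && memcmp(c, r, 16) == 0;
        freeaddrinfo(res);
    }
    freeaddrinfo(cli);
    return ok;
}

int main(void)
{   /* Constructed sample: address literals stand in for the DNS answer. */
    return forward_dns_allows("192.0.2.10", "::ffff:192.0.2.10", AI_NUMERICHOST) ? 0 : 1;
}
```

With `name_flags` set to 0 the name is resolved through the system resolver on every call, so the decision is only as trustworthy as the DNS record and the resolution path, and each request pays the lookup latency unless a local cache answers it.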
