From: fabien@apache.org
To: APACHE development mailing list
Date: Tue, 1 Mar 2016 13:44:54 +0100 (CET)
Subject: Re: access control for dynamic hosts
In-Reply-To: <56D417E2.3030408@thelounge.net>

>> This feature makes sense because it makes it possible to allow a full
>> domain, say "apache.org": any host whose inverse DNS resolves to the
>> domain can then be allowed.
>>
>> But this also means that if the reverse DNS is not controlled, say with
>> dynamic DNS and a moving IP, IP control does not work, hence my
>> proposal for a lesser version which just checks that a client IP is
>> allowed just by resolving a name.
>
> that is unsafe
> it takes me exactly 5 seconds to add a PTR "myserver.apache.org" to one of
> our public ip-addresses if i would like to and nobody can do anything against
> it except check if the A record matches because that can only be controlled by
> the domain owner

Indeed, but then "host" also checks that forward resolution works, that is,
"myserver.apache.org" must *also* point back to the same IP.

> the same for anybody else who has a /24 or bigger network and the reverse dns
> delegated to his own nameservers - i would not do such things, others would
> and so it's nothing to hand authentication on it

Sure, the second (forward) check verifies that all is well.

The feature I'm proposing is not related to that. I'm suggesting having a way
to specify host names *only* which are checked forward *only*.
  Require xxx foo.apache.org  # allows the IP of "foo.apache.org", just by resolving the name

For use with dyndns services.

-- 
Fabien.
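The three checks discussed in this thread, side by side, as an added example that is not httpd code and not part of the original message: reverse-only (trusting the PTR record), double-reverse (what httpd's `Require host` documentation describes: the PTR name must also resolve forward to the client address), and the forward-only check proposed above (resolve the configured name, compare with the client address, never consult the PTR). The resolver is a constructed in-memory stand-in so the block runs offline; the function names, the zone data and the documentation-range addresses are all assumptions made for this illustration. The data models the PTR-spoofing scenario from the quoted reply (an attacker publishing "myserver.apache.org" in their own reverse zone) and a dyndns host whose PTR belongs to its ISP.

```python
"""Host-name based access checks with constructed DNS data (example code, not httpd's)."""
import ipaddress


def canon_ip(ip: str) -> str:
    """Normalise an address string so textual variants compare equal."""
    return str(ipaddress.ip_address(ip))


def canon_name(name: str) -> str:
    return name.lower().strip().rstrip(".")


class FakeDNS:
    """Constructed stand-in for a resolver: forward (A/AAAA) and reverse (PTR) data."""

    def __init__(self, forward: dict, reverse: dict):
        self.forward = {canon_name(n): {canon_ip(a) for a in addrs} for n, addrs in forward.items()}
        self.reverse = {canon_ip(ip): [canon_name(n) for n in names] for ip, names in reverse.items()}

    def resolve(self, name: str) -> set:
        return set(self.forward.get(canon_name(name), set()))

    def ptr(self, ip: str) -> list:
        return list(self.reverse.get(canon_ip(ip), []))


def host_matches(candidate: str, required: str) -> bool:
    """Require host semantics: equal, or ends with the required name at a label boundary
    (foo.apache.org matches apache.org, fooapache.org does not)."""
    c, r = canon_name(candidate), canon_name(required).lstrip(".")
    return c == r or c.endswith("." + r)


def reverse_only_allows(dns: FakeDNS, client_ip: str, required: str) -> bool:
    """Unsafe variant: trust whatever PTR the address owner publishes."""
    return any(host_matches(n, required) for n in dns.ptr(client_ip))


def double_reverse_allows(dns: FakeDNS, client_ip: str, required: str) -> bool:
    """What Require host does: the PTR name must also resolve forward to the client IP."""
    ip = canon_ip(client_ip)
    return any(host_matches(n, required) and ip in dns.resolve(n) for n in dns.ptr(ip))


def forward_only_allows(dns: FakeDNS, client_ip: str, required_name: str) -> bool:
    """Proposed variant: resolve the configured name and compare; the PTR is never consulted."""
    return canon_ip(client_ip) in dns.resolve(required_name)


# Constructed zone data: documentation-range addresses, invented names.
ZONE = FakeDNS(
    forward={
        "foo.apache.org": {"198.51.100.10"},      # legitimate host, PTR agrees
        "home.dyndns.example": {"192.0.2.55"},    # dyndns host; the ISP owns its PTR
        # "myserver.apache.org" has no forward record: only the apache.org owner could add one
    },
    reverse={
        "198.51.100.10": ["foo.apache.org"],
        "192.0.2.55": ["55.2-0-192.pool.isp.example"],
        "203.0.113.7": ["myserver.apache.org"],   # attacker's /24 with a self-published PTR
    },
)


def demo() -> dict:
    """Run each check against the constructed zone; True means access would be allowed."""
    attacker, legit, dyn = "203.0.113.7", "198.51.100.10", "192.0.2.55"
    return {
        "reverse_only_spoofed": reverse_only_allows(ZONE, attacker, "apache.org"),
        "double_reverse_spoofed": double_reverse_allows(ZONE, attacker, "apache.org"),
        "double_reverse_legit": double_reverse_allows(ZONE, legit, "apache.org"),
        "double_reverse_dyndns": double_reverse_allows(ZONE, dyn, "dyndns.example"),
        "forward_only_dyndns": forward_only_allows(ZONE, dyn, "home.dyndns.example"),
        "forward_only_attacker": forward_only_allows(ZONE, attacker, "home.dyndns.example"),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:24s} {'allow' if allowed else 'deny'}")
```

The spoofed PTR passes only the reverse-only check; the double-reverse check rejects it because "myserver.apache.org" does not resolve back to the attacker's address, and the same double-reverse check also rejects the dyndns host, whose PTR is the ISP's generic name. The forward-only check accepts the dyndns host and rejects the attacker, but it trusts whoever controls the forward zone and the resolver path, and it costs a lookup per decision unless results are cached.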