httpd-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: [users@httpd] allow from "hostname" not working..
Date Thu, 19 Jun 2008 09:39:46 GMT
Hi.

Michael Alipio wrote:
> I have the following directives in .htaccess in one of
> my directories.
> 
> <LiMIT HEAD GET POST>
> order allow,deny
> allow from myhost.dyndns.org
> </LIMIT>
> 
> 
> Now for the testing:
> dig myhost.dyndns.org.. the hostname resolves
> properly.
> 
> 
> When I tried it on my browser, I kept getting denied.
> When I looked at my error log, it says, denied by
> server configuration....
> 
> 
> When I looked at accesslog, I saw that when my pc
> accessed the website, apache did reverse lookup on the
> IP and it has the hostname given by my ISP, not the
> one I registered in dyndns.org. Basically I just want
> to only allow my dynamic IP workstation to access a 
> particular directory in my website. seems like "allow
> from hostname" is not working for me. I'm using the
> latest apache2.
> 
> Any idea what might be causing this?
> 

The first question is whether you should not just implement a simple 
authentication for your server.  It's really easy if you do not have 
many users.  Then you get rid of the IP-based control.
Look here :
http://httpd.apache.org/docs/2.2/en/mod/mod_auth_basic.html
and
<Location />
# AuthType can be Basic or Digest
AuthType Basic
AuthName "pirates be gone"
AuthUserFile /web/users
Require valid-user
</Location>
and look up htpasswd to create the users.

-- next, about what you are asking above --

I think you have the reasoning almost right, but not 100%.
When your httpd server receives the request, it knows only from which IP 
it is coming, it doesn't know any name (yet).
When it encounters your "Allow from (domain)" line(s), it will try a DNS 
reverse lookup with the IP, to check if this IP corresponds to any of 
the domains given.
This reverse DNS lookup however will (at best) give back the name given 
to this IP address by the dynamic address allocation system of your 
provider, e.g. something like "tip2345.dialup-timbuctu.myisp.net".
This will not match the domain in the Allow directive, thus will be 
rejected. (Or worse, your ISP does not do reverse IP registration, and 
the request will return "NXdomain", and it will still not match in Apache).

Not recommended solution :
If it's not very critical, and you are quite sure that your server is 
well-configured, and you notice that the DNS name your ISP is giving you 
always ends in the same thing (like "dialup-timbuctu.myisp.net"), you 
could always put a directive "Allow from dialup-timbuctu.myisp.net", but 
understand what it does first, and don't tell anyone I told you to do 
that. It basically restricts the IPs allowed to access your server from 
several million to several tens of thousands.
So don't do this at work.
And forget I even mentioned that.

Better :
If you only need to do this occasionally, and have full control over the 
server, then find out your current IP address and replace your "Allow 
from (name)" by "Allow from (ip-address)" and restart Apache.  You'll 
have to redo this each time your IP changes.

If you do need this more often and find the above a pain, but still can 
restart your server whenever you want, then the simplest way may be a 
small script which will find out your IP address, go modify the Allow 
line above in httpd.conf, and restart your server.  Then make this an 
icon on your desktop, so you can just click on it.
Perl is your friend for things like that.

If it's more permanent, then there might be another way, if you have a 
DNS domain at which you can ask for changes :
It is possible to register a name in your own domain, and tell the DNS 
server to go look up the dyndns.org name that you registered to get the 
current IP address (*). Then your own domain's DNS server can answer 
reverse DNS queries (and you'll have to make sure that your httpd server 
is asking it first).
Then instead of saying "Allow from xyz.dyndns.org", you would say "Allow 
from xyz.mydomain.com".
If your httpd server is at work, buy the DNS guy a beer.
Of course, you will still have to make sure that the dyndns IP 
registration is kept current when your real IP changes, but I suppose 
you already do that.

And finally, if you're really adventurous, you could write a mod_perl 
add-on module for Apache (as a PerlAccessHandler), that will do all this 
dynamically for you each time you connect.  Then maybe the DNS guy will 
buy you a beer, because he could use it too.
But maybe go check the CPAN first, someone else may have preceded you.

There might be smarter ways to do this, and I'm sure other people have 
better ideas.  But maybe then, you should tell on which platform you 
are, with which version of Apache.

André

(*) essentially, you are telling your own DNS server that 
"xyz.mycompany.com" is an alias for "xyz.dyndns.org".


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
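
The "small script" approach from the message above, sketched as an added example (not part of the original message or of any Apache tooling). The function names and the ALLOW_CONF and DYN_HOST variables are assumptions; it expects exactly one "allow from" line in the file and only ever writes a validated IPv4 address into it.

```shell
#!/bin/sh
# Added example: keep one "allow from <ip>" line in step with a dynamic-DNS name.
# ALLOW_CONF and DYN_HOST are assumed environment variables, not Apache settings.

OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'

# True only for a single dotted-quad IPv4 address, so an empty, multi-line or
# unexpected DNS answer can never be written out as an Allow pattern.
is_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eqx "($OCTET\.){3}$OCTET"
}

# update_allow FILE IP
# Returns 0 if FILE was changed (reload needed), 1 if already current, 2 on error.
update_allow() {
    file=$1 ip=$2
    pat='^\([[:space:]]*[Aa]llow[[:space:]][[:space:]]*from[[:space:]][[:space:]]*\)\([^[:space:]]*\).*$'
    is_ipv4 "$ip" || { echo "refusing non-IPv4 value: $ip" >&2; return 2; }
    [ "$(grep -c "$pat" "$file")" -eq 1 ] || { echo "need exactly one allow line" >&2; return 2; }
    [ "$(sed -n "s/$pat/\2/p" "$file")" = "$ip" ] && return 1
    tmp=$(mktemp) || return 2
    # Write back through cat so the file keeps its owner and permissions.
    sed "s/$pat/\1$ip/" "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 2
}

# Runs only when ALLOW_CONF is set, for example from cron or a desktop launcher:
#   ALLOW_CONF=/path/to/httpd.conf DYN_HOST=myhost.dyndns.org sh this-script
if [ -n "${ALLOW_CONF:-}" ]; then
    # With a CNAME in the answer, dig +short prints the address last.
    ip=$(dig +short A "${DYN_HOST:?}" | tail -n 1)
    # Reload only if the line changed and the configuration still parses.
    update_allow "$ALLOW_CONF" "$ip" && apachectl configtest && apachectl graceful
fi
```

With this in place, access depends on whoever can update the dyndns.org record, because the script trusts the forward DNS answer.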

