httpd-users mailing list archives

From "John Karr" <brain...@brainbuz.org>
Subject RE: [users@httpd] allow from based on database query (2.4)
Date Sat, 24 Mar 2012 23:12:36 GMT
I hadn't wanted to mention what I was thinking of doing as an alternative,
because I really hoped that there was a better answer that I had failed to
read/find the documentation on!

My two solutions in mind were: (a) the application that maintains the ip list
writes out a fresh copy of the ip allow from config file and a cron job
periodically restarts apache; (b) my stored procedure that apache uses for
checking passwords takes the ip address as an added parameter and has the
database check the ip address. I don't like (a) because it will require me
to restart the server frequently or accept a long potential delay in updates
to the ip table. I don't like (b) because I would rather a user from an
unauthorized address be completely blocked and not even redirected to login,
and when working on the config I would prefer separate
queries/stored_procedures for ip and credentials.

From: Daniel Gruno [mailto:rumble@cord.dk] 
Sent: Saturday, March 24, 2012 3:03 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] allow from based on database query (2.4)

On 24-03-2012 02:38, John Karr wrote: 

I have an application that uses both ip and credentials authentication;
currently, to update the "allow from" I have to edit a file and restart the
server. My next release will be using Apache 2.4 with dbd authentication. I
was wondering if there were a way to either have apache get its ip address
list for "allow from" from the database or to dynamically update the list
apache was using without needing to restart the server.

I have a way, but it's not necessarily pretty, and someone should probably
shoot me for mentioning this.
What you can do, since the dawn of Man (or, since mod_rewrite), is use
RewriteMap creatively and run it through a program that checks if the IP is
on a white-list, and if not, rewrites the URI to serve a static "forbidden!"
file. The idea is that, as you can pass on any httpd argument, header etc. in
a rewrite, you can pass on both the IP and the request URI to a program
that then splits it up, checks the IP, and if it checks out, passes back the
URI.

First off, you would need to apply something like this to your
configuration:
<Directory "/path/to/forbidden/zone">
    RewriteEngine On
    RewriteMap checkip prg:/path/to/checkip.pl
    # Feed "IP:URI" to the map program; whatever it answers becomes the new URI
    RewriteRule .* ${checkip:%{REMOTE_ADDR}:%{REQUEST_URI}} [L]
</Directory>

You would then have a corresponding program (checkip.pl) running (httpd
takes care of running this in the background for you):
#!/usr/bin/perl
use strict;
use warnings;
$| = 1; # Turn off output buffering: httpd waits for each answer line

sub DatabaseLookup {
    my ($ip) = @_;
    # Query your database here (e.g. via DBI) and return 1 only when $ip is
    # on the allow list; anything else, including a failed query, returns 0
    # so the check fails closed.
    return 0;
}

while (my $line = <STDIN>) { # For each incoming request, look the IP up in the db.
    chomp $line;
    # Separate the IP and the URI in the string httpd gave us. The limit of 2
    # keeps colons inside the URI intact; note that an IPv6 REMOTE_ADDR also
    # contains colons, so choose another separator if you serve IPv6 clients.
    my ($ip, $uri) = split(/:/, $line, 2);

    # Run some checks here to see if the IP matches one on our list
    if (defined $uri && DatabaseLookup($ip) == 1) {
        print("$uri\n"); # Allow the request through, unaltered (one line per answer)
    }
    else { # If the IP isn't on our list, then...
        print("/forbidden.html\n"); # Redirect to some static error file
    }
}

As mentioned, this is probably but one of the methods you could use, and
it's prone to be a bottleneck if you have a lot of requests going on at once
- but I've tested it and it works, so that's at least something. 

I'm done - send in the firing squad.

With regards,
Daniel.

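The RewriteMap prg program described in the reply above, written here in Python as an added example (not code from the thread): it reads one "IP:URI" key per line, answers exactly one line per key, fails closed on anything it cannot parse, and handles the case the colon separator makes awkward, an IPv6 REMOTE_ADDR that itself contains colons, by taking the longest prefix that parses as an address. The ALLOWED set is a constructed in-memory stand-in for the database query.

```python
import ipaddress
import sys

FORBIDDEN = "/forbidden.html"

# Constructed stand-in for the database: the set of client addresses allowed in.
ALLOWED = {ipaddress.ip_address(a) for a in ("192.0.2.10", "2001:db8::1")}


def split_key(key):
    """Split the 'IP:URI' key httpd builds from REMOTE_ADDR and REQUEST_URI.
    An IPv6 address contains colons, so instead of splitting on the first
    colon, take the longest prefix that parses as an IP address; the URI
    is whatever follows the colon after it. Returns (ip, uri) or None."""
    best = None
    for i, ch in enumerate(key):
        if ch != ":":
            continue
        try:
            ip = ipaddress.ip_address(key[:i])
        except ValueError:
            continue
        best = (ip, key[i + 1:])
    return best


def decide(key, allowed=ALLOWED):
    """Return the path httpd should serve for this key: the original URI
    when the client is allowed, FORBIDDEN otherwise. A parse failure or a
    non-path URI (e.g. the '*' of an OPTIONS request) also yields FORBIDDEN,
    so the check fails closed."""
    parsed = split_key(key)
    if parsed is None:
        return FORBIDDEN
    ip, uri = parsed
    if ip in allowed and uri.startswith("/"):
        return uri
    return FORBIDDEN


def main():
    # RewriteMap prg protocol: one key per line on stdin, exactly one
    # newline-terminated answer per key on stdout, flushed immediately,
    # because httpd blocks waiting for the reply to each lookup.
    for line in sys.stdin:
        sys.stdout.write(decide(line.rstrip("\n")) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Point the RewriteMap at this script instead of checkip.pl and the same RewriteRule works unchanged; httpd starts a single instance, so a slow database call serialises every request through it.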
