httpd-users mailing list archives

From Daniel Gruno <>
Subject Re: [users@httpd] allow from based on database query (2.4)
Date Sat, 24 Mar 2012 07:03:08 GMT
On 24-03-2012 02:38, John Karr wrote:
> I have an application that uses both ip and credentials authentication,
> currently to update the "allow from" I have to edit a file and restart the
> server. My next release will be using Apache 2.4 with dbd authentication, I
> was wondering if there were a way to either have apache get its ip address
> list for "allow from" from the database or to dynamically update the list
> apache was using without needing to restart the server.
I have a way, but it's not necessarily pretty, and someone should 
probably shoot me for mentioning this.
What you can do, since the dawn of Man (or, since mod_rewrite), is use 
RewriteMap creatively and run it through a program, that checks if the 
IP is on a white-list, and if not, rewrite the URI to serve a static 
"forbidden!" file. The idea is that, as you can pass on any httpd 
argument, header etc in a rewrite, you can pass on both the IP and the 
request URI to a program, that then splits it up, checks the IP, and if 
it checks out, passes back the URI.

First off, you would need to apply something like this to your 
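# RewriteMap is only valid in server config or virtual host context
RewriteMap checkip prg:/path/to/
<Directory "/path/to/forbidden/zone">
    RewriteEngine On
    # ^ matches every request under this directory
    RewriteRule ^ ${checkip:%{REMOTE_ADDR}:%{REQUEST_URI}}
</Directory>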

You would then have a corresponding program ( running (httpd 
takes care of running this in the background for you):
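#!/usr/bin/perl
use strict;
use warnings;

$| = 1; # Turn off I/O buffering

sub DatabaseLookup {
    my ($ip) = @_;
    # Placeholder: query your database here, return 1 if the IP is listed
    return 0;
}

while (<STDIN>) { # For each incoming IP request, look it up in the db.
    chomp;
    # Separate the IP and the URI in the string httpd gave us
    # (limit 2 keeps any ':' inside the URI; IPv6 addresses are not handled)
    my ($ip, $uri) = split(/:/, $_, 2);

    # Run some checks here to see if the IP matches one on our list
    if (defined $uri && DatabaseLookup($ip) == 1) {
        print("$uri\n"); # Allow the request through, unaltered
    } else { # If the IP isn't on our list, then...
        print("/forbidden.html\n"); # Redirect to some static error file
    }
}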

As mentioned, this is probably but one of the methods you could use, and 
it's prone to be a bottleneck if you have a lot of requests going on at 
once - but I've tested it and it works, so that's at least something.

I'm done - send in the firing squad.

With regards,
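
The map program described in the message above, as an added example that is not part of the original post and is written in Python rather than the post's Perl. It goes beyond the post by accepting IPv6 clients and CIDR entries and by denying on any parse or database error; the allowed_nets table and the sample networks are constructed for illustration.

```python
#!/usr/bin/env python3
"""RewriteMap prg helper: reads "IP:URI" keys, answers with the URI or a deny page."""
import ipaddress
import sqlite3
import sys

DENY_URI = "/forbidden.html"  # same static page as in the post


def open_demo_db():
    """Constructed sample allow-list; a real deployment opens its own database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE allowed_nets (cidr TEXT PRIMARY KEY)")  # hypothetical schema
    db.executemany("INSERT INTO allowed_nets VALUES (?)",
                   [("192.0.2.0/24",), ("2001:db8::/32",)])
    return db


def ip_allowed(db, ip_text):
    """True if ip_text parses as an address inside any stored network."""
    addr = ipaddress.ip_address(ip_text)  # raises ValueError on junk input
    for (cidr,) in db.execute("SELECT cidr FROM allowed_nets"):
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            return True
    return False


def answer(db, key):
    """Map one lookup key to the URI httpd should serve; deny on any error."""
    # REQUEST_URI starts with "/" and no IP address contains one, so cutting at
    # the first "/" keeps IPv6 addresses and URIs containing ":" intact.
    ip_text, slash, rest = key.rstrip("\r\n").partition("/")
    if not slash or not ip_text.endswith(":"):
        return DENY_URI
    try:
        return slash + rest if ip_allowed(db, ip_text[:-1]) else DENY_URI
    except (ValueError, sqlite3.Error):
        return DENY_URI


def main():
    db = open_demo_db()  # the table is read on every lookup, not cached
    for line in sys.stdin:
        # httpd waits for exactly one line per key; flush so it never blocks.
        sys.stdout.write(answer(db, line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because the table is queried on each lookup, rows added to or removed from it take effect on the next request without restarting httpd.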
