httpd-users mailing list archives

From Daniel Gruno <rum...@cord.dk>
Subject Re: [users@httpd] allow from based on database query (2.4)
Date Sat, 24 Mar 2012 07:03:08 GMT
On 24-03-2012 02:38, John Karr wrote:
> I have an application that uses both ip and credentials authentication,
> currently to update the "allow from" I have to edit a file and restart the
> server. My next release will be using Apache 2.4 with dbd authentication, I
> was wondering if there were a way to either have apache get its ip address
> list for "allow from" from the database or to dynamically update the list
> apache was using without needing to restart the server.
I have a way, but it's not necessarily pretty, and someone should 
probably shoot me for mentioning this.
What you can do, since the dawn of Man (or, since mod_rewrite), is use 
RewriteMap creatively and run it through a program that checks whether the 
IP is on a whitelist, and if not, rewrite the URI to serve a static 
"forbidden!" file. The idea is that, as you can pass on any httpd 
argument, header etc. in a rewrite, you can pass on both the IP and the 
request URI to a program that then splits it up, checks the IP, and if 
it checks out, passes back the URI.

First off, you would need to apply something like this to your 
configuration:
# RewriteMap is only valid in server config or <VirtualHost> context,
# not inside <Directory>; httpd starts the program once, at startup.
RewriteMap checkip prg:/path/to/checkip.pl

<Directory "/path/to/forbidden/zone">
    # Per-directory rewriting needs the engine on and FollowSymLinks
    # (or SymLinksIfOwnerMatch) enabled, otherwise the rule is ignored.
    Options +FollowSymLinks
    RewriteEngine On
    # Match every request ('-' is only a placeholder in the substitution,
    # not a match-all pattern) and replace the URI with the map's answer.
    RewriteRule ^ ${checkip:%{REMOTE_ADDR}:%{REQUEST_URI}} [L]
</Directory>

You would then have a corresponding program (checkip.pl) running (httpd 
takes care of running this in the background for you):
#!/usr/bin/perl
use strict;
use warnings;

$| = 1; # Disable output buffering: httpd blocks until it reads each answer line

sub DatabaseLookup {
    my ($ip) = @_;
    #doStuffHere();  query the database here; return 1 if $ip is on the list
    return 0;
}

while (my $line = <STDIN>) { # One lookup per line, in the form "<ip>:<uri>"
    chomp $line;
    # The URI always begins with '/', and no IP address contains '/', so the
    # separator is the ':' just before the first '/'. A plain split(/:/)
    # would break IPv6 addresses, which contain colons themselves.
    my ($ip, $uri) = $line =~ m{^([^/]+):(/.*)$};

    # Run some checks here to see if the IP matches one on our list
    if (defined $ip && DatabaseLookup($ip) == 1) {
        print("$uri\n"); # Allow the request through, unaltered
    }
    else { # If the IP isn't on our list (or the key is malformed), then...
        print("/forbidden.html\n"); # Redirect to some static error file
    }
}

As mentioned, this is probably but one of the methods you could use, and 
it's prone to be a bottleneck if you have a lot of requests going on at 
once - but I've tested it and it works, so that's at least something.

I'm done - send in the firing squad.

With regards,
Daniel.
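The same prg: map helper written in Python, as an added example that is not part of Daniel's post. It assumes the RewriteRule passes the key as "<REMOTE_ADDR>:<REQUEST_URI>" exactly as in the configuration above, and it goes a little beyond the post: the allow-list is a constructed set of CIDR networks (203.0.113.0/24 and 2001:db8::/32, documentation ranges standing in for the database result) rather than exact addresses, the key is split so that IPv6 client addresses survive, and anything unparseable is answered with the forbidden page rather than passed through. The function names (split_key, is_allowed, lookup, serve) are this example's own.

```python
#!/usr/bin/env python3
"""Added example of a RewriteMap 'prg:' helper (not the code from the post).

httpd writes one lookup key per line to this program's stdin and expects
exactly one answer line back.  With

    RewriteRule ^ ${checkip:%{REMOTE_ADDR}:%{REQUEST_URI}} [L]

the key looks like "203.0.113.7:/admin/" or "2001:db8::1:/admin/".  The
answer is the URI unchanged when the client is on the allow-list, and the
path of a static forbidden page otherwise.
"""
import ipaddress
import sys

# Constructed sample allow-list.  A real deployment would load this from
# the database (and refresh it) instead of hard-coding it.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]
FORBIDDEN_PATH = "/forbidden.html"   # static page served to everyone else


def split_key(key):
    """Split "<addr>:<uri>" into (addr, uri).

    The URI always starts with '/' and no IP address contains '/', so the
    separator is the ':' immediately before the first '/'.  Splitting on
    every ':' would mangle IPv6 addresses.
    """
    slash = key.find("/")
    if slash < 1 or key[slash - 1] != ":":
        raise ValueError("malformed key: %r" % key)
    return key[:slash - 1], key[slash:]


def is_allowed(addr, networks=ALLOWED_NETWORKS):
    """True if addr parses as an IP address inside one of the networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False        # garbage in the key: fail closed
    return any(ip in net for net in networks)


def lookup(key, networks=ALLOWED_NETWORKS):
    """One map lookup: the URI httpd should rewrite to for this key."""
    try:
        addr, uri = split_key(key)
    except ValueError:
        return FORBIDDEN_PATH   # fail closed on anything unexpected
    return uri if is_allowed(addr, networks) else FORBIDDEN_PATH


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Run the prg-map loop: one answer line per key line, flushed at once.

    httpd blocks waiting for the reply, so stdout must never be buffered.
    """
    for line in stdin:
        stdout.write(lookup(line.rstrip("\n")) + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve()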

Mime
View raw message