httpd-users mailing list archives

From brainbuz <brain...@brainbuz.org>
Subject Re: [users@httpd] allow from based on database query (2.4)
Date Mon, 26 Mar 2012 14:41:10 GMT
 

mod_gatekeeper sounds like it does exactly what I was looking for. I
will try it.

On 2012-03-26 03:00, Daniel Gruno wrote: 

> On 25-03-2012 00:12, JohnKarr wrote:
> 
>> I hadn't wanted to mention what I was thinking of doing as an
>> alternative, because I really hoped that there was a better answer
>> that I had failed to read/find the documentation on!
>>
>> My two solutions in mind were (a) the application that maintains the
>> ip list writes out a fresh copy of the ip allow from config file and
>> a cron job periodically restarts apache (b) my stored procedure that
>> apache uses for checking passwords takes the ip address as an added
>> parameter and have the database check the ip address. I don't like
>> (a) because it will require me to restart the server frequently or
>> accept a long potential delay in updates to the ip table. I don't
>> like (b) because I would rather a user from an unauthorized address
>> be completely blocked and not even redirected to login and when
>> working on the config I would prefer separate
>> queries/stored_procedures for ip and credentials.
>
> It's still only early Monday morning - perhaps some whiz kid will
> wake up and give the right answer soon.
>
> In the meantime; httpd comes with a set of modules and directives
> that will satisfy 99% of the population, but there will always be
> things that have either not been thought of, or are better suited as
> third party modules. There is, after all, a very useful API built
> into httpd that you can make use of rather easily and quickly if you
> have special needs for your web server. So, when in doubt, make a
> module!
> 
> And so I did; I made an example module that takes a text file (with a
> caching mechanism for only reading it if/when it updates), rifles
> through it, and checks if an IP is on the list or not. The example
> module source code can be found at
> http://www.humbedooh.com/mod_gatekeeper.zip [1] and works with 2.4.
> The simple directives that you can put into place are:
> 
> GKEngine on
> GKAllow ip /foo/bar/allowed_ips.txt
> GKDeny ip /foo/bar/denied_ips.txt
> 
> This is somewhat like writing a new .htaccess with updated rules
> whenever the IP list changes, but it has the advantage of being
> significantly faster in its execution since it only reads changes to
> your list when they occur.
> 
> One could (and I probably will) continue to work on this module,
> eventually allowing one to make more complex requirements using
> mod_dbd as a database gateway, such as:
> 
> GKAllow REMOTE_HOST in mod_dbd using "SELECT `ip` FROM `grantedlist` WHERE `ip` = ?"
> GKAllow REMOTE_USER,REMOTE_PASSWORD in mod_dbd using "SELECT `user` FROM `grantedusers` WHERE `user` = ? AND `password` = MD5(?)"
> GKDeny from file /foo/bar/deny.txt
> 
> I'm guessing this is more along the lines you had in mind? If so,
> I'll likely continue to work on this module over the course of the
> summer, and if it wasn't exactly what you had in mind, any input or
> opinions you may have are of course very welcome either on users@, or
> private to humbedooh@apache.org [2].
> 
> With regards,
> Daniel.




Links:
------
[1] http://www.humbedooh.com/mod_gatekeeper.zip
[2] mailto:humbedooh@apache.org
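
Added example, not part of the original messages and not code from mod_gatekeeper: a stand-alone C sketch of the file-backed allow list with the "only re-read when the file changes" cache described in the quoted reply. The names (gk_list, gk_allowed, GK_MAX) and the file format (one address per line, `#` comments) are assumptions; it covers the allow case only and treats a missing or unreadable file as an empty list.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#define GK_MAX 1024   /* hypothetical cap; extra entries are ignored */
typedef struct { int family; unsigned char addr[16]; } gk_ip;
typedef struct {      /* cache for one allow-list file (names are assumptions) */
    const char *path;
    time_t mtime; off_t size;      /* file state at the last successful load */
    int loaded, count, reloads;
    gk_ip ips[GK_MAX];
} gk_list;

/* Parse to binary so "::1" and "0:0:0:0:0:0:0:1" compare equal. */
static int gk_parse(const char *s, gk_ip *out) {
    memset(out, 0, sizeof *out);
    if (inet_pton(AF_INET, s, out->addr) == 1) { out->family = AF_INET; return 1; }
    if (inet_pton(AF_INET6, s, out->addr) == 1) { out->family = AF_INET6; return 1; }
    return 0;
}

/* Re-read the file only when its mtime or size changed since the last load. */
static int gk_refresh(gk_list *l) {
    struct stat st; FILE *f = NULL;
    char line[128]; int cont = 0;  /* cont: previous chunk had no newline */
    if (stat(l->path, &st) == 0) {
        if (l->loaded && st.st_mtime == l->mtime && st.st_size == l->size) return 0;
        f = fopen(l->path, "r");
    }
    l->loaded = l->count = 0;      /* missing or unreadable file: empty list */
    if (!f) return -1;
    while (l->count < GK_MAX && fgets(line, sizeof line, f)) {
        int skip = cont;           /* tail of an over-long line is never an entry */
        cont = strchr(line, '\n') == NULL;
        line[strcspn(line, " \t\r\n#")] = '\0';   /* drop comment and newline */
        if (!skip && gk_parse(line, &l->ips[l->count])) l->count++;
    }
    fclose(f);
    l->mtime = st.st_mtime; l->size = st.st_size; l->loaded = 1; l->reloads++;
    return 0;
}

/* 1 only if ip parses and is listed; every failure path answers "not allowed". */
int gk_allowed(gk_list *l, const char *ip) {
    gk_ip want;
    if (!gk_parse(ip, &want) || gk_refresh(l) != 0) return 0;
    for (int i = 0; i < l->count; i++)
        if (memcmp(&l->ips[i], &want, sizeof want) == 0) return 1;
    return 0;
}
```

Comparing the size as well as the mtime catches an edit that lands in the same second as the previous load, which a one-second mtime alone would miss.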
