www-apache-bugdb mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: config/1250: tcpd-wrapper support; use /etc/hosts.(allow|deny)
Date Thu, 23 Oct 1997 05:50:03 GMT
The following reply was made to PR config/1250; it has been noted by GNATS.

From: Dean Gaudet <dgaudet@arctic.org>
To: Marc Slemko <marcs@znep.com>
Cc: apbugs@apache.org
Subject: Re: config/1250: tcpd-wrapper support; use /etc/hosts.(allow|deny)
Date: Tue, 21 Oct 1997 16:53:29 -0700 (PDT)

 On Tue, 21 Oct 1997, Marc Slemko wrote:
 
 > No it doesn't.  There is no way to impose global restrictions on a site
 > without messing up more specific access control, and there is no way to
 > easily use a common set of denys for morons across all services.
 
 This should work:
 
 <Location />
     order allow,deny
     deny from all
 </Location>
 
 Location is parsed after Directories.  This one always matches, and is
 always applied.
 
 > > It's not easy at all to use /etc/hosts.allow in Apache due
 > > to how it works (and how it's supposed to perform well).
 > 
 > Why?  Sure, you get a DNS lookup hit if you specify things with DNS but
 > that isn't a big deal...
 
 Every child would have to stat /etc/hosts.allow on every hit and possibly
 reread it.  At least that's how tcpd normally behaves because it is always
 respawned.  If your argument for using /etc/hosts.allow is "because then
 it'd be controlled similar to other daemons" then you don't want to say
 "oh you have to restart your server if you change /etc/hosts.allow"...
 because that would be different from how other daemons work.
 
 Relax that condition and maybe you'll have a solution that can perform
 just fine.
 
 IMHO, it's a job for a 3rd party module, not something that we should
 ship with apache.
 
 Dean
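
The stat-on-every-hit behaviour described in the message above, as an added sketch that is not part of the original message or of Apache. It assumes a simplified IPv4-only subset of the hosts_access(5) rule syntax; `RulesFile`, `parse_rules` and `allowed` are hypothetical names.

```python
import os

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines (simplified subset of hosts_access(5))."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]
        rules.append((daemons.replace(",", " ").split(), clients.replace(",", " ").split()))
    return rules

class RulesFile:
    """Caches one rules file; stat()s it on every check, re-reads only on change."""
    def __init__(self, path):
        self.path, self.stamp, self.rules, self.reloads = path, None, [], 0

    def refresh(self):
        try:
            st = os.stat(self.path)            # paid on every hit, by every child
        except FileNotFoundError:
            self.stamp, self.rules = None, []  # a missing file counts as empty
            return
        stamp = (st.st_ino, st.st_size, st.st_mtime_ns)
        if stamp != self.stamp:                # file replaced or edited: re-read
            with open(self.path) as fh:
                self.rules = parse_rules(fh.read())
            self.stamp, self.reloads = stamp, self.reloads + 1

    def matches(self, daemon, addr):
        self.refresh()
        for daemons, clients in self.rules:
            if daemon in daemons or "ALL" in daemons:
                if any(c in ("ALL", addr) or (c.endswith(".") and addr.startswith(c)) for c in clients):
                    return True
        return False

def allowed(allow, deny, daemon, addr):
    """tcp-wrappers order: allow match grants, else deny match refuses, else grant."""
    return allow.matches(daemon, addr) or not deny.matches(daemon, addr)

if __name__ == "__main__":
    import tempfile
    d = tempfile.mkdtemp()
    deny = os.path.join(d, "hosts.deny")
    with open(deny, "w") as fh: fh.write("httpd: 192.0.2.\n")  # constructed sample rule
    a, dn = RulesFile(os.path.join(d, "hosts.allow")), RulesFile(deny)
    print([allowed(a, dn, "httpd", ip) for ip in ("192.0.2.9", "198.51.100.7")], dn.reloads)
```

Each check costs two stat() calls even when nothing changed; dropping the `refresh()` call from `matches` and loading once at startup is the relaxed condition the message mentions, at the price of needing a restart to pick up edits.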
 
