www-apache-bugdb mailing list archives

From Samuli "Kärkkäinen" <...@iki.fi>
Subject mod_auth-any/1534: 'allow from' only allows access when given ip addresses, subnet arguments (a.b.c.d/x) refuse access
Date Mon, 08 Dec 1997 23:26:43 GMT

>Number:         1534
>Category:       mod_auth-any
>Synopsis:       'allow from' only allows access when given ip addresses, subnet arguments (a.b.c.d/x) refuse access
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Dec  8 15:30:00 PST 1997
>Last-Modified:
>Originator:     sak@iki.fi
>Organization:
apache
>Release:        1.2.4
>Environment:
Linux 2.0.32, intel pentium, apache-1.2.4-5.i386.rpm
>Description:
My domain is using the so-called "reverse kludge" for reverse DNS. I believe
this is causing the 'allow from' directive to accept only some forms of defining
the client address. The full configuration can be seen at
http://www.kelloseppakoulu.fi:8888/. That URL maps to the configuration
directory of that server. The configuration is very close to the
example configuration that comes with the Apache distribution. With that
configuration access is allowed from everywhere, as it should be.

The following discussion applies to our domain (which, as mentioned, uses
reverse kludge for reverse DNS). If I replace 'allow from all' with
  allow from 194.100.26.178
which is the address of my computer in that LAN, I am correctly given access.
If I replace it with
  allow from 194.100.26.128/26
or
  allow from kelloseppakoulu.fi
or
  allow from .fi
all of which should grant access to all hosts in our domain, no host in our
domain is given access.

If I try to access the server from other domains (which do not use the reverse DNS
kludge), the following applies. If I replace 'allow from all' with
   allow from 0.0.0.0/0
or
   allow from a.b.c.d/16
and access the server from a.b.x.y, I am not given access although I should, and
if I replace 'allow from all' with
  allow from .hut.fi
and access the server from alpha.hut.fi, I am given access as I should.
>How-To-Repeat:
-
>Fix:

>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
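
Added example, not part of the original report and not Apache's code: a Python check of the access decisions the report expects from each 'allow from' argument. The hostname pc.kelloseppakoulu.fi, the 10.1.0.0/16 network standing in for a.b.c.d/16, and the client addresses used for the other domains are constructed; the matching rules are the expected semantics, not a statement of what Apache 1.2.4 implements.

```python
import ipaddress


def rule_matches(spec, client_ip, client_host=None):
    """Return True if an 'allow from <spec>' argument should cover the client.

    Expected semantics (assumption): 'all', a single IP, an a.b.c.d/x
    network, or a domain name matched on a label boundary against the
    client's reverse-DNS name.
    """
    if spec.lower() == "all":
        return True
    ip = ipaddress.ip_address(client_ip)
    try:
        # A bare address parses as a /32 network; strict=False tolerates
        # host bits set in the network part.
        return ip in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        pass  # not an address or network, so treat it as a domain name
    if client_host is None:
        return False  # no reverse-DNS name available: name rules cannot match
    host = client_host.lower().rstrip(".")
    domain = spec.lower().strip(".")
    # '.fi' must match 'x.fi' but not 'x.notfi': compare whole labels only
    return host == domain or host.endswith("." + domain)


# (allow-from argument, client IP, client reverse-DNS name) -- constructed
# from the cases in the report; hostnames and 10.1.x.x values are made up.
CASES = [
    ("194.100.26.178", "194.100.26.178", "pc.kelloseppakoulu.fi"),
    ("194.100.26.128/26", "194.100.26.178", "pc.kelloseppakoulu.fi"),
    ("kelloseppakoulu.fi", "194.100.26.178", "pc.kelloseppakoulu.fi"),
    (".fi", "194.100.26.178", "pc.kelloseppakoulu.fi"),
    ("0.0.0.0/0", "10.1.7.9", None),
    ("10.1.0.0/16", "10.1.7.9", None),
    (".hut.fi", "192.0.2.10", "alpha.hut.fi"),
]


def expected_decisions():
    """Evaluate every case; each entry is (spec, client_ip, allowed)."""
    return [(s, ip, rule_matches(s, ip, host)) for s, ip, host in CASES]


if __name__ == "__main__":
    for spec, ip, allowed in expected_decisions():
        print(f"allow from {spec:<20} client {ip:<15} -> "
              f"{'allow' if allowed else 'deny'}")
```

Comparing this table with the server's actual responses separates the forms that fail on address matching from those that depend on the reverse-DNS name.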



