Posted to users@httpd.apache.org by apache a <aa...@gmail.com> on 2008/07/21 11:58:58 UTC

[users@httpd] ACL - access control lists

Do Apache servers use ACLs to check conditions based on the incoming HTTP
request URL, even before the header is parsed?

Re: [users@httpd] ACL - access control lists

Posted by Joshua Slive <jo...@slive.ca>.
On Mon, Jul 21, 2008 at 5:58 AM, apache a <aa...@gmail.com> wrote:
> Do Apache servers use ACLs to check conditions based on the incoming HTTP
> request URL, even before the header is parsed?

I see this is the third time you've asked variants on this question.
But without actually explaining what you are trying to do, you're just
wasting your time.

But to answer directly, Apache httpd answers HTTP requests with HTTP
responses. To do that, it almost always needs to parse the headers,
even if it will wind up denying the request due to, for example, an IP
address forbidden by mod_authz_host.

You can look at the third-party module mod_security, which does have
the ability to drop requests without any response. Or you can use a
firewall to do this job.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] ACL - access control lists

Posted by André Warnier <aw...@ice-sa.com>.
apache a wrote:
> Do Apache servers use ACLs to check conditions based on the incoming HTTP
> request URL, even before the header is parsed?
> 
You have already asked that question, in different ways, several times.
And you have already received responses several times, all basically 
saying no.
Unless you describe what exactly you would like to achieve, nobody is 
going to be able to give you another answer.

Be logical :
Apache is basically an HTTP server, designed to handle HTTP requests.
It receives requests, which usually consist of a first line like this :
GET /something HTTP/x.x  OR
POST /something/else?a=b HTTP/x.x  OR
PUT /something/else/again.lst HTTP/x.x  OR
MKCOL /somedir HTTP/x.x
...

followed usually by several HTTP header lines.

The "GET", "POST" etc. above stand for what you would like Apache to 
do, and the "/something" stands for "to what would you like Apache to do 
this".
Apache does not know, at first, that "/something" is a local file, or an 
alias for a local file, or a cgi-bin script to execute, or a disk 
location where you want to put a file, or a "proxy" link to another 
system, or a million other things possible.
Before Apache knows if the "/something" corresponds or not to some file 
on the local filesystem, it has to take some steps.
For that, it usually needs the information from the HTTP headers, so it 
will read and parse them.
It is only after that, that it may know that "/something" is a local 
file "/var/www/xyz/docs/subdir/abcdef.txt", and that it may, maybe, 
check the ACLs of the local file before it sends it back.
And, for example, if Apache has to check an ACL in order to decide, 
does it also need to know who you are, and if you have the right to get 
that file?  If yes, then that information usually comes in HTTP 
headers, which Apache will need to parse first.

If you do not want Apache to do that, then there exist some ways, but 
they are not simple, because you need to turn Apache from a HTTP server 
into a server for some other protocol.

Then the question becomes : is it worth doing that work with Apache, or 
should you be using something else ?

If your idea is to have a process that can accept simple requests for 
local files via TCP/IP, and send them back or not depending on some file 
ACL, then you can write your own TCP server.  There are many examples 
available, and Google will help.
Or check this book for example:
Network Programming with Perl - Lincoln D. Stein
Publisher: Addison-Wesley

André
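
The ordering described in the reply above, as an added example that is not part of the original thread and is not Apache httpd code: a toy handler in which the request line alone can neither pick the file nor identify the caller. The `VHOSTS`, `FILE_ACL` and `USERS` tables and the function names are assumptions constructed for this illustration, and percent-decoding of the URL is left out.

```python
# Added illustration (not Apache httpd code): a toy request handler showing why
# the URL in the request line cannot be checked against a file ACL by itself.
# VHOSTS, FILE_ACL and USERS are constructed sample data, not real configuration.
import base64
import hmac
import posixpath

VHOSTS = {"www.example.com": "/var/www/xyz/docs", "intranet.example.com": "/srv/intranet"}
FILE_ACL = {"/srv/intranet/subdir/abcdef.txt": {"alice"}}  # paths absent here are public
USERS = {"alice": "s3cret", "bob": "hunter2"}


def parse_request(raw: bytes):
    """Split a request head into [method, target, version] and a header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts, headers


def decide(raw: bytes):
    """Return (status, mapped_path); every step after parsing needs a header."""
    (_, target, _), headers = parse_request(raw)
    docroot = VHOSTS.get(headers.get("host", "").split(":")[0].lower())
    if docroot is None:
        return 400, None  # the request line alone does not say which site is meant
    # Normalise the URL path so "../" segments cannot climb out of the docroot.
    url_path = posixpath.normpath("/" + target.split("?", 1)[0].lstrip("/"))
    path = docroot + url_path
    allowed = FILE_ACL.get(path)
    if allowed is None:
        return 200, path
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return 401, path  # identity is carried in a header, so none is known yet
    try:
        user, _, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except ValueError:
        return 401, path
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(password.encode(), expected.encode()):
        return 401, path
    return (200 if user in allowed else 403), path
```

The same request line `GET /subdir/abcdef.txt HTTP/1.1` maps to a public file under one `Host` value and to an ACL-protected file under another, so the access decision cannot be made before the headers are read.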
