You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by apache a <aa...@gmail.com> on 2008/07/21 11:58:58 UTC
[users@httpd] ACL - access control lists
does apache servers use ACLs to check conditions based on the incoming http
request URL, even before the header is parsed?
Re: [users@httpd] ACL - access control lists
Posted by Joshua Slive <jo...@slive.ca>.
On Mon, Jul 21, 2008 at 5:58 AM, apache a <aa...@gmail.com> wrote:
> does apache servers use ACLs to check conditions based on the incoming http
> request URL, even before the header is parsed?
I see this is the third time you've asked variants on this question.
But without actually explaining what you are trying to do, you're just
wasting your time.
But to answer directly, Apache httpd answers HTTP requests with HTTP
responses. To do that, it almost always needs to parse the headers,
even if it will wind up denying the request due to, for example, an IP
address forbidden by mod_authz_host.
You can look at the third-party module mod_security, which does have
the ability to drop requests without any response. Or you can use a
firewall to do this job.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] ACL - access control lists
Posted by André Warnier <aw...@ice-sa.com>.
apache a wrote:
> does apache servers use ACLs to check conditions based on the incoming http
> request URL, even before the header is parsed?
>
You have already asked that question, in different ways, several times.
And you have already received responses several times, all basically
saying no.
Unless you describe what exactly you would like to achieve, nobody is
going to be able to give you another answer.
Be logical :
Apache is basically an HTTP server, designed to handle HTTP requests.
It receives requests, which usually consist of a first line like this :
GET /something HTTP/x.x OR
POST /something/else?a=b HTTP/x.x OR
PUT /something/else/again.lst HTTP/x.x OR
MKCOL /somedir HTTP/x.x
...
followed usually by several HTTP header lines.
The "GET", "POST" etc.. above stand for what you would like Apache to
do, and the "/something" stands for "to what would you like Apache to do
this".
Apache does not know, at first, that "/something" is a local file, or an
alias for a local file, or a ci-bin script to execute, or a disk
location where you want to put a file, or a "proxý" link to another
system, or a million other things possible.
Before Apache knows if the "/something" corresponds or not to some file
on the local filesystem, it has to take some steps.
For that, it usually needs the information from the HTTP headers, so it
will read and parse them.
It is only after that, that it may know that "/something" is a local
file "/var/www/xyz/docs/subdir/abcdef.txt", and that it may, maybe,
check the ACLs of the local file before it sends it back.
And , for example, if Apache has to check an ACL in order to decide,
does it also need to know who you are, and if you have the right to get
that file ? If yes, then that information usually comes in HTTP
headers, which Apache will need to parse first.
If you do not want Apache to do that, then there exist some ways, but
they are not simple, because you need to turn Apache from a HTTP server
into a server for some other protocol.
Then the question becomes : is it worth doing that work with Apache, or
should you be using something else ?
If your idea is to have a process that can accept simple requests for
local files via TCP/IP, and send them back or not depending on some file
ACL, then you can write your own TCP server. There are many examples
available , and Google will help.
Or check this book for example :
Network Programming with Perl - Lincoln D.Stein
Publisher : Addison-Wesley
André
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org