Posted to dev@httpd.apache.org by Fabien <fa...@apache.org> on 2016/01/14 09:38:25 UTC

Re: access control for dynamic hosts

Hello Apache devs,

Would anyone have an opinion, please?

Although I can just commit the proposed changes, a formal go would be 
nice.

On Sun, 20 Dec 2015, Fabien wrote:

> Date: Sun, 20 Dec 2015 09:44:55 +0100 (CET)
> From: Fabien <fa...@apache.org>
> Reply-To: dev@httpd.apache.org
> To: APACHE development mailing list <de...@httpd.apache.org>
> Subject: access control for dynamic hosts
> 
>
> Hello folks,
>
> I have a simple access control use case for which I have not found a clean 
> solution.
>
> I want to control access to a service based on the name of the client, 
> however the client is a dynamic host, which implies that:
>
> (1) I do not have any control about the reverse DNS
>     => this rules out "Require host"
>
> (2) the IP may change arbitrarily
>     => this rules out "Require ip"
>
> By browsing around it seems that I'm not alone having this issue, and I have 
> not found any solution for that with apache configuration, nor a matching 
> module in "modules.apache.org" listing.
>
> The current workaround is to update the IP manually when it fails. Although I 
> could automate (say query the ip periodically and update & reload the conf if 
> there is a change), ISTM that it really belongs to apache configuration.
>
> I would like something like "Require XXX foo.dynamic-dns.somewhere" (where 
> XXX could be "name", "hostname", "dynamic", ...) which would query the NS 
> when the HTTP request is received and check that the corresponding ip is the 
> client IP.
>
> I'm planning to develop a small module for that, and as it is somehow quite a 
> basic service it could be a candidate for being added to 
> "modules/aaa/mod_authz_host.c".
>
> Another approach could be to extend apache expressions with a function
> to query the DNS, but that seems a little overkill.
>
> Any thoughts?
>
>

-- 
Fabien.

Re: access control for dynamic hosts

Posted by fa...@apache.org.
>> How about "Require dns" (and mod_authz_dns) for the name?
>
> I think it is  reasonable to extend authz_host to disable the reverse
> check when requested (via some new first arg to require)

Note that the inner working logic is different, but this is an 
implementation detail.

What syntax would be appropriate?

   Require forward host foo.apache.org
   Require host forward-only foo.apache.org

Or maybe just a tag in front of the names?

   Require host mydomain.org !mydynahost.domain.org
   Require host mydomain.org *mydynahost.domain.org
   Require host mydomain.org ?mydynahost.domain.org

???

-- 
Fabien.

Re: access control for dynamic hosts

Posted by Yann Ylavic <yl...@gmail.com>.
On Tue, Mar 1, 2016 at 4:01 PM, Yann Ylavic <yl...@gmail.com> wrote:
> On Tue, Mar 1, 2016 at 3:31 PM, Eric Covener <co...@gmail.com> wrote:
>> On Tue, Mar 1, 2016 at 8:19 AM, Yann Ylavic <yl...@gmail.com> wrote:
>>> How about "Require dns" (and mod_authz_dns) for the name?
>>
>> I think it is  reasonable to extend authz_host to disable the reverse
>> check when requested (via some new first arg to require)
>
> Good idea.

Oops, it seems this has been abandoned already :p

Re: access control for dynamic hosts

Posted by Yann Ylavic <yl...@gmail.com>.
On Tue, Mar 1, 2016 at 3:31 PM, Eric Covener <co...@gmail.com> wrote:
> On Tue, Mar 1, 2016 at 8:19 AM, Yann Ylavic <yl...@gmail.com> wrote:
>> How about "Require dns" (and mod_authz_dns) for the name?
>
> I think it is  reasonable to extend authz_host to disable the reverse
> check when requested (via some new first arg to require)

Good idea.

Re: access control for dynamic hosts

Posted by Eric Covener <co...@gmail.com>.
On Tue, Mar 1, 2016 at 8:19 AM, Yann Ylavic <yl...@gmail.com> wrote:
> How about "Require dns" (and mod_authz_dns) for the name?

I think it is  reasonable to extend authz_host to disable the reverse
check when requested (via some new first arg to require)

RE: access control for dynamic hosts

Posted by fa...@apache.org.
Hello Rick,

> Forward doesn’t mean dynamic, however, and using one particular solution 
> like that is misleading, IMO.  Using “forward-dns” makes more sense to 
> me.

Yep, with such a name what it does is pretty clear.

> That said, how would you intend to handle multiple A records for the 
> same name: look them all up and store in a table, or support only one A 
> record per name?  At a minimum, I think that needs to be clearly 
> documented.

Sure. The "poc" implementation posted up-thread walks over all the records 
till a match is found, or this is a deny.

There is no attempt at caching anything, as the actual use case is to deal 
with dynamic dns hosts, so with pretty short refresh times. Caching is the 
problem of the dns resolver.

-- 
Fabien.
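
The forward-only check described in this thread (take every address the configured name resolves to, grant on the first one equal to the client address, deny otherwise), as an added C example; it is not the patch posted to the list nor httpd's own code. The names `forward_dns_allows` and `parse_addr` are hypothetical, and the `records` array is an assumption standing in for the resolver's answer so the example runs offline.

```c
#include <sys/socket.h>
#include <arpa/inet.h>
#include <stddef.h>
#include <string.h>

/* Parsed address: family plus raw bytes, so that the comparison is done on
 * the binary form and not on the textual spelling of the address. */
struct addr {
    int family;               /* AF_INET or AF_INET6 */
    unsigned char bytes[16];
    size_t len;               /* 4 or 16 */
};

/* Parse a textual IPv4 or IPv6 address; 0 on success, -1 otherwise. */
static int parse_addr(const char *text, struct addr *out)
{
    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, text, out->bytes) == 1) {
        out->family = AF_INET;
        out->len = 4;
        return 0;
    }
    if (inet_pton(AF_INET6, text, out->bytes) == 1) {
        out->family = AF_INET6;
        out->len = 16;
        return 0;
    }
    return -1;
}

/* records: the A/AAAA answers for the configured name (hypothetical input;
 * a real module would obtain them from the resolver on each request).
 * Returns 1 to grant, 0 to deny. An empty or unparsable answer denies. */
int forward_dns_allows(const char *client_ip,
                       const char *const *records, size_t n)
{
    struct addr client, rec;
    size_t i;

    if (parse_addr(client_ip, &client) != 0)
        return 0;                      /* cannot identify the client: deny */
    for (i = 0; i < n; i++) {
        if (parse_addr(records[i], &rec) != 0)
            continue;                  /* skip a malformed record */
        if (rec.family == client.family &&
            memcmp(rec.bytes, client.bytes, client.len) == 0)
            return 1;                  /* first matching record grants */
    }
    return 0;                          /* walked all records, no match */
}
```

No reverse lookup of the client address takes place here, which is the difference from "Require host" discussed in the thread.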

RE: access control for dynamic hosts

Posted by "Houser, Rick" <ri...@jackson.com>.
Forward doesn’t mean dynamic, however, and using one particular solution like that is misleading, IMO.  Using “forward-dns” makes more sense to me.

That said, how would you intend to handle multiple A records for the same name: look them all up and store in a table, or support only one A record per name?  At a minimum, I think that needs to be clearly documented.


Rick Houser

From: Yehuda Katz [mailto:yehuda@ymkatz.net]
Sent: Tuesday, March 01, 2016 10:09 AM
To: dev@httpd.apache.org
Subject: Re: access control for dynamic hosts

dyndns is a company name, but it seems to be synonymous for a lot of systems with dynamic-dns.
That would make a recognizable option for a lot of people.

- Y

On Tue, Mar 1, 2016 at 10:00 AM, Eric Covener <co...@gmail.com> wrote:
On Tue, Mar 1, 2016 at 9:53 AM,  <fa...@apache.org> wrote:
> Maybe "Require ip" could be extended instead of using a new name:
>
>   "Require ip myserver.apache.org"


Unfortunately I think you need to pick an awkward name here so it
cannot be confused/misused.  Like "forward-dns"

--
Eric Covener
covener@gmail.com


Re: access control for dynamic hosts

Posted by Yehuda Katz <ye...@ymkatz.net>.
dyndns is a company name, but it seems to be synonymous for a lot of
systems with dynamic-dns.
That would make a recognizable option for a lot of people.

- Y

On Tue, Mar 1, 2016 at 10:00 AM, Eric Covener <co...@gmail.com> wrote:

> On Tue, Mar 1, 2016 at 9:53 AM,  <fa...@apache.org> wrote:
> > Maybe "Require ip" could be extended instead of using a new name:
> >
> >   "Require ip myserver.apache.org"
>
>
> Unfortunately I think you need to pick an awkward name here so it
> cannot be confused/misused.  Like "forward-dns"
>
> --
> Eric Covener
> covener@gmail.com
>

Re: [VOTE] access control for dynamic hosts

Posted by Fabien <fa...@apache.org>.
>> Currently 2 votes:
>>
>> +1: Mario Brandt, Yann Ylavic
>
> I think you can go ahead, trunk is in CTR (Commit Then Review) mode.

I just committed the changes as r1734412:

https://svn.apache.org/viewvc?view=revision&revision=1734412

-- 
Fabien.

Re: [VOTE] access control for dynamic hosts

Posted by fa...@apache.org.
Hello Yann,

>> +1: Mario Brandt, Yann Ylavic
>
> I think you can go ahead, trunk is in CTR (Commit Then Review) mode.

Ok, I'll do a last check and commit soon.

-- 
Fabien.

Re: [VOTE] access control for dynamic hosts

Posted by fa...@apache.org.
Hello Yann,

> I guess this question is for me, not the doc :)

Yep!

> [...] So, finally, mentioning that *any* ip/host-based authz should be 
> combined with other authz/authn (SSL certificates, credentials schemes, 
> ...) for stronger requirements may be the way to go.

I agree that combining authz is the way to go, esp. with sensitive 
applications which are more and more hosted outside of organizations, or 
even provided as SaaS.

I'm not sure of a good place to discuss authorization policies in general 
in the documentation though.

> Or maybe simply not change the doc since all this might be quite obvious...

I would be fine with this solution:-)

-- 
Fabien.

Re: [VOTE] access control for dynamic hosts

Posted by Yann Ylavic <yl...@gmail.com>.
Hi Fabien,

On Wed, Mar 23, 2016 at 6:12 PM,  <fa...@apache.org> wrote:
>
> How about adding something like:
>
> From a security perspective, getting access to a protected page is somehow
> easier with "forward-dns" because the attacker needs only to control the DNS
> for the domain, while they would also need to control the reverse DNS with
> "host". Now, if you have important confidential data, they would not be
> only protected by host-based authorizations, would they?

I guess this question is for me, not the doc :)
Right, host-based is not the state of the art of authorizations, that
could also be documented for both "forward-dns" and "host"... maybe
without asking for an agreement from the reader? ;)

But reverse DNS is actually also easier to control than forward
anyway, so in both cases it really boils down to controlling the
configured host's domain (or the DNS/resolver used by the server).

So, finally, mentioning that *any* ip/host-based authz should be
combined with other authz/authn (SSL certificates, credentials
schemes, ...) for stronger requirements may be the way to go.
Or maybe simply not change the doc since all this might be quite obvious...

Regards,
Yann.

Re: [VOTE] access control for dynamic hosts

Posted by fa...@apache.org.
Hello Yann,

> ylavic: I would have liked more (doc) emphasis on the lower security of
>   "Require forward-dns" vs "Require host"'s double DNS lookup

How about adding something like:

From a security perspective, getting access to a protected page is somehow 
easier with "forward-dns" because the attacker needs only to control the 
DNS for the domain, while they would also need to control the reverse DNS 
with "host".  Now, if you have important confidential data, they would not 
be only protected by host-based authorizations, would they?

-- 
Fabien.

Re: [VOTE] access control for dynamic hosts

Posted by Yann Ylavic <yl...@gmail.com>.
Hi Fabien,

On Wed, Mar 9, 2016 at 5:44 PM,  <fa...@apache.org> wrote:
>
> Currently 2 votes:
>
> +1: Mario Brandt, Yann Ylavic

I think you can go ahead, trunk is in CTR (Commit Then Review) mode.
You may have more feedback when done...

Regards,
Yann.

Re: [VOTE] access control for dynamic hosts

Posted by fa...@apache.org.
> I'm proposing to commit the patch if I'm given a go.

Currently 2 votes:

+1: Mario Brandt, Yann Ylavic

-- 
Fabien.

Re: access control for dynamic hosts (vote?)

Posted by Mario Brandt <jb...@gmail.com>.
+1

On 6 March 2016 at 14:12, Fabien <fa...@apache.org> wrote:
>
>> Attached is a patch against the sources, including a documentation, which
>> use the syntax "Require forward-dns foo.apache.org".
>
>
> Here is a v2 which adds a missing "/" in the XML documentation.
>
> --
> Fabien.

Re: access control for dynamic hosts (vote?)

Posted by Fabien <fa...@apache.org>.
> Attached is a patch against the sources, including a documentation, which use 
> the syntax "Require forward-dns foo.apache.org".

Here is a v2 which adds a missing "/" in the XML documentation.

-- 
Fabien.

Re: access control for dynamic hosts (vote?)

Posted by Yann Ylavic <yl...@gmail.com>.
On Sun, Mar 6, 2016 at 8:13 AM, Fabien <fa...@apache.org> wrote:
>
> I'm proposing to commit the patch if I'm given a go.
>
> Vote?

LGTM, +1

Regards,
Yann.

Re: access control for dynamic hosts (vote?)

Posted by Fabien <fa...@apache.org>.
Hello Apache developers,

> Unfortunately I think you need to pick an awkward name here so it
> cannot be confused/misused.  Like "forward-dns"

Attached is a patch against the sources, including documentation, 
which uses the syntax "Require forward-dns foo.apache.org".

The second file is the same extension as an external module, for easy 
testing. The only differences from the integrated version are the error 
message texts, which are given the function name instead of an APLOGNO, and 
the absence of documentation.

I'm proposing to commit the patch if I'm given a go.

Vote?

-- 
Fabien.

Re: access control for dynamic hosts

Posted by Eric Covener <co...@gmail.com>.
On Tue, Mar 1, 2016 at 9:53 AM,  <fa...@apache.org> wrote:
> Maybe "Require ip" could be extended instead of using a new name:
>
>   "Require ip myserver.apache.org"


Unfortunately I think you need to pick an awkward name here so it
cannot be confused/misused.  Like "forward-dns"

-- 
Eric Covener
covener@gmail.com

Re: access control for dynamic hosts

Posted by fa...@apache.org.
Hello Yann,

> [...]
>
> Looks good to me.
>
> It would have to be documented though, especially the difference with
> "Require host" and maybe their complementarity (wrt security).

Sure, it needs a documentation, obviously. I will not commit anything 
without a doc.

> How about "Require dns" (and mod_authz_dns) for the name?

Hmm. Note that "Require host" also uses the DNS, doubly so. I'm not sure 
that naming one "dns" might not suggest that the other ones would not use 
it?

I think that "Require host" should really be named "Require domain" because 
it is what it does, then "Require host" would be available... but this is 
too late:-)

Maybe "Require ip" could be extended instead of using a new name:

   "Require ip myserver.apache.org"

Would query the DNS to get the IP when checking for the authorization.
Not sure that it is a good idea, though.

-- 
Fabien.

Re: access control for dynamic hosts

Posted by Yann Ylavic <yl...@gmail.com>.
Hi Fabien,

On Thu, Jan 14, 2016 at 9:38 AM, Fabien <fa...@apache.org> wrote:
>
> Would anyone have an opinion, please?
>
> Although I can just commit the proposed changes, a formal go would be nice.

Looks good to me.

It would have to be documented though, especially the difference with
"Require host" and maybe their complementarity (wrt security).

How about "Require dns" (and mod_authz_dns) for the name?

Regards,
Yann.