Posted to users@httpd.apache.org by Eric <py...@gmail.com> on 2008/06/01 03:37:24 UTC

[users@httpd] Consequences of disabling mod_authz_host?

From what I understand, mod_authz_host always performs two DNS lookups
per request when mod_authz_host is enabled, regardless of whether any
host-based blockings are used. I don't need that, in fact, the only
part of mod_authz_host I use is to set "Order allow,deny" and "Allow
from all" or "Deny from all".

If I disable mod_authz_host, what are the risks? Currently the only
blocks I have are from:

<Directory />
  Order allow,deny
  Deny from all
</Directory>

and

<FilesMatch "^\.svn">
  Order allow,deny
  Deny from all
</FilesMatch>

I can block the latter with mod_rewrite. Is the first even necessary?
It was in my distro's default httpd.conf.

Thanks!

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Consequences of disabling mod_authz_host?

Posted by Joshua Slive <jo...@slive.ca>.
On Sat, May 31, 2008 at 9:37 PM, Eric <py...@gmail.com> wrote:
> From what I understand, mod_authz_host always performs two DNS lookups
> per request when mod_authz_host is enabled, regardless of whether any
> host-based blockings are used.

No, that's not true to the best of my knowledge. If it were true, it
would be a major bug. The lookups are performed only for hostnames (or
things that appear to mod_authz_host to be hostnames).

> I don't need that, in fact, the only
> part of mod_authz_host I use is to set "Order allow,deny" and "Allow
> from all" or "Deny from all".
>
> If I disable mod_authz_host, what are the risks? Currently the only
> blocks I have are from:
>
> <Directory />
>  Order allow,deny
>  Deny from all
> </Directory>
>
> and
>
> <FilesMatch "^\.svn">
>  Order allow,deny
>  Deny from all
> </FilesMatch>
>
> I can block the latter with mod_rewrite. Is the first even necessary?
> It was in my distro's default httpd.conf.

If you don't need host-based blocking, you can disable mod_authz_host.
The first block is basically just a safety feature to try to prevent
you from accidentally exposing things that you intend to be protected.
If the rest of your config is correct, it doesn't do anything.

Joshua.
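
A check one might run before unloading the module, as an added example that is not part of the original thread: it lists every Order/Allow/Deny line in a configuration together with its enclosing section, and reports whether the `<Directory />` safety net is present. It assumes Apache 2.2, where those three directives are provided by mod_authz_host; the function names and SAMPLE_CONF (including the /var/www/html path) are constructed for illustration.

```python
import re

# Assumption: Apache 2.2, where these directives come from mod_authz_host.
AUTHZ_HOST_DIRECTIVES = {"order", "allow", "deny"}

# Constructed sample, modelled on the two blocks quoted in the thread.
SAMPLE_CONF = r'''
<Directory />
  Order allow,deny
  Deny from all
</Directory>
<Directory "/var/www/html">
  Order allow,deny
  Allow from all
</Directory>
<FilesMatch "^\.svn">
  Order allow,deny
  Deny from all
</FilesMatch>
'''

def authz_host_usage(conf_text):
    """Return (line_no, enclosing_section, directive) per Order/Allow/Deny line."""
    stack, found = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            stack = stack[:-1]                      # leave the current section
        elif line.startswith("<"):
            stack.append(line.strip("<>").strip())  # enter a section
        elif line.split()[0].lower() in AUTHZ_HOST_DIRECTIVES:
            found.append((no, stack[-1] if stack else "(server config)", line))
    return found

def default_deny_present(conf_text):
    """True if a <Directory /> section contains "Deny from all"."""
    for _, section, line in authz_host_usage(conf_text):
        name, _, arg = section.partition(" ")
        if (name.lower() == "directory" and arg.strip().strip('"') == "/"
                and re.fullmatch(r"deny\s+from\s+all", line, re.I)):
            return True
    return False

if __name__ == "__main__":
    for no, section, line in authz_host_usage(SAMPLE_CONF):
        print(f"line {no}: <{section}> {line}")
    print("default deny on / :", default_deny_present(SAMPLE_CONF))
```

The scan reads a single configuration text and does not follow Include directives or .htaccess files, so each file has to be passed in separately.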
