Posted to dev@httpd.apache.org by Martin Kraemer <Ma...@mch.sni.de> on 1997/10/18 19:09:17 UTC

Re: [Announcement]: Apache 1.3beta2 Released (fwd)

Not acked

    Martin
-- 
| S I E M E N S |  <Ma...@mch.sni.de>  |      Siemens Nixdorf
| ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
| N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request

Re: [Announcement]: Apache 1.3beta2 Released (fwd)

Posted by Marc Slemko <ma...@worldgate.com>.
On Sat, 18 Oct 1997, Brian Behlendorf wrote:

> >I am wondering when/if apache will have a compile time option to use  
> >/etc/hosts.(allow|deny) on the fly....
> >
> >I know it can be done out of /etc/inetd.conf, but that is inefficient (so  
> >the docs say).

You really don't want to use inetd mode.

> >
> >It would be a very nice option.
> 
> Agreed - it would probably be pretty easy to do, too.  Use mod_access as a
> base, and figure out how often you'll want to open /etc/hosts (once at
> startup/restart, every hit? etc.).  Sounds like a great first Apache
> programming project!

The tcpd model allows for an easy hack of adding checks when the
connection is first received that call the libwrap function to check if
access should be allowed, and if not abort the connection right there.
This is a very raw access control, since tcpd doesn't really allow for
anything better.

Below is the start of a hacked change to do this that I was playing around
with in mid 1.2 beta.  It isn't complete and doesn't fit into the current
sources (or even 1.2 sources) very well, but shows the concept.

The biggest thing that has to be done (aside from cleaning it up)
is to do the stuff required so that you pass the hostname to hosts_ctl
and save it in Apache so the lookup doesn't have to be done twice.


Index: http_main.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/http_main.c,v
retrieving revision 1.101
diff -u -r1.101 http_main.c
--- http_main.c	1997/01/01 18:10:20	1.101
+++ http_main.c	1997/01/07 06:52:26
@@ -121,6 +121,11 @@
     #endif
 #endif
 
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity = LOG_INFO;
+int deny_severity = LOG_WARNING;
+
 
 DEF_Explain
 
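Review bot: the two includes and the `allow_severity`/`deny_severity` definitions are unconditional, so every build of http_main.c now needs tcpd.h at compile time and libwrap at link time, although the thread is asking for a compile-time option; wrap the five added lines in a guard (e.g. `#ifdef HAVE_LIBWRAP`, a name chosen here for illustration) and put the same guard around the hosts_ctl() call in the accept loop. A one-line comment saying that libwrap expects the linking program to define these two globals (they set the syslog level of its own messages about allowed and refused connections) would save the next reader a trip to the tcp_wrappers documentation.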
@@ -1607,12 +1612,27 @@
 		    log_unixerr("accept",NULL,"socket error: accept failed", server_conf);
 	    }
 
+
 	accept_mutex_off(); /* unlock after "accept" */
 
 	clen = sizeof(sa_server);
 	if(getsockname(csd, &sa_server, &clen) < 0) {
 	    log_unixerr("getsockname", NULL, NULL, server_conf);
 	    continue;
+	}
+
+	{
+	struct sockaddr_in *client = &sa_client;
+	log_printf(server_conf, "trying access for %s.\n", inet_ntoa(client->sin_addr));
+	if (!(hosts_ctl("apache", STRING_UNKNOWN, inet_ntoa(client->sin_addr), STRING_UNKNOWN))){
+		log_printf(server_conf, "denying access for client");
+		shutdown(csd, 2);
+		close (csd);
+		csd = -1;
+		continue;
+	}
 	}
 
 	sock_disable_nagle(csd);
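Review bot: the denial branch logs "denying access for client" without the client address and without a trailing newline, so a refused connection leaves no record of who was refused; call `inet_ntoa(client->sin_addr)` once into a local (it returns a static buffer) and use it in that message, and drop or demote the "trying access for %s.\n" line, which otherwise writes one log entry for every accepted connection from inside the accept loop. The daemon name "apache" and both STRING_UNKNOWN arguments are hard-coded: the daemon name belongs in configuration so an administrator can choose what hosts.allow entries are keyed on, and passing STRING_UNKNOWN as the client name means host-name patterns in hosts.allow/hosts.deny can never match this check, which is the lookup the covering text says still has to be wired in. The stray added blank line before `accept_mutex_off()` and the unindented body of the new `{ ... }` block are style nits.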

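What hosts_ctl() decides for the arguments the patch hands it, as an added example that is not code from the post, from Apache or from tcp_wrappers: a self-contained C re-implementation of a subset of the hosts_access(5) rules, with the policy lines, the daemon name "apache" and the client names and addresses all constructed for the example. It shows the allow-then-deny-then-default-allow order and why the STRING_UNKNOWN client name in the patch matters: a host-name pattern in hosts.allow cannot match until the resolved name is actually passed in.

```c
/* Added example, not from the original post, Apache or tcp_wrappers: a
 * small re-implementation of the decision hosts_ctl() makes from
 * hosts.allow/hosts.deny (hosts_access(5) semantics) so the accept-time
 * check in the patch can be reasoned about without linking libwrap.
 * Supported subset: "daemon_list : client_list [: options]" lines, the
 * wildcards ALL and UNKNOWN, leading-dot host-name suffixes, trailing-dot
 * address prefixes and n.n.n.n/m.m.m.m net/mask patterns.  EXCEPT, LOCAL,
 * KNOWN and PARANOID are left out on purpose. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define UNKNOWN_STR "unknown" /* what libwrap's STRING_UNKNOWN expands to */

/* Match one client pattern against the client's name and dotted-quad address. */
static int pattern_matches(const char *pat, const char *host, const char *addr)
{
    size_t plen = strlen(pat), hlen = strlen(host);
    struct in_addr net, mask, a;
    char netbuf[16], maskbuf[16];

    if (strcasecmp(pat, "ALL") == 0)
        return 1;
    if (strcasecmp(pat, "UNKNOWN") == 0)        /* client name not resolved */
        return strcmp(host, UNKNOWN_STR) == 0;
    if (pat[0] == '.')                          /* ".corp.example": name suffix */
        return hlen > plen && strcasecmp(host + hlen - plen, pat) == 0;
    if (pat[plen - 1] == '.')                   /* "10.1.": address prefix */
        return strncmp(addr, pat, plen) == 0;
    if (sscanf(pat, "%15[0-9.]/%15[0-9.]", netbuf, maskbuf) == 2
        && inet_aton(netbuf, &net) && inet_aton(maskbuf, &mask)
        && inet_aton(addr, &a))                 /* net/mask; byte order is irrelevant */
        return (a.s_addr & mask.s_addr) == (net.s_addr & mask.s_addr);
    return strcasecmp(pat, host) == 0 || strcmp(pat, addr) == 0;
}

/* One "daemon_list : client_list [: options]" line: both halves must match.
 * A line without ':' is treated as no match, as tcpd does (it warns). */
static int line_matches(const char *line, const char *daemon,
                        const char *host, const char *addr)
{
    char buf[256], *colon, *opt, *tok;
    int daemon_ok = 0, client_ok = 0;

    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    if ((colon = strchr(buf, ':')) == NULL)
        return 0;
    *colon = '\0';
    if ((opt = strchr(colon + 1, ':')) != NULL) /* drop the optional third field */
        *opt = '\0';
    for (tok = strtok(buf, ", \t"); tok; tok = strtok(NULL, ", \t"))
        if (strcasecmp(tok, "ALL") == 0 || strcasecmp(tok, daemon) == 0)
            daemon_ok = 1;
    for (tok = strtok(colon + 1, ", \t"); tok; tok = strtok(NULL, ", \t"))
        if (pattern_matches(tok, host, addr))
            client_ok = 1;
    return daemon_ok && client_ok;
}

/* The hosts_access(5) order: a hosts.allow match grants, otherwise a
 * hosts.deny match refuses, otherwise access is granted.  The files are
 * passed as NULL-terminated arrays of lines so nothing under /etc is read. */
int hosts_decide(const char *const *allow, const char *const *deny,
                 const char *daemon, const char *host, const char *addr)
{
    for (; allow && *allow; allow++)
        if (line_matches(*allow, daemon, host, addr))
            return 1;
    for (; deny && *deny; deny++)
        if (line_matches(*deny, daemon, host, addr))
            return 0;
    return 1;
}

/* Constructed sample policy: the office network and corp.example hosts may
 * reach the daemon registered as "apache"; everything else is refused. */
static const char *const sample_allow[] = {
    "apache : 10.1.2.0/255.255.255.0, .corp.example",
    NULL
};
static const char *const sample_deny[] = { "ALL : ALL", NULL };

int main(void)
{
    /* The same remote host, first with its resolved name and then the way
     * the patch calls hosts_ctl(), with STRING_UNKNOWN as the client name:
     * the .corp.example rule can only match when the name is passed in. */
    printf("vpn.corp.example / 203.0.113.5: %d\n",
           hosts_decide(sample_allow, sample_deny, "apache",
                        "vpn.corp.example", "203.0.113.5"));
    printf("unknown / 203.0.113.5: %d\n",
           hosts_decide(sample_allow, sample_deny, "apache",
                        UNKNOWN_STR, "203.0.113.5"));
    return 0;
}
```

Build with `cc -o hosts_decide hosts_decide.c` on any POSIX system; the first lookup prints 1 and the second 0, which is exactly the difference between resolving the client name before the check and passing STRING_UNKNOWN as the patch currently does. Note also the default: with no matching line in either file the decision is "allow", so a hosts.deny without a catch-all `ALL : ALL` protects nothing.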

Re: [Announcement]: Apache 1.3beta2 Released (fwd)

Posted by Brian Behlendorf <br...@organic.com>.
>I am wondering when/if apache will have a compile time option to use  
>/etc/hosts.(allow|deny) on the fly....
>
>I know it can be done out of /etc/inetd.conf, but that is inefficient (so  
>the docs say).
>
>It would be a very nice option.

Agreed - it would probably be pretty easy to do, too.  Use mod_access as a
base, and figure out how often you'll want to open /etc/hosts (once at
startup/restart, every hit? etc.).  Sounds like a great first Apache
programming project!

>ps -- thanks for your work on the project..... if I had any programming  
>skills, I'd be happy to help.... but I don't :-(

It's okay, we've never held up good programming skills as an absolute
requirement :)

	Brian



--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"it's a big world, with lots of records to play." - sig   brian@organic.com