Posted to cvs@httpd.apache.org by fa...@apache.org on 2016/03/10 14:33:32 UTC
svn commit: r1734412 - in /httpd/httpd/trunk:
docs/log-message-tags/next-number docs/manual/mod/mod_authz_host.xml
modules/aaa/mod_authz_host.c
Author: fabien
Date: Thu Mar 10 13:33:31 2016
New Revision: 1734412
URL: http://svn.apache.org/viewvc?rev=1734412&view=rev
Log:
mod_authz_host: add a new "forward-dns" authorization type
This new type does not rely on reverse DNS lookups.
Modified:
httpd/httpd/trunk/docs/log-message-tags/next-number
httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml
httpd/httpd/trunk/modules/aaa/mod_authz_host.c
Modified: httpd/httpd/trunk/docs/log-message-tags/next-number
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/log-message-tags/next-number?rev=1734412&r1=1734411&r2=1734412&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/log-message-tags/next-number (original)
+++ httpd/httpd/trunk/docs/log-message-tags/next-number Thu Mar 10 13:33:31 2016
@@ -1 +1 @@
-3354
+3357
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml?rev=1734412&r1=1734411&r2=1734412&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml Thu Mar 10 13:33:31 2016
@@ -58,7 +58,8 @@ address)</description>
<p>Apache's <directive module="mod_authz_core">Require</directive>
directive is used during the authorization phase to ensure that a user is allowed or
denied access to a resource. mod_authz_host extends the
- authorization types with <code>ip</code>, <code>host</code> and <code>local</code>.
+ authorization types with <code>ip</code>, <code>host</code>,
+ <code>forward-dns</code> and <code>local</code>.
Other authorization types may also be
used but may require that additional authorization modules be loaded.</p>
@@ -157,6 +158,29 @@ Require host .net example.edu
</section>
+<section id="reqfwddns"><title>Require forward-dns</title>
+
+ <p>The <code>forward-dns</code> provider allows access to the server
+ to be controlled based on simple host names. When
+ <code>Require forward-dns <var>host-name</var></code> is specified,
+ all IP addresses corresponding to <code><var>host-name</var></code>
+ are allowed access.</p>
+
+ <p>In contrast to the <code>host</code> provider, this provider does not
+ rely on reverse DNS lookups: it simply queries the DNS for the host name
+ and allows a client if its IP matches. As a consequence, it will only
+ work with host names, not domain names. However, as the reverse DNS is
+ not used, it will work with clients which use a dynamic DNS service.</p>
+
+ <highlight language="config">
+Require forward-dns bla.example.org
+ </highlight>
+
+ <p>A client the IP of which is resolved from the name
+ <code>bla.example.org</code> will be granted access.</p>
+
+</section>
+
<section id="reqlocal"><title>Require local</title>
<p>The <code>local</code> provider allows access to the server if any
Modified: httpd/httpd/trunk/modules/aaa/mod_authz_host.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_host.c?rev=1734412&r1=1734411&r2=1734412&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_host.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_host.c Thu Mar 10 13:33:31 2016
@@ -216,6 +216,71 @@ static authz_status host_check_authoriza
return AUTHZ_DENIED;
}
+static authz_status
+forward_dns_check_authorization(request_rec *r,
+ const char *require_line,
+ const void *parsed_require_line)
+{
+ const char *err = NULL;
+ const ap_expr_info_t *expr = parsed_require_line;
+ const char *require, *t;
+ char *w;
+
+ /* the require line is an expression, which is evaluated now. */
+ require = ap_expr_str_exec(r, expr, &err);
+ if (err) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03354)
+ "Can't evaluate require expression: %s", err);
+ return AUTHZ_DENIED;
+ }
+
+ /* tokenize expected list of names */
+ t = require;
+ while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
+
+ apr_sockaddr_t *sa;
+ apr_status_t rv;
+ char *hash_ptr;
+
+ /* stop on apache configuration file comments */
+ if ((hash_ptr = ap_strchr(w, '#'))) {
+ if (hash_ptr == w) {
+ break;
+ }
+ *hash_ptr = '\0';
+ }
+
+ /* does the client ip match one of the names? */
+ rv = apr_sockaddr_info_get(&sa, w, APR_UNSPEC, 0, 0, r->pool);
+ if (rv == APR_SUCCESS) {
+
+ while (sa) {
+ int match = apr_sockaddr_equal(sa, r->useragent_addr);
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03355)
+ "access check for %s as '%s': %s",
+ r->useragent_ip, w, match? "yes": "no");
+ if (match) {
+ return AUTHZ_GRANTED;
+ }
+
+ sa = sa->next;
+ }
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(03356)
+ "No sockaddr info for \"%s\"", w);
+ }
+
+ /* stop processing, we are in a comment */
+ if (hash_ptr) {
+ break;
+ }
+ }
+
+ return AUTHZ_DENIED;
+}
+
static authz_status local_check_authorization(request_rec *r,
const char *require_line,
const void *parsed_require_line)
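Review bot: The forward lookup via `apr_sockaddr_info_get` under the `/* does the client ip match one of the names? */` comment runs synchronously on every request for every configured name, with no caching of the resolved addresses, so a slow or unreachable resolver stalls the worker for the duration of the lookup and each access decision is only as trustworthy as the DNS answer received for that particular request. The APLOG_WARNING with APLOGNO(03356) is likewise emitted once per request per unresolvable name, which can flood the error log under load when a configured name stops resolving. I would at least document the trade-off above the function, e.g. `/* Each configured name is resolved with a forward DNS lookup on every request (no caching); access is granted if any returned address equals r->useragent_addr, so the resolver's answer is the trust anchor here. */`, and consider whether the failed-lookup message belongs at APLOG_DEBUG like the match trace at APLOGNO(03355), or behind a per-name one-shot condition. The same reasoning applies to the `authz_forward_dns_provider` registration in the later hunks, which exposes this path as `Require forward-dns` without further safeguards.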
@@ -265,6 +330,12 @@ static const authz_provider authz_host_p
&host_parse_config,
};
+static const authz_provider authz_forward_dns_provider =
+{
+ &forward_dns_check_authorization,
+ &host_parse_config,
+};
+
static const authz_provider authz_local_provider =
{
&local_check_authorization,
@@ -309,6 +380,10 @@ static void register_hooks(apr_pool_t *p
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "host",
AUTHZ_PROVIDER_VERSION,
&authz_host_provider, AP_AUTH_INTERNAL_PER_CONF);
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "forward-dns",
+ AUTHZ_PROVIDER_VERSION,
+ &authz_forward_dns_provider,
+ AP_AUTH_INTERNAL_PER_CONF);
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "local",
AUTHZ_PROVIDER_VERSION,
&authz_local_provider, AP_AUTH_INTERNAL_PER_CONF);