Posted to dev@httpd.apache.org by Dale Ghent <da...@elemental.org> on 2002/05/21 23:56:46 UTC

SetHandler/mod_access interaction

Just want to note a few observations with .37-dev here.

I set up the mod_info and mod_status handlers by uncommenting what comes
in the stock httpd.conf, replacing the sample Allow/Deny lines in those
blocks with the relevant hostnames and IP addresses I require (basically
it's all the same stuff that I used in my 1.3 conf.) HostnameLookups is
set to On.

The problem is that clients from "foo.com" get a 403, and ".foo.com" is in
the Allow line of the server-status and server-info blocks. If I add the
IP, then everything is fine, and the mod_{info|status} pages are served
back to the client.

It seems that, even though HostnameLookups is on, mod_access is denying
the host for only URLs that are generated by a module invoked by
SetHandler, as is the case with "/server-info" and "/server-status". If the
IP is added, then all is fine. So I don't think mod_access is getting the
DNS lookup of the client before it processes the request.

DNS does work for these clients - both forward and reverse. The hostname
is subsequently logged in the access_log... so this may be a case of the
DNS lookup being done too late in the game?

--------------

On that note, in either of the above cases, the server tries to lstat
$SERVER_ROOT/server-status and such. This seems like a waste... perhaps we
can short-circuit that logic if we know a URL location is handled within a
module such as mod_info and mod_status?

I can provide truss output for those interested.

--------------

And finally, whilst trying to figure out the above problem, I noticed this
in my error_log when a 403 errordoc is generated:

[Tue May 21 17:09:49 2002] [error] [client 164.109.8.252] Invalid
expression "$REDIRECT_URL = /\/$/" in file
/local/apache2/error/HTTP_FORBIDDEN.html.var

Of course, those are stock errordocs. It seems like
HTTP_FORBIDDEN.html.var is the only one with that regex in it.

--------------

/dale



Re: SetHandler/mod_access interaction

Posted by Zac Stevens <bu...@cryptocracy.com>.
Hi Dale,

On Tue, May 21, 2002 at 05:56:46PM -0400, Dale Ghent wrote:
> The problem is that clients from "foo.com" get a 403, and ".foo.com" is in
> the Allow line of the server-status and server-info blocks. If I add the
> IP, then everything is fine, and the mod_{info|status} pages are served
> back to the client.

I'm having a little trouble understanding exactly what you're doing here,
but if you're saying that the clients are connecting from a host whose
address resolves to "foo.com", then that is why ".foo.com" doesn't work.

The latter will match "<anything>.foo.com" but not "foo.com" itself.  Have
you tried adding "foo.com" to your Allow line?


My apologies if I'm barking up the wrong tree here...


Zac
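
Added example (not part of the thread, and not mod_access source code): a small C model of the suffix matching Zac describes, following the documented rule that an Allow hostname entry matches names that equal it or end in it on a whole-component boundary. The function name host_in_domain and the sample hostnames are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: returns 1 if the resolved client name `host` is
 * covered by the Allow entry `entry`, 0 otherwise. Comparison is
 * case-insensitive, as hostnames are. */
static int host_in_domain(const char *entry, const char *host)
{
    size_t el = strlen(entry);
    size_t hl = strlen(host);

    if (hl < el)
        return 0;   /* "foo.com" is shorter than ".foo.com": cannot end in it */
    if (strcasecmp(entry, host + (hl - el)) != 0)
        return 0;   /* host does not end in the entry at all */
    if (hl == el)
        return 1;   /* entry and host are the same name */

    /* A suffix match only counts on a label boundary, so an entry of
     * "foo.com" must not let "nofoo.com" through. */
    return entry[0] == '.' || host[hl - el - 1] == '.';
}

int main(void)
{
    /* Constructed sample values, not taken from any real configuration. */
    static const char *entries[] = { ".foo.com", "foo.com" };
    static const char *hosts[] = {
        "foo.com", "www.foo.com", "nofoo.com", "WWW.FOO.COM"
    };
    size_t i, j;

    for (i = 0; i < sizeof entries / sizeof entries[0]; i++)
        for (j = 0; j < sizeof hosts / sizeof hosts[0]; j++)
            printf("Allow from %-9s client %-12s -> %s\n",
                   entries[i], hosts[j],
                   host_in_domain(entries[i], hosts[j]) ? "match" : "no match");
    return 0;
}
```

Under this model an entry of "foo.com" covers both the bare name and its subdomains, while ".foo.com" covers subdomains only.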