Posted to users@httpd.apache.org by Michael Alipio <da...@yahoo.com> on 2008/06/19 10:11:11 UTC

[users@httpd] allow from "hostname" not working..

I have the following directives in .htaccess in one of
my directories.

<Limit HEAD GET POST>
order allow,deny
allow from myhost.dyndns.org
</Limit>


Now for the testing:
dig myhost.dyndns.org.. the hostname resolves
properly.


When I tried it in my browser, I kept getting denied.
When I looked at my error log, it says, denied by
server configuration....


When I looked at the access log, I saw that when my PC
accessed the website, Apache did a reverse lookup on the
IP and it had the hostname given by my ISP, not the
one I registered in dyndns.org. Basically I just want
to only allow my dynamic IP workstation to access a
particular directory in my website. It seems like "allow
from hostname" is not working for me. I'm using the
latest apache2.

Any idea what might be causing this?

I'm guessing, since Apache learned the hostname of my
dynamic IP workstation via reverse lookups, when it
was about to process my LIMIT directives, it tried to
resolve the first hostname it learned. And when it did
it, it did not resolve to anything. I tried resolving
the hostname assigned by my ISP but it did not resolve
to any IP. So perhaps the IP only has reverse entries
and no forward..


Any idea how to fix this??

Thanks!

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] allow from "hostname" not working..

Posted by André Warnier <aw...@ice-sa.com>.

Michael Alipio wrote:
[...]

> Though I'm still wondering if there is a way to tell
> apache to just skip reverse resolving before
> evaluating the "allow from hostname" rule...
> 

The rest is ok, but the phrase above shows that you are still missing a 
part of the explanation.

Apache /does not know/ the hostname and domainname of the workstation 
from which the request is sent.  That information is not included in the 
HTTP request from your browser.
Apache knows 3 things :
- the IP address from which the HTTP connection to itself is being made
- the hostname of the server that you are trying to reach
- the URL that you are requesting (of course)

(That's the essentials; there is more stuff, but nothing to do with the 
IP addresses, domains, etc..)

So, Apache knows the IP address from which you are talking to it.
But if it wants to know which is the DNS name corresponding to that IP 
address, it /must/ do a reverse DNS lookup.
And by saying "Allow from (domain)", you are telling it to do that.
You cannot stop it from doing that, or "Allow from (domain)" would never 
work.  Those two things depend absolutely on each other.
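The decision this reply describes, as an added example that is not code from the thread or from httpd: a Python model of how httpd evaluates "Allow from <domain>" when all it has is the client's IP address. The DNS answers are a constructed table standing in for real lookups, so it runs offline. One step goes beyond what the reply says: httpd trusts the reverse (PTR) name only if a forward lookup of that name gives the client's IP back (the double-reverse check in mod_access / mod_authz_host); the suffix matching rule is the module's as well, so that "Allow from good.com" does not admit nogood.com.

```python
"""Model of httpd's "Allow from <domain>" decision, given only the client IP.

Added example, not code from the thread or from httpd.  DNS data below is
a constructed table; the forward-confirmation step and the suffix rule
mirror mod_access / mod_authz_host behaviour.
"""
from typing import Optional

# Constructed DNS data for the scenario in the thread.
REVERSE = {  # PTR records: IP -> name (a missing key means NXDOMAIN)
    "203.0.113.45": "tip2345.dialup-timbuctu.myisp.net",
    "203.0.113.99": "bogus.example.net",  # PTR that will not forward-confirm
}
FORWARD = {  # A records: name -> IPs
    "tip2345.dialup-timbuctu.myisp.net": ["203.0.113.45"],
    "myhost.dyndns.org": ["203.0.113.45"],  # the dyndns name points at the same IP
    "bogus.example.net": ["198.51.100.7"],
}


def double_reverse_hostname(ip: str, reverse=REVERSE, forward=FORWARD) -> Optional[str]:
    """Return the client's DNS name as httpd would trust it, or None.

    1. PTR lookup of the IP.  No PTR -> no name at all.
    2. A lookup of that name; it must contain the original IP, otherwise the
       PTR is treated as untrustworthy and discarded.
    """
    name = reverse.get(ip)
    if name is None:
        return None
    if ip not in forward.get(name, []):
        return None
    return name


def in_domain(domain: str, host: str) -> bool:
    """Suffix match on label boundaries: "good.com" must not admit "nogood.com"."""
    domain, host = domain.lower(), host.lower()
    if len(host) < len(domain) or not host.endswith(domain):
        return False
    if len(host) == len(domain):
        return True  # matched the whole name
    return domain.startswith(".") or host[-len(domain) - 1] == "."


def allow_from_domain(ip: str, domain: str, reverse=REVERSE, forward=FORWARD) -> bool:
    """Does "Allow from <domain>" admit a request arriving from <ip>?

    Note what is never consulted: the A record of <domain>.  httpd does not
    ask "which IP does myhost.dyndns.org have"; it asks "what is this IP
    called", so a dyndns name never matches a client whose PTR belongs to
    the ISP's naming scheme.
    """
    host = double_reverse_hostname(ip, reverse, forward)
    if host is None:
        return False
    return in_domain(domain, host)


def allow_from_ip(ip: str, allowed_ip: str) -> bool:
    """"Allow from <ip>" needs no DNS at all: a plain comparison."""
    return ip == allowed_ip


if __name__ == "__main__":
    client = "203.0.113.45"
    print("Allow from myhost.dyndns.org         ->", allow_from_domain(client, "myhost.dyndns.org"))
    print("Allow from dialup-timbuctu.myisp.net ->", allow_from_domain(client, "dialup-timbuctu.myisp.net"))
    print("Allow from timbuctu.myisp.net        ->", allow_from_domain(client, "timbuctu.myisp.net"))
    print("Allow from 203.0.113.45              ->", allow_from_ip(client, "203.0.113.45"))
    print("client with no PTR                   ->", allow_from_domain("203.0.113.77", "myisp.net"))
    print("client with unconfirmed PTR          ->", allow_from_domain("203.0.113.99", "example.net"))
```

The first line of output is the original poster's situation: the dyndns name is correct and resolves, but the request is still denied, because the only name httpd ever sees for that IP is the ISP's. The third line shows why a partial suffix like "timbuctu.myisp.net" does not match either: the character before it in the PTR name is "-", not ".".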



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] allow from "hostname" not working..

Posted by Michael Alipio <da...@yahoo.com>.
Hi,

Alright. I was right about the reverse lookup thing.
And I already thought about that "allow from
.myispdomain.com" and also thought that it wouldn't be a
good idea because I would be allowing the entire IP
address space of my ISP. I think I'll probably just
write a script that will resolve the hostname of my
dyndns PC and just replace my "allow from
IP" in .htaccess.
Though I'm still wondering if there is a way to tell
apache to just skip reverse resolving before
evaluating the "allow from hostname" rule...


Thanks



> The first question is whether you should not just
> implement a simple 
> authentication for your server.  It's really easy if
> you do not have 
> many users.  Then you get rid of the IP-based
> control.
> Look here :
> http://httpd.apache.org/docs/2.2/en/mod/mod_auth_basic.html
> and
> <Location />
> # or AuthType Digest
> AuthType Basic
> AuthName "pirates be gone"
> AuthUserFile /web/users
> Require valid-user
> </Location>
> and look up htpasswd to create the users.
> 
> -- next, about what you are asking above --
> 
> I think you have the reasoning almost right, but not
> 100%.
> When your httpd server receives the request, it
> knows only from which IP 
> it is coming, it doesn't know any name (yet).
> When it encounters your "Allow from (domain)"
> line(s), it will try a DNS 
> reverse lookup with the IP, to check if this IP
> corresponds to any of 
> the domains given.
> This reverse DNS lookup however will (at best) give
> back the name given 
> to this IP address by the dynamic address allocation
> system of your 
> provider, e.g. something like
> "tip2345.dialup-timbuctu.myisp.net".
> This will not match the domain in the Allow
> directive, thus will be 
> rejected. (Or worse, your ISP does not do reverse IP
> registration, and 
> the request will return "NXdomain", and it will
> still not match in Apache).
> 
> Not recommended solution :
> If it's not very critical, and you are quite sure
> that your server is 
> well-configured, and you notice that the DNS name
> your ISP is giving you 
> always ends in the same thing (like
> "dialup-timbuctu.myisp.net"), you 
> could always put a directive "Allow from
> dialup-timbuctu.myisp.net", but 
> understand what it does first, and don't tell anyone
> I told you to do 
> that. It basically restricts the IPs allowed to
> access your server from 
> several million to several tens of thousands.
> So don't do this at work.
> And forget I even mentioned that.
> 
> Better :
> If you only need to do this occasionally, and have
> full control over the 
> server, then find out your current IP address and
> replace your "Allow 
> from (name)" by "Allow from (ip-address)" and
> restart Apache.  You'll 
> have to redo this each time your IP changes.
> 
> If you do need this more often and find the above a
> pain, but still can 
> restart your server whenever you want, then the
> simplest way may be a 
> small script which will find out your IP address, go
> modify the Allow 
> line above in httpd.conf, and restart your server. 
> Then make this an 
> icon on your desktop, so you can just click on it.
> Perl is your friend for things like that.
> 
> If it's more permanent, then there might be another
> way, if you have a 
> DNS domain at which you can ask for changes :
> It is possible to register a name in your own
> domain, and tell the DNS 
> server to go look up the dyndns.org name that you
> registered to get the 
> current IP address (*). Then your own domain's DNS
> server can answer 
> reverse DNS queries (and you'll have to make sure
> that your httpd server 
> is asking it first).
> Then instead of saying "Allow from xyz.dyndns.org",
> you would say "Allow 
> from xyz.mydomain.com".
> If your httpd server is at work, buy the DNS guy a
> beer.
> Of course, you will still have to make sure that the
> dyndns IP 
> registration is kept current when your real IP
> changes, but I suppose 
> you already do that.
> 
> And finally, if you're really adventurous, you could
> write a mod_perl 
> add-on module for Apache (as a PerlAccessHandler),
> that will do all this 
> dynamically for you each time you connect.  Then
> maybe the DNS guy will 
> buy you a beer, because he could use it too.
> But maybe go check the CPAN first, someone else may
> have preceded you.
> 
> There might be smarter ways to do this, and I'm sure
> other people have 
> better ideas.  But maybe then, you should tell on
> which platform you 
> are, with which version of Apache.
> 
> André
> 
> (*) essentially, you are telling your own DNS server
> that 
> "xyz.mycompany.com" is an alias for
> "xyz.dyndns.org".


Re: [users@httpd] allow from "hostname" not working..

Posted by André Warnier <aw...@ice-sa.com>.
Hi.

Michael Alipio wrote:
> I have the following directives in .htaccess in one of
> my directories.
> 
> <Limit HEAD GET POST>
> order allow,deny
> allow from myhost.dyndns.org
> </Limit>
> 
> 
> Now for the testing:
> dig myhost.dyndns.org.. the hostname resolves
> properly.
> 
> 
> When I tried it in my browser, I kept getting denied.
> When I looked at my error log, it says, denied by
> server configuration....
> 
> 
> When I looked at the access log, I saw that when my PC
> accessed the website, Apache did a reverse lookup on the
> IP and it had the hostname given by my ISP, not the
> one I registered in dyndns.org. Basically I just want
> to only allow my dynamic IP workstation to access a
> particular directory in my website. It seems like "allow
> from hostname" is not working for me. I'm using the
> latest apache2.
> 
> Any idea what might be causing this?
> 

The first question is whether you should not just implement a simple 
authentication for your server.  It's really easy if you do not have 
many users.  Then you get rid of the IP-based control.
Look here :
http://httpd.apache.org/docs/2.2/en/mod/mod_auth_basic.html
and
<Location />
# or AuthType Digest
AuthType Basic
AuthName "pirates be gone"
AuthUserFile /web/users
Require valid-user
</Location>
and look up htpasswd to create the users.

-- next, about what you are asking above --

I think you have the reasoning almost right, but not 100%.
When your httpd server receives the request, it knows only from which IP 
it is coming, it doesn't know any name (yet).
When it encounters your "Allow from (domain)" line(s), it will try a DNS 
reverse lookup with the IP, to check if this IP corresponds to any of 
the domains given.
This reverse DNS lookup however will (at best) give back the name given 
to this IP address by the dynamic address allocation system of your 
provider, e.g. something like "tip2345.dialup-timbuctu.myisp.net".
This will not match the domain in the Allow directive, thus will be 
rejected. (Or worse, your ISP does not do reverse IP registration, and 
the request will return "NXdomain", and it will still not match in Apache).

Not recommended solution :
If it's not very critical, and you are quite sure that your server is 
well-configured, and you notice that the DNS name your ISP is giving you 
always ends in the same thing (like "dialup-timbuctu.myisp.net"), you 
could always put a directive "Allow from dialup-timbuctu.myisp.net", but 
understand what it does first, and don't tell anyone I told you to do 
that. It basically restricts the IPs allowed to access your server from 
several million to several tens of thousands.
So don't do this at work.
And forget I even mentioned that.

Better :
If you only need to do this occasionally, and have full control over the 
server, then find out your current IP address and replace your "Allow 
from (name)" by "Allow from (ip-address)" and restart Apache.  You'll 
have to redo this each time your IP changes.

If you do need this more often and find the above a pain, but still can 
restart your server whenever you want, then the simplest way may be a 
small script which will find out your IP address, go modify the Allow 
line above in httpd.conf, and restart your server.  Then make this an 
icon on your desktop, so you can just click on it.
Perl is your friend for things like that.

If it's more permanent, then there might be another way, if you have a 
DNS domain at which you can ask for changes :
It is possible to register a name in your own domain, and tell the DNS 
server to go look up the dyndns.org name that you registered to get the 
current IP address (*). Then your own domain's DNS server can answer 
reverse DNS queries (and you'll have to make sure that your httpd server 
is asking it first).
Then instead of saying "Allow from xyz.dyndns.org", you would say "Allow 
from xyz.mydomain.com".
If your httpd server is at work, buy the DNS guy a beer.
Of course, you will still have to make sure that the dyndns IP 
registration is kept current when your real IP changes, but I suppose 
you already do that.

And finally, if you're really adventurous, you could write a mod_perl 
add-on module for Apache (as a PerlAccessHandler), that will do all this 
dynamically for you each time you connect.  Then maybe the DNS guy will 
buy you a beer, because he could use it too.
But maybe go check the CPAN first, someone else may have preceded you.

There might be smarter ways to do this, and I'm sure other people have 
better ideas.  But maybe then, you should tell on which platform you 
are, with which version of Apache.

André

(*) essentially, you are telling your own DNS server that 
"xyz.mycompany.com" is an alias for "xyz.dyndns.org".
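The "small script" suggested under "Better :" above, and the .htaccess rewrite Michael says he will write, as an added example that is not code from the thread: it forward-resolves the dyndns name (the one lookup httpd itself never makes for an Allow line) and swaps the resolved address into an "Allow from <ip>" line. Everything here is assumed: the hostname, the file path, the sample .htaccess, and the convention that the line to be rewritten is the one directly under a "# dyndns: <name>" comment, so that other Allow lines in the same block are left alone. The resolver is injectable so the script can be exercised offline with a constructed answer; by default it uses socket.gethostbyname.

```python
"""Keep an "Allow from <ip>" line in step with a dyndns name.

Added example, not code from the thread.  Hostname, path and sample file
are placeholders; the "# dyndns: <name>" marker is a convention chosen
here (httpd only allows comments on their own line, so the marker sits
on the line above the Allow directive it controls).
"""
import ipaddress
import re
import socket
from typing import Callable, Tuple

# A constructed .htaccess in the shape of the original poster's, with an
# extra Allow line that must survive the rewrite untouched.
SAMPLE_HTACCESS = """<Limit HEAD GET POST>
Order allow,deny
Allow from 127.0.0.1
# dyndns: myhost.dyndns.org
Allow from 192.0.2.10
</Limit>
"""

# Marker comment line followed by the Allow line it governs.
ALLOW_RE = re.compile(
    r"^(?P<marker>[ \t]*#[ \t]*dyndns:[ \t]*(?P<name>\S+)[ \t]*\n)"
    r"(?P<lead>[ \t]*allow[ \t]+from[ \t]+)(?P<target>\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def resolve_ipv4(name: str, resolver: Callable[[str], str] = socket.gethostbyname) -> str:
    """Forward-resolve the dyndns name and insist the answer is a literal IPv4 address."""
    return str(ipaddress.IPv4Address(resolver(name)))  # ValueError on anything else


def rewrite_allow(text: str, dyndns_name: str, new_ip: str) -> Tuple[str, bool]:
    """Point the marked Allow line for dyndns_name at new_ip.

    Returns (new_text, changed).  Only an IP literal is ever written, only the
    marked line is touched, and a file with no matching marker is refused
    rather than silently left open or closed.
    """
    ipaddress.IPv4Address(new_ip)  # refuse to write anything but an IP
    wanted = dyndns_name.lower()
    if not any(m.group("name").lower() == wanted for m in ALLOW_RE.finditer(text)):
        raise ValueError(f"no '# dyndns: {dyndns_name}' marked Allow line found")

    def repl(m: re.Match) -> str:
        if m.group("name").lower() != wanted:
            return m.group(0)  # a marker for some other name: leave it
        return m.group("marker") + m.group("lead") + new_ip

    new_text = ALLOW_RE.sub(repl, text)
    return new_text, new_text != text


def sync(path: str, dyndns_name: str, resolver: Callable[[str], str] = socket.gethostbyname) -> bool:
    """Resolve the name, rewrite the file only if the IP moved, report whether it did."""
    ip = resolve_ipv4(dyndns_name, resolver)
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    new_text, changed = rewrite_allow(text, dyndns_name, ip)
    if changed:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return changed


if __name__ == "__main__":
    # Offline demonstration with a constructed resolver answer.
    ip = resolve_ipv4("myhost.dyndns.org", lambda name: "203.0.113.45")
    new_text, changed = rewrite_allow(SAMPLE_HTACCESS, "myhost.dyndns.org", ip)
    print(f"changed={changed}\n{new_text}")
    # Real use, e.g. from cron every few minutes (path is a placeholder):
    # sync("/var/www/site/private/.htaccess", "myhost.dyndns.org")
```

Because .htaccess is re-read on each request, no restart is needed after the rewrite; if the Allow line lived in httpd.conf instead, as in the suggestion above, the script would also have to trigger a graceful restart. The change detection means a frequent cron run costs one DNS query and touches the file only when the address actually moves, which also keeps the file's mtime meaningful as a record of IP changes.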

