RE: allow from based on database query (2.4)

I hadn’t wanted to mention what I was thinking of doing as an alternative, because I really hoped there was a better answer that I had failed to read/find the documentation on!

My two solutions in mind were (a) the application that maintains the IP list writes out a fresh copy of the "allow from" config file and a cron job periodically restarts Apache, or (b) my stored procedure that Apache uses for checking passwords takes the IP address as an added parameter and has the database check the IP address. I don’t like (a) because it will require me to restart the server frequently or accept a long potential delay in updates to the IP table. I don’t like (b) because I would rather a user from an unauthorized address be completely blocked and not even redirected to login, and when working on the config I would prefer separate queries/stored procedures for IP and credentials.

From: Daniel Gruno [mailto:rumble@xxxxxxx]
Sent: Saturday, March 24, 2012 3:03 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: allow from based on database query (2.4)

On 24-03-2012 02:38, John Karr wrote:

I have an application that uses both IP and credentials authentication; currently, to update the "allow from" I have to edit a file and restart the server. My next release will be using Apache 2.4 with dbd authentication. I was wondering if there were a way to either have Apache get its IP address list for "allow from" from the database or to dynamically update the list Apache was using without needing to restart the server.


I have a way, but it's not necessarily pretty, and someone should probably shoot me for mentioning this.
What you can do, since the dawn of Man (or, since mod_rewrite), is use RewriteMap creatively and run it through a program that checks if the IP is on a whitelist and, if not, rewrites the URI to serve a static "forbidden!" file. The idea is that, as you can pass on any httpd argument, header etc. in a rewrite, you can pass on both the IP and the request URI to a program, which then splits it up, checks the IP and, if it checks out, passes back the URI.

First off, you would need to apply something like this to your configuration:
<Directory "/path/to/forbidden/zone">
    RewriteEngine On
    RewriteMap checkip prg:/path/to/checkip.pl
    # Hand "IP:URI" to the map program; whatever it prints back becomes the new URI.
    # The pattern must match every request path (a bare "-" pattern would only
    # match paths containing a hyphen; "-" is special only as the substitution).
    RewriteRule .* ${checkip:%{REMOTE_ADDR}:%{REQUEST_URI}}
</Directory>


You would then have a corresponding program (checkip.pl) running (httpd takes care of running this in the background for you):
#!/usr/bin/perl
use strict;
use warnings;

$| = 1; # Turn off output buffering: httpd waits for our answer line by line

sub DatabaseLookup {
    my ($ip) = @_;
    #doStuffHere(): query the IP table and return 1 if $ip is allowed, 0 otherwise
    return 0; # placeholder: deny everything until the real lookup is filled in
}

while (my $line = <STDIN>) { #For each incoming IP request, look it up in the db.
    chomp $line;
    # Separate the IP and the URI in the string httpd gave us; split on the first
    # ':' only, since the URI may itself contain colons (so does an IPv6 address,
    # which would need a different separator)
    my ($ip, $uri) = split(/:/, $line, 2);

    #Run some checks here to see if the IP matches one on our list
    if (defined $uri && DatabaseLookup($ip) == 1) {
        print "$uri\n"; # Allow the request through, unaltered
    }
    else { # If the IP isn't on our list, then...
        print "/forbidden.html\n"; # Rewrite to some static error file
    }
}


As mentioned, this is probably but one of the methods you could use, and it's prone to be a bottleneck if you have a lot of requests going on at once - but I've tested it and it works, so that's at least something.

I'm done - send in the firing squad.

With regards,
Daniel.
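As an added example (not part of Daniel's post, and not httpd's own code), here is the same prg: map written in Python, handling two things the Perl sketch leaves open. First, an IPv6 REMOTE_ADDR and a URI with a query string both contain colons, so the key is split at the first "/" (the start of REQUEST_URI) rather than at the first ":". Second, the allow-list is re-read on a timer, so the application that maintains the IP table can update it and the change takes effect without a restart, which was the original concern. The file path /etc/httpd/allowed-ips.txt, the refresh interval and the embedded sample CIDR list are assumptions for the demo; the database query the thread has in mind would replace the file read.

```python
#!/usr/bin/env python3
"""RewriteMap prg: handler that allows or blocks requests by client IP.

Protocol for mod_rewrite "prg:" maps: httpd writes one lookup key per line
to stdin and expects exactly one line back on stdout per key, unbuffered.
The key layout is whatever the RewriteRule put inside ${checkip:...};
here it is "<REMOTE_ADDR>:<REQUEST_URI>", as in the post above.
"""
import ipaddress
import sys
import time

FORBIDDEN = "/forbidden.html"              # static page handed to blocked clients
ALLOW_FILE = "/etc/httpd/allowed-ips.txt"  # assumed path, one network per line
REFRESH_SECONDS = 30                       # re-read the list at most this often

# Constructed sample list, used when ALLOW_FILE is absent (offline demo).
# Addresses are from the RFC 5737 / RFC 3849 documentation ranges.
SAMPLE_ALLOW_LIST = """
# office and VPN ranges
192.0.2.0/24
2001:db8:1::/48
::1
127.0.0.1
"""


def parse_allow_list(text):
    """Parse 'one network per line' text into ip_network objects.

    Blank lines and '#' comments are skipped; a bare address becomes /32 or
    /128. Bad lines are logged to stderr (httpd's error log) and ignored,
    because a map process that dies takes the whole rule down with it.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            print("checkip: ignoring bad entry %r" % line, file=sys.stderr)
    return nets


def parse_key(key):
    """Split '<ip>:<uri>' without tripping over IPv6 colons.

    Neither IPv4 nor IPv6 text contains '/', and REQUEST_URI starts with
    '/', so the first '/' begins the URI and the byte before it must be
    the ':' separator. Anything else returns None (caller fails closed).
    """
    i = key.find("/")
    if i < 1 or key[i - 1] != ":":
        return None
    return key[: i - 1], key[i:]


def is_allowed(ip_text, nets):
    """True if ip_text parses and falls inside any allowed network."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False                       # unparsable address: fail closed
    return any(addr in net for net in nets)


def map_key(key, nets):
    """Compute the line to hand back to httpd for one lookup key."""
    parsed = parse_key(key)
    if parsed is None:
        return FORBIDDEN
    ip_text, uri = parsed
    return uri if is_allowed(ip_text, nets) else FORBIDDEN


def main():
    nets, loaded_at = [], 0.0
    for raw in sys.stdin:                  # httpd sends one key per line
        now = time.time()
        if now - loaded_at > REFRESH_SECONDS:   # pick up list changes, no restart
            try:
                with open(ALLOW_FILE) as fh:
                    text = fh.read()
            except OSError:
                text = SAMPLE_ALLOW_LIST   # demo fallback when the file is absent
            nets, loaded_at = parse_allow_list(text), now
        sys.stdout.write(map_key(raw.rstrip("\r\n"), nets) + "\n")
        sys.stdout.flush()                 # httpd blocks until this line arrives


if __name__ == "__main__":
    main()
```

Wire it in with `RewriteMap checkip prg:/path/to/checkip.py` and the same RewriteRule as above. Malformed or unparsable keys map to the forbidden page rather than to the requested URI, and a bad list entry is skipped instead of raising, because httpd runs a single long-lived instance of a prg map, serialises lookups through it, and waits for its reply on every matching request.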

