On 25-03-2012 00:12, John Karr wrote:
I
hadn’t want to mention what I was thinking of doing as an
alternative, because I really hoped that there was a better
answer that I had failed to read/find the documentation on!
My
two solutions in mind were (a) the application that
maintains the ip list writes out a fresh copy of the ip
allow from config file and a cron job periodically restarts
apache (b) my stored procedure that apache uses for checking
passwords takes the ip address as an added parameter and
have the database check the ip address. I don’t like (a)
because it will require me to restart the server frequently
or accept a long potential delay in updates to the ip table.
I don’t like (b) because I would rather a user from an
unauthorized address be completely blocked and not even
redirected to login and when working on the config I would
prefer separate queries/stored_procedures for ip and
credentials.
It's still only early Monday morning - perhaps some wiz kid will
wake up and give the right answer soon.
In the meantime; httpd comes with a set of modules and directives
that will satisfy 99% of the population, but there will always be
things that have either not been thought of, or are better suited as
third party modules. There is, after all, a very useful API built
into httpd that you can make use of rather easy and fast if you have
special needs for your web server. So, when in doubt, make a module!
And so I did; I made an example module that takes a text file (with
a caching mechanism for only reading it if/when it updates), rifles
through it, and checks if an IP is on the list or not. The example
module source code can be found at
http://www.humbedooh.com/mod_gatekeeper.zip and works with 2.4. The
simple directives that you can put into place are:
<Location /foo/bar>
GKEngine on
GKAllow ip /foo/bar/allowed_ips.txt
GKDeny ip /foo/bar/denied_ips.txt
</Location>
This is somewhat like writing a new .htaccess with updated
rules whenever the IP list changes, but it has the advantage of
being significantly faster in its execution since it only reads
changes to your list when they occur.
One could (and I probably will) continue to work on this module,
eventually allowing one to make more complex requirements using
mod_dbd as a database gateway, such as:
<Location /foo>
GKAllow REMOTE_HOST in mod_dbd using "SELECT `ip`
FROM `grantedlist` WHERE `ip` = ?"
GKAllow REMOTE_USER,REMOTE_PASSWORD in mod_dbd using
"SELECT `user` FROM `grantedusers` WHERE `user` = ? AND
`password` = MD5(?)"
GKDeny from file /foo/bar/deny.txt
</Location>
I'm guessing this is more along the lines you had in mind? If so,
I'll likely continue to work on this module over the course of the
summer, and if it wasn't exactly what you had in mind, any input or
opinions you may have are of course very welcome either on users@,
or private to humbedooh@xxxxxxxxxx.
With regards,
Daniel.
|
