Re: allow from based on database query (2.4)

On 25-03-2012 00:12, John Karr wrote:

I hadn’t wanted to mention what I was thinking of doing as an alternative, because I really hoped that there was a better answer that I had failed to read/find the documentation on!

 

My two solutions in mind were (a) the application that maintains the ip list writes out a fresh copy of the ip allow from config file and a cron job periodically restarts apache, or (b) my stored procedure that apache uses for checking passwords takes the ip address as an added parameter and has the database check the ip address. I don’t like (a) because it will require me to restart the server frequently or accept a long potential delay in updates to the ip table. I don’t like (b) because I would rather a user from an unauthorized address be completely blocked and not even redirected to login, and when working on the config I would prefer separate queries/stored_procedures for ip and credentials.

 

It's still only early Monday morning - perhaps some whiz kid will wake up and give the right answer soon.
In the meantime, httpd comes with a set of modules and directives that will satisfy 99% of the population, but there will always be things that have either not been thought of, or are better suited as third party modules. There is, after all, a very useful API built into httpd that you can make use of rather easily and quickly if you have special needs for your web server. So, when in doubt, make a module!

And so I did; I made an example module that takes a text file (with a caching mechanism for only reading it if/when it updates), rifles through it, and checks if an IP is on the list or not. The example module source code can be found at http://www.humbedooh.com/mod_gatekeeper.zip and works with 2.4. The simple directives that you can put into place are:

<Location /foo/bar>
    GKEngine on
    GKAllow ip /foo/bar/allowed_ips.txt
    GKDeny ip /foo/bar/denied_ips.txt
</Location>

This is somewhat like writing a new .htaccess with updated rules whenever the IP list changes, but it has the advantage of being significantly faster in its execution since it only reads changes to your list when they occur.

One could (and I probably will) continue to work on this module, eventually allowing one to make more complex requirements using mod_dbd as a database gateway, such as:
<Location /foo>
    GKAllow REMOTE_HOST in mod_dbd using "SELECT `ip` FROM `grantedlist` WHERE `ip` = ?"
    GKAllow REMOTE_USER,REMOTE_PASSWORD in mod_dbd using "SELECT `user` FROM `grantedusers` WHERE `user` = ? AND `password` = MD5(?)"
    GKDeny from file /foo/bar/deny.txt
</Location>


I'm guessing this is more along the lines you had in mind? If so, I'll likely continue to work on this module over the course of the summer, and if it wasn't exactly what you had in mind, any input or opinions you may have are of course very welcome either on users@, or private to humbedooh@xxxxxxxxxx.

With regards,
Daniel.
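
The change-triggered reload that the module above describes (read the list file again only when it has changed, then check whether the client IP is on it), written out as an added example in Python. This is not mod_gatekeeper's source, it is an illustration of the same idea: each list file is re-parsed only when its mtime or size differs from the last parse, so updating the file is enough and no httpd restart is needed. Assumptions not stated in the mail: entries may be single addresses or CIDR networks (going a little beyond plain IP lines), `#` starts a comment, and a deny-list hit takes precedence over an allow-list hit. The `demo()` function builds its own sample files in a temporary directory, so the sample addresses are constructed, not taken from the thread.

```python
"""File-backed allow/deny gate with change-triggered reload (added example, not mod_gatekeeper)."""
import ipaddress
import os
import tempfile


class IpListFile:
    """One list file (one address or CIDR per line), re-parsed only when the file changes."""

    def __init__(self, path):
        self.path = path
        self._stamp = None       # (mtime_ns, size) of the version last parsed
        self._networks = []      # parsed ip_network objects

    def _parse(self):
        nets = []
        with open(self.path, encoding="utf-8") as fh:
            for raw in fh:
                line = raw.split("#", 1)[0].strip()   # assumption: '#' begins a comment
                if not line:
                    continue
                try:
                    nets.append(ipaddress.ip_network(line, strict=False))
                except ValueError:
                    # A malformed entry is skipped rather than invalidating the whole list;
                    # a real module would log it at warn level.
                    continue
        return nets

    def networks(self):
        """Return the parsed list, reloading it first if the file changed on disk."""
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            self._stamp, self._networks = None, []   # missing file == empty list
            return self._networks
        stamp = (st.st_mtime_ns, st.st_size)
        if stamp != self._stamp:
            self._networks = self._parse()
            self._stamp = stamp
        return self._networks

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks())


class GateKeeper:
    """Mirror of 'GKAllow ip <file>' / 'GKDeny ip <file>'; assumption: deny wins over allow."""

    def __init__(self, allow_path, deny_path):
        self.allow = IpListFile(allow_path)
        self.deny = IpListFile(deny_path)

    def is_allowed(self, ip):
        if self.deny.contains(ip):
            return False
        return self.allow.contains(ip)


PROBE_IPS = ("192.0.2.10", "192.0.2.11", "198.51.100.5", "198.51.100.77")


def demo():
    """Constructed scenario: decisions before and after the allow list is edited in place."""
    workdir = tempfile.mkdtemp(prefix="gatekeeper-")
    allow_path = os.path.join(workdir, "allowed_ips.txt")
    deny_path = os.path.join(workdir, "denied_ips.txt")
    with open(allow_path, "w", encoding="utf-8") as fh:
        fh.write("192.0.2.10\n198.51.100.0/24   # constructed office range\nnot-an-ip\n")
    with open(deny_path, "w", encoding="utf-8") as fh:
        fh.write("198.51.100.77\n")

    gk = GateKeeper(allow_path, deny_path)
    before = {ip: gk.is_allowed(ip) for ip in PROBE_IPS}

    # The application maintaining the list appends an address; the next check picks it up.
    with open(allow_path, "a", encoding="utf-8") as fh:
        fh.write("192.0.2.11\n")
    after = {ip: gk.is_allowed(ip) for ip in PROBE_IPS}
    return before, after


if __name__ == "__main__":
    for label, decisions in zip(("before", "after"), demo()):
        print(label, decisions)
```

Using the mtime alone as the change stamp is not enough on filesystems with coarse timestamps, which is why the size is included as well; a production module would also want to handle a partially written file (have the maintaining application write to a temporary name and rename over the list).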
