Re: allow from "hostname" not working..

Hi.

Michael Alipio wrote:
I have the following directives in .htaccess in one of
my directories.

<LiMIT HEAD GET POST>
order allow,deny
allow from myhost.dyndns.org
</LIMIT>


Now for the testing:
dig myhost.dyndns.org.. the hostname resolves
properly.


When I tried it in my browser, I kept getting denied.
When I looked at my error log, it says, denied by
server configuration....


When I looked at the access log, I saw that when my PC
accessed the website, Apache did a reverse lookup on the
IP and it has the hostname given by my ISP, not the
one I registered in dyndns.org. Basically I just want
to only allow my dynamic IP workstation to access a
particular directory in my website. Seems like "allow
from hostname" is not working for me. I'm using the
latest apache2.

Any idea what might be causing this?


The first question is whether you should not just implement a simple authentication for your server. It's really easy if you do not have many users. Then you get rid of the IP-based control.
Look here :
http://httpd.apache.org/docs/2.2/en/mod/mod_auth_basic.html
and
<Location />
# AuthType can be Basic or Digest
AuthType Basic
AuthName "pirates be gone"
AuthUserFile /web/users
Require valid-user
</Location>
and look up htpasswd to create the users.

-- next, about what you are asking above --

I think you have the reasoning almost right, but not 100%.
When your httpd server receives the request, it knows only from which IP it is coming, it doesn't know any name (yet). When it encounters your "Allow from (domain)" line(s), it will try a DNS reverse lookup with the IP, to check if this IP corresponds to any of the domains given. This reverse DNS lookup however will (at best) give back the name given to this IP address by the dynamic address allocation system of your provider, e.g. something like "tip2345.dialup-timbuctu.myisp.net". This will not match the domain in the Allow directive, thus will be rejected. (Or worse, your ISP does not do reverse IP registration, and the request will return "NXdomain", and it will still not match in Apache).

Not recommended solution :
If it's not very critical, and you are quite sure that your server is well-configured, and you notice that the DNS name your ISP is giving you always ends in the same thing (like "dialup-timbuctu.myisp.net"), you could always put a directive "Allow from dialup-timbuctu.myisp.net", but understand what it does first, and don't tell anyone I told you to do that. It basically restricts the IPs allowed to access your server from several million to several tens of thousands.
So don't do this at work.
And forget I even mentioned that.

Better :
If you only need to do this occasionally, and have full control over the server, then find out your current IP address and replace your "Allow from (name)" by "Allow from (ip-address)" and restart Apache. You'll have to redo this each time your IP changes.

If you do need this more often and find the above a pain, but still can restart your server whenever you want, then the simplest way may be a small script which will find out your IP address, go modify the Allow line above in httpd.conf, and restart your server. Then make this an icon on your desktop, so you can just click on it.
Perl is your friend for things like that.

If it's more permanent, then there might be another way, if you have a DNS domain at which you can ask for changes : It is possible to register a name in your own domain, and tell the DNS server to go look up the dyndns.org name that you registered to get the current IP address (*). Then your own domain's DNS server can answer reverse DNS queries (and you'll have to make sure that your httpd server is asking it first). Then instead of saying "Allow from xyz.dyndns.org", you would say "Allow from xyz.mydomain.com".
If your httpd server is at work, buy the DNS guy a beer.
Of course, you will still have to make sure that the dyndns IP registration is kept current when your real IP changes, but I suppose you already do that.

And finally, if you're really adventurous, you could write a mod_perl add-on module for Apache (as a PerlAccessHandler), that will do all this dynamically for you each time you connect. Then maybe the DNS guy will buy you a beer, because he could use it too.
But maybe go check the CPAN first, someone else may have preceded you.

There might be smarter ways to do this, and I'm sure other people have better ideas. But maybe then, you should tell us which platform you are on, and which version of Apache.

André

(*) essentially, you are telling your own DNS server that "xyz.mycompany.com" is an alias for "xyz.dyndns.org".
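
Added example (not part of the original message, and not Apache's own code): a simplified Python model of how a hostname in "Allow from" is evaluated, following the mod_authz_host documentation (reverse lookup of the client IP, match on whole name components, then a forward lookup to confirm). The DNS tables and addresses are constructed sample data.

```python
# Constructed DNS data using documentation address ranges, not real records.
PTR = {
    "203.0.113.45": "tip2345.dialup-timbuctu.myisp.net",  # the poster's PC
    "203.0.113.99": "tip9999.dialup-timbuctu.myisp.net",  # another ISP customer
    "198.51.100.7": "myhost.dyndns.org",  # PTR chosen by that reverse zone's owner
}
A = {
    "myhost.dyndns.org": ["203.0.113.45"],
    "tip2345.dialup-timbuctu.myisp.net": ["203.0.113.45"],
    "tip9999.dialup-timbuctu.myisp.net": ["203.0.113.99"],
}


def host_allowed(client_ip, allow_name, ptr=PTR, a=A):
    """Simplified model of 'Allow from <name>'; returns (allowed, reason)."""
    # Step 1: the server only has the client IP, so it asks for its PTR name.
    name = ptr.get(client_ip)
    if name is None:
        return False, "no PTR record for client IP"
    name = name.rstrip(".").lower()
    want = allow_name.strip(".").lower()
    # Step 2: the PTR name must equal the argument or end in it,
    # matching complete dot-separated components only.
    if name != want and not name.endswith("." + want):
        return False, "PTR name %s does not end in %s" % (name, want)
    # Step 3: forward-confirm, so a PTR record alone cannot grant access.
    if client_ip not in a.get(name, []):
        return False, "forward lookup of %s does not return %s" % (name, client_ip)
    return True, "PTR name %s matches and forward-confirms" % name


def report():
    """Run the cases discussed in the message over the constructed data."""
    cases = [
        ("203.0.113.45", "myhost.dyndns.org"),          # the original directive
        ("203.0.113.45", "dialup-timbuctu.myisp.net"),  # the ISP-suffix workaround
        ("203.0.113.99", "dialup-timbuctu.myisp.net"),  # same rule, other customer
        ("198.51.100.7", "myhost.dyndns.org"),          # unconfirmed PTR claim
    ]
    return [(ip, allow) + host_allowed(ip, allow) for ip, allow in cases]


if __name__ == "__main__":
    for ip, allow, ok, reason in report():
        print("%-13s Allow from %-26s %-5s %s" % (ip, allow, ok, reason))
```

The dyndns name never matches because nothing in the check starts from that name, while the ISP suffix admits every customer whose PTR record ends in it.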
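
Added example (not part of the original message): one way to write the "small script" suggested above, in Python rather than Perl. It resolves the dyndns name, rewrites a single marked Allow line to that literal IP, and reloads Apache only if the syntax check passes. The `# DYNAMIC-ALLOW` marker comment is a hypothetical convention introduced here, and the `apachectl` command name is an assumption (some distributions install it as `apache2ctl`).

```python
import ipaddress
import re
import socket
import subprocess
import sys

# Hypothetical marker comment: put it on the line directly above the one
# Allow line this script may rewrite, so no other access rule is touched.
MARKER = "# DYNAMIC-ALLOW"
PATTERN = re.compile(
    r"^([ \t]*" + re.escape(MARKER) + r"[ \t]*\n[ \t]*)allow[ \t]+from[ \t]+\S+[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)


def pin_allow_line(config_text, ip):
    """Return config_text with the marked Allow line set to one literal IP."""
    ip = str(ipaddress.ip_address(ip))  # ValueError for anything but an IP literal
    new_text, count = PATTERN.subn(
        lambda m: m.group(1) + "allow from " + ip, config_text
    )
    if count != 1:
        raise ValueError("expected exactly one marked Allow line, found %d" % count)
    return new_text


def main(conf_path, hostname):
    ip = socket.gethostbyname(hostname)  # current A record of the dyndns name
    with open(conf_path) as fh:
        old = fh.read()
    new = pin_allow_line(old, ip)
    if new == old:
        return  # address unchanged, no reload needed
    with open(conf_path, "w") as fh:
        fh.write(new)
    # Check the syntax before reloading; restore the old file if it fails.
    if subprocess.call(["apachectl", "configtest"]) != 0:
        with open(conf_path, "w") as fh:
            fh.write(old)
        sys.exit("configtest failed, original file restored")
    subprocess.check_call(["apachectl", "graceful"])


if __name__ == "__main__" and len(sys.argv) == 3:
    main(sys.argv[1], sys.argv[2])
```

Access then depends on whoever can update the dyndns record, so the dyndns account credentials become part of the access control for that directory.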

