Re: allow from "hostname" not working..


 



Hi,

Alright. I was right about the reverse lookup thing.
And I already thought about that "allow from
.myispdomain.com" and also thought that it wouldn't be
a good idea because I would be allowing the entire IP
address space of my ISP. I think I'll probably just
write a script that will resolve the hostname of my
dyndns pc and just replace my "allow from
IP".htaccess.
Though I'm still wondering if there is a way to tell
Apache to just skip reverse resolving before
evaluating the "allow from hostname" rule...


Thanks



> The first question is whether you should not just
> implement a simple 
> authentication for your server.  It's really easy if
> you do not have 
> many users.  Then you get rid of the IP-based
> control.
> Look here :
> http://httpd.apache.org/docs/2.2/en/mod/mod_auth_basic.html
> and
> <Location />
> # AuthType can be Basic or Digest
> AuthType Basic
> AuthName "pirates be gone"
> AuthUserFile /web/users
> Require valid-user
> </Location>
> and look up htpasswd to create the users.
> 
> -- next, about what you are asking above --
> 
> I think you have the reasoning almost right, but not
> 100%.
> When your httpd server receives the request, it
> knows only from which IP 
> it is coming, it doesn't know any name (yet).
> When it encounters your "Allow from (domain)"
> line(s), it will try a DNS 
> reverse lookup with the IP, to check if this IP
> corresponds to any of 
> the domains given.
> This reverse DNS lookup however will (at best) give
> back the name given 
> to this IP address by the dynamic address allocation
> system of your 
> provider, e.g. something like
> "tip2345.dialup-timbuctu.myisp.net".
> This will not match the domain in the Allow
> directive, thus will be 
> rejected. (Or worse, your ISP does not do reverse IP
> registration, and 
> the request will return "NXdomain", and it will
> still not match in Apache).
> 
> Not recommended solution :
> If it's not very critical, and you are quite sure
> that your server is 
> well-configured, and you notice that the DNS name
> your ISP is giving you 
> always ends in the same thing (like
> "dialup-timbuctu.myisp.net"), you 
> could always put a directive "Allow from
> dialup-timbuctu.myisp.net", but 
> understand what it does first, and don't tell anyone
> I told you to do 
> that. It basically restricts the IPs allowed to
> access your server from 
> several million to several tens of thousands.
> So don't do this at work.
> And forget I even mentioned that.
> 
> Better :
> If you only need to do this occasionally, and have
> full control over the 
> server, then find out your current IP address and
> replace your "Allow 
> from (name)" by "Allow from (ip-address)" and
> restart Apache.  You'll 
> have to redo this each time your IP changes.
> 
> If you do need this more often and find the above a
> pain, but still can 
> restart your server whenever you want, then the
> simplest way may be a 
> small script which will find out your IP address, go
> modify the Allow 
> line above in httpd.conf, and restart your server. 
> Then make this an 
> icon on your desktop, so you can just click on it.
> Perl is your friend for things like that.
> 
> If it's more permanent, then there might be another
> way, if you have a 
> DNS domain at which you can ask for changes :
> It is possible to register a name in your own
> domain, and tell the DNS 
> server to go look up the dyndns.org name that you
> registered to get the 
> current IP address (*). Then your own domain's DNS
> server can answer 
> reverse DNS queries (and you'll have to make sure
> that your httpd server 
> is asking it first).
> Then instead of saying "Allow from xyz.dyndns.org",
> you would say "Allow 
> from xyz.mydomain.com".
> If your httpd server is at work, buy the DNS guy
> a beer.
> Of course, you will still have to make sure that the
> dyndns IP 
> registration is kept current when your real IP
> changes, but I suppose 
> you already do that.
> 
> And finally, if you're really adventurous, you could
> write a mod_perl 
> add-on module for Apache (as a PerlAccessHandler),
> that will do all this 
> dynamically for you each time you connect.  Then
> maybe the DNS guy will 
> buy you a beer, because he could use it too.
> But maybe go check the CPAN first, someone else may
> have preceded you.
> 
> There might be smarter ways to do this, and I'm sure
> other people have 
> better ideas.  But maybe then, you should tell on
> which platform you 
> are, with which version of Apache.
> 
> André
> 
> (*) essentially, you are telling your own DNS server
> that 
> "xyz.mycompany.com" is an alias for
> "xyz.dyndns.org".
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the
> Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for
> more info.
> To unsubscribe, e-mail:
> users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest:
> users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail:
> users-help@xxxxxxxxxxxxxxxx
> 
> 
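
The script idea discussed in this thread (resolve the dyndns name with a forward lookup, then rewrite the "Allow from IP" line), as an added example that is not part of either poster's message. The `# dyndns-managed` marker comment and all function names are assumptions made for the example.

```python
import ipaddress
import os
import re
import socket
import tempfile

MARKER = "# dyndns-managed"  # hypothetical tag on the line above the managed rule
ALLOW_RE = re.compile(r"^(\s*Allow\s+from\s+)(\S+)\s*$", re.IGNORECASE)


def resolve_ipv4(hostname):
    """Forward lookup only (no reverse DNS); returns the sorted set of A records."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def rewrite_allow(text, new_ip):
    """Return (new_text, changed); only the single rule under MARKER is touched."""
    ip = ipaddress.IPv4Address(new_ip)  # ValueError on a malformed answer
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        raise ValueError(f"refusing to allow {ip}")
    lines = text.splitlines(keepends=True)
    hits, changed = 0, False
    for i in range(1, len(lines)):
        body = lines[i].rstrip("\r\n")
        m = ALLOW_RE.match(body)
        if m and lines[i - 1].strip() == MARKER:
            hits += 1
            if m.group(2) != str(ip):
                lines[i] = f"{m.group(1)}{ip}{lines[i][len(body):]}"
                changed = True
    if hits != 1:
        raise ValueError(f"expected exactly one managed rule, found {hits}")
    return "".join(lines), changed


def update_htaccess(path, hostname):
    """Resolve hostname and rewrite path atomically; True if the file changed."""
    addrs = resolve_ipv4(hostname)
    if len(addrs) != 1:
        raise ValueError(f"expected one address for {hostname}, got {addrs}")
    with open(path) as fh:
        new_text, changed = rewrite_allow(fh.read(), addrs[0])
    if changed:
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
        with os.fdopen(fd, "w") as fh:
            fh.write(new_text)
        os.chmod(tmp, os.stat(path).st_mode & 0o777)  # mkstemp creates 0600
        os.replace(tmp, path)  # atomic swap, httpd never sees a partial file
    return changed
```

A `.htaccess` file is re-read on each request, so no restart is needed after the swap; the same rule kept in httpd.conf would need a reload.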



      


