Re: [VOTE] access control for dynamic hosts

2016-03-24 Thread fabien
Hello Yann, I guess this question is for me, not the doc :) Yep! [...] So, finally, mentioning that *any* ip/host-based authz should be combined with other authz/authn (SSL certificates, credentials schemes, ...) for stronger requirements may be the way to go. I agree that combining

Re: [VOTE] access control for dynamic hosts

2016-03-24 Thread Yann Ylavic
Hi Fabien, On Wed, Mar 23, 2016 at 6:12 PM, wrote: > > How about adding something like: > > From a security perspective, getting access to a protected page is somehow > easier with "forward-dns" because the attacker needs only to control the DNS > for the domain, while they

Re: [VOTE] access control for dynamic hosts

2016-03-23 Thread fabien
Hello Yann, ylavic: I would have liked more (doc) emphasis on the lower security of "Require forward-dns" vs "Require host"'s double DNS lookup How about adding something like: From a security perspective, getting access to a protected page is somehow easier with "forward-dns" because

Re: [VOTE] access control for dynamic hosts

2016-03-10 Thread Fabien
Currently 2 votes: +1: Mario Brandt, Yann Ylavic I think you can go ahead, trunk is in CTR (Commit Then Review) mode. I just committed the changes as r1734412: https://svn.apache.org/viewvc?view=revision=1734412 -- Fabien.

Re: [VOTE] access control for dynamic hosts

2016-03-09 Thread fabien
Hello Yann, +1: Mario Brandt, Yann Ylavic I think you can go ahead, trunk is in CTR (Commit Then Review) mode. Ok, I'll do a last check and commit soon. -- Fabien.

Re: [VOTE] access control for dynamic hosts

2016-03-09 Thread Yann Ylavic
Hi Fabien, On Wed, Mar 9, 2016 at 5:44 PM, wrote: > > Currently 2 votes: > > +1: Mario Brandt, Yann Ylavic I think you can go ahead, trunk is in CTR (Commit Then Review) mode. You may have more feedback when done... Regards, Yann.

Re: [VOTE] access control for dynamic hosts

2016-03-09 Thread fabien
I'm proposing to commit the patch if I'm given a go. Currently 2 votes: +1: Mario Brandt, Yann Ylavic -- Fabien.

Re: access control for dynamic hosts (vote?)

2016-03-06 Thread Mario Brandt
+1 On 6 March 2016 at 14:12, Fabien wrote: > >> Attached is a patch against the sources, including documentation, which >> uses the syntax "Require forward-dns foo.apache.org". > > > Here is a v2 which adds a missing "/" in the XML documentation. > > -- > Fabien.

Re: access control for dynamic hosts (vote?)

2016-03-06 Thread Fabien
Attached is a patch against the sources, including documentation, which uses the syntax "Require forward-dns foo.apache.org". Here is a v2 which adds a missing "/" in the XML documentation. -- Fabien. Index: docs/log-message-tags/next-number

Re: access control for dynamic hosts (vote?)

2016-03-06 Thread Yann Ylavic
On Sun, Mar 6, 2016 at 8:13 AM, Fabien wrote: > > I'm proposing to commit the patch if I'm given a go. > > Vote? LGTM, +1 Regards, Yann.

Re: access control for dynamic hosts (vote?)

2016-03-05 Thread Fabien
Hello Apache developers, Unfortunately I think you need to pick an awkward name here so it cannot be confused/misused. Like "forward-dns" Attached is a patch against the sources, including documentation, which uses the syntax "Require forward-dns foo.apache.org". The second file is the

RE: access control for dynamic hosts

2016-03-01 Thread fabien
Hello Rick, Forward doesn’t mean dynamic, however, and using one particular solution like that is misleading, IMO. Using “forward-dns” makes more sense to me. Yep, with such a name what it does is pretty clear. That said, how would you intend to handle multiple A records for the same

RE: access control for dynamic hosts

2016-03-01 Thread Houser, Rick
per name? At a minimum, I think that needs to be clearly documented. Rick Houser From: Yehuda Katz [mailto:yeh...@ymkatz.net] Sent: Tuesday, March 01, 2016 10:09 AM To: dev@httpd.apache.org Subject: Re: access control for dynamic hosts dyndns is a company name, but it seems to be synonymous

Re: access control for dynamic hosts

2016-03-01 Thread Yehuda Katz
dyndns is a company name, but it seems to be synonymous for a lot of systems with dynamic-dns. That would make a recognizable option for a lot of people. - Y On Tue, Mar 1, 2016 at 10:00 AM, Eric Covener wrote: > On Tue, Mar 1, 2016 at 9:53 AM, wrote: >

Re: access control for dynamic hosts

2016-03-01 Thread Yann Ylavic
On Tue, Mar 1, 2016 at 3:31 PM, Eric Covener wrote: > On Tue, Mar 1, 2016 at 8:19 AM, Yann Ylavic wrote: >> How about "Require dns" (and mod_authz_dns) for the name? > > I think it is reasonable to extend authz_host to disable the reverse > check when

Re: access control for dynamic hosts

2016-03-01 Thread Yann Ylavic
On Tue, Mar 1, 2016 at 4:01 PM, Yann Ylavic wrote: > On Tue, Mar 1, 2016 at 3:31 PM, Eric Covener wrote: >> On Tue, Mar 1, 2016 at 8:19 AM, Yann Ylavic wrote: >>> How about "Require dns" (and mod_authz_dns) for the name? >> >> I

Re: access control for dynamic hosts

2016-03-01 Thread fabien
Hello Yann, [...] Looks good to me. It would have to be documented though, especially the difference with "Require host" and maybe their complementarity (wrt security). Sure, it needs a documentation, obviously. I will not commit anything without a doc. How about "Require dns" (and

Re: access control for dynamic hosts

2016-03-01 Thread Eric Covener
On Tue, Mar 1, 2016 at 9:53 AM, wrote: > Maybe "Require ip" could be extended instead of using a new name: > > "Require ip myserver.apache.org" Unfortunately I think you need to pick an awkward name here so it cannot be confused/misused. Like "forward-dns" -- Eric

Re: access control for dynamic hosts

2016-03-01 Thread fabien
How about "Require dns" (and mod_authz_dns) for the name? I think it is reasonable to extend authz_host to disable the reverse check when requested (via some new first arg to require) Note that the inner working logic is different, but this is an implementation detail. What syntax would

Re: access control for dynamic hosts

2016-03-01 Thread Eric Covener
On Tue, Mar 1, 2016 at 8:19 AM, Yann Ylavic wrote: > How about "Require dns" (and mod_authz_dns) for the name? I think it is reasonable to extend authz_host to disable the reverse check when requested (via some new first arg to require)

Re: access control for dynamic hosts

2016-03-01 Thread Jacob Perkins
This would be a godsend. I personally use a lot of dynamic hosts from my ISP, in that I’m unable to control the rDNS records of the IPs I’m assigned. Having an option for checks going ‘forward’ only would be terrific. — Jacob Perkins Product Owner cPanel Inc. jacob.perk...@cpanel.net

Re: access control for dynamic hosts

2016-03-01 Thread Yann Ylavic
Hi Fabien, On Thu, Jan 14, 2016 at 9:38 AM, Fabien wrote: > > Would anyone have an opinion, please? > > Although I can just commit the proposed changes, a formal go would be nice. Looks good to me. It would have to be documented though, especially the difference with

Re: access control for dynamic hosts

2016-03-01 Thread fabien
This feature makes sense because it allows to allow a full domain, say "apache.org", any host of which the inverse dns resolves to the domain can then be allowed. But this also means that if the reverse dns is not controlled, say with the dynamic dns and a moving ip, ip control does not work,

Re: access control for dynamic hosts

2016-02-29 Thread Reindl Harald
On 29.02.2016 at 07:16, fab...@apache.org wrote: Maybe the reverse dns is working on your test address? I checked it and yes it does work that way. I never knew it did. Indeed. This feature makes sense because it allows to allow a full domain, say "apache.org", any host of which the

Re: access control for dynamic hosts

2016-02-28 Thread fabien
Hello, Maybe the reverse dns is working on your test address? I checked it and yes it does work that way. I never knew it did. Indeed. This feature makes sense because it allows to allow a full domain, say "apache.org", any host of which the inverse dns resolves to the domain can then

Re: access control for dynamic hosts

2016-02-28 Thread Mario Brandt
Hi, On 14 January 2016 at 22:36, Fabien wrote: > > Maybe the reverse dns is working on your test address? I checked it and yes it does work that way. I never knew it did. Cheers Mario

Re: access control for dynamic hosts

2016-01-14 Thread Fabien
APACHE development mailing list <dev@httpd.apache.org> Subject: access control for dynamic hosts Hello folks, I have a simple access control use case for which I have not found a clean solution. I want to control access to a service based on the name of the client, however the client is a

Re: access control for dynamic hosts

2016-01-14 Thread Mario Brandt
Hi Fabien, doesn't it work using Require host with a dyndns name? At least my test was successful. Cheers Mario On 20 December 2015 at 09:44, Fabien wrote: > > Hello folks, > > I have a simple access control use case for which I have not found a clean > solution. > > I want

Re: access control for dynamic hosts

2016-01-14 Thread Fabien
Hello Mario, doesn't it work using Require host with a dyndns name? From the documentation about "Require host ...": "It will do a reverse DNS lookup on the IP address to find the associated hostname, and then do a forward lookup on the hostname to assure that it matches the original IP

Re: access control for dynamic hosts

2015-12-21 Thread Fabien
Hello folks, I would like something like "Require XXX foo.dynamic-dns.somewhere" (where XXX could be "name", "hostname", "dynamic", ...) which would query the NS when the HTTP request is received and check that the corresponding ip is the client IP. I'm planning to develop a small module

access control for dynamic hosts

2015-12-20 Thread Fabien
Hello folks, I have a simple access control use case for which I have not found a clean solution. I want to control access to a service based on the name of the client, however the client is a dynamic host, which implies that: (1) I do not have any control over the reverse DNS =>