Hello Yann,
I guess this question is for me, not the doc :)
Yep!
[...] So, finally, mentioning that *any* ip/host-based authz should be
combined with other authz/authn (SSL certificates, credentials schemes,
...) for stronger requirements may be the way to go.
I agree that combining
Hi Fabien,
On Wed, Mar 23, 2016 at 6:12 PM, wrote:
>
> How about adding something like:
>
> From a security perspective, getting access to a protected page is somehow
> easier with "forward-dns" because the attacker needs only to control the DNS
> for the domain, while they
Hello Yann,
ylavic: I would have liked more (doc) emphasis on the lower security of
"Require forward-dns" vs "Require host"'s double DNS lookup
How about adding something like:
From a security perspective, getting access to a protected page is somehow
easier with "forward-dns" because
Currently 2 votes:
+1: Mario Brandt, Yann Ylavic
I think you can go ahead, trunk is in CTR (Commit Then Review) mode.
I just committed the changes as r1734412:
https://svn.apache.org/viewvc?view=revision&revision=1734412
--
Fabien.
Hello Yann,
+1: Mario Brandt, Yann Ylavic
I think you can go ahead, trunk is in CTR (Commit Then Review) mode.
Ok, I'll do a last check and commit soon.
--
Fabien.
Hi Fabien,
On Wed, Mar 9, 2016 at 5:44 PM, wrote:
>
> Currently 2 votes:
>
> +1: Mario Brandt, Yann Ylavic
I think you can go ahead, trunk is in CTR (Commit Then Review) mode.
You may have more feedback when done...
Regards,
Yann.
I'm proposing to commit the patch if I'm given a go.
Currently 2 votes:
+1: Mario Brandt, Yann Ylavic
--
Fabien.
+1
On 6 March 2016 at 14:12, Fabien wrote:
>
>> Attached is a patch against the sources, including documentation, which
>> uses the syntax "Require forward-dns foo.apache.org".
>
>
> Here is a v2 which adds a missing "/" in the XML documentation.
>
> --
> Fabien.
Attached is a patch against the sources, including documentation, which uses
the syntax "Require forward-dns foo.apache.org".
Here is a v2 which adds a missing "/" in the XML documentation.
--
Fabien.
Index: docs/log-message-tags/next-number
On Sun, Mar 6, 2016 at 8:13 AM, Fabien wrote:
>
> I'm proposing to commit the patch if I'm given a go.
>
> Vote?
LGTM, +1
Regards,
Yann.
Hello Apache developers,
Unfortunately I think you need to pick an awkward name here so it
cannot be confused/misused. Like "forward-dns"
Attached is a patch against the sources, including documentation,
which uses the syntax "Require forward-dns foo.apache.org".
The second file is the
Hello Rick,
Forward doesn’t mean dynamic, however, and using one particular solution
like that is misleading, IMO. Using “forward-dns” makes more sense to
me.
Yep, with such a name what it does is pretty clear.
That said, how would you intend to handle multiple A records for the
same
per name?
At a minimum, I think that needs to be clearly documented.
Rick Houser
From: Yehuda Katz [mailto:yeh...@ymkatz.net]
Sent: Tuesday, March 01, 2016 10:09 AM
To: dev@httpd.apache.org
Subject: Re: access control for dynamic hosts
dyndns is a company name, but it seems to be synonymous
dyndns is a company name, but it seems to be synonymous for a lot of
systems with dynamic-dns.
That would make a recognizable option for a lot of people.
- Y
On Tue, Mar 1, 2016 at 10:00 AM, Eric Covener wrote:
> On Tue, Mar 1, 2016 at 9:53 AM, wrote:
>
On Tue, Mar 1, 2016 at 3:31 PM, Eric Covener wrote:
> On Tue, Mar 1, 2016 at 8:19 AM, Yann Ylavic wrote:
>> How about "Require dns" (and mod_authz_dns) for the name?
>
> I think it is reasonable to extend authz_host to disable the reverse
> check when
On Tue, Mar 1, 2016 at 4:01 PM, Yann Ylavic wrote:
> On Tue, Mar 1, 2016 at 3:31 PM, Eric Covener wrote:
>> On Tue, Mar 1, 2016 at 8:19 AM, Yann Ylavic wrote:
>>> How about "Require dns" (and mod_authz_dns) for the name?
>>
>> I
Hello Yann,
[...]
Looks good to me.
It would have to be documented though, especially the difference with
"Require host" and maybe their complementarity (wrt security).
Sure, it needs a documentation, obviously. I will not commit anything
without a doc.
How about "Require dns" (and
On Tue, Mar 1, 2016 at 9:53 AM, wrote:
> Maybe "Require ip" could be extended instead of using a new name:
>
> "Require ip myserver.apache.org"
Unfortunately I think you need to pick an awkward name here so it
cannot be confused/misused. Like "forward-dns"
--
Eric
How about "Require dns" (and mod_authz_dns) for the name?
I think it is reasonable to extend authz_host to disable the reverse
check when requested (via some new first arg to require)
Note that the inner working logic is different, but this is an
implementation detail.
What syntax would
On Tue, Mar 1, 2016 at 8:19 AM, Yann Ylavic wrote:
> How about "Require dns" (and mod_authz_dns) for the name?
I think it is reasonable to extend authz_host to disable the reverse
check when requested (via some new first arg to require)
This would be a godsend. I personally use a lot of dynamic hosts from my ISP,
in that I’m unable to control the rDNS records of the IPs I’m assigned. Having
an option for checks going ‘forward’ only would be terrific.
—
Jacob Perkins
Product Owner
cPanel Inc.
jacob.perk...@cpanel.net
Hi Fabien,
On Thu, Jan 14, 2016 at 9:38 AM, Fabien wrote:
>
> Would anyone have an opinion, please?
>
> Although I can just commit the proposed changes, a formal go would be nice.
Looks good to me.
It would have to be documented though, especially the difference with
This feature makes sense because it allows to allow a full domain, say
"apache.org", any host of which the inverse dns resolves to the domain
can then be allowed.
But this also means that if the reverse dns is not controlled, say with
the dynamic dns and a moving ip, ip control does not work,
Am 29.02.2016 um 07:16 schrieb fab...@apache.org:
Maybe the reverse dns is working on your test address?
I checked it and yes it does work that way. I never knew it did.
Indeed.
This feature makes sense because it allows to allow a full domain, say
"apache.org", any host of which the
Hello,
Maybe the reverse dns is working on your test address?
I checked it and yes it does work that way. I never knew it did.
Indeed.
This feature makes sense because it allows to allow a full domain, say
"apache.org", any host of which the inverse dns resolves to the domain can
then
Hi,
On 14 January 2016 at 22:36, Fabien wrote:
>
> Maybe the reverse dns is working on your test address?
I checked it and yes it does work that way. I never knew it did.
Cheers
Mario
APACHE development mailing list <dev@httpd.apache.org>
Subject: access control for dynamic hosts
Hello folks,
I have a simple access control use case for which I have not found a clean
solution.
I want to control access to a service based on the name of the client,
however the client is a
Hi Fabien,
doesn't it work using Require host with a dyndns name? At least my
test was successful.
Cheers
Mario
On 20 December 2015 at 09:44, Fabien wrote:
>
> Hello folks,
>
> I have a simple access control use case for which I have not found a clean
> solution.
>
> I want
Hello Mario,
doesn't it work using Require host with a dyndns name?
From the documentation about "Require host ...":
"It will do a reverse DNS lookup on the IP address to find the associated
hostname, and then do a forward lookup on the hostname to assure that it
matches the original IP
Hello folks,
I would like something like "Require XXX foo.dynamic-dns.somewhere"
(where XXX could be "name", "hostname", "dynamic", ...) which would
query the NS when the HTTP request is received and check that the
corresponding ip is the client IP.
I'm planning to develop a small module
Hello folks,
I have a simple access control use case for which I have not found a
clean solution.
I want to control access to a service based on the name of the client,
however the client is a dynamic host, which implies that:
(1) I do not have any control about the reverse DNS
=>