coar 97/04/26 05:21:15
Modified: htdocs/manual/misc FAQ.html
Log:
Added Q&A concerning access restriction by host/domain name,
and cleaned up a couple of nits.
Revision Changes Path
1.44 +68 -18 apache/htdocs/manual/misc/FAQ.html
Index: FAQ.html
===================================================================
RCS file: /export/home/cvs/apache/htdocs/manual/misc/FAQ.html,v
retrieving revision 1.43
retrieving revision 1.44
diff -C3 -r1.43 -r1.44
*** FAQ.html 1997/04/26 06:58:39 1.43
--- FAQ.html 1997/04/26 12:21:14 1.44
***************
*** 8,14 ****
<!--#include virtual="header.html" -->
<H1>Apache Server Frequently Asked Questions</H1>
<P>
! $Revision: 1.43 $ ($Date: 1997/04/26 06:58:39 $)
</P>
<P>
The latest version of this FAQ is always available from the main
--- 8,14 ----
<!--#include virtual="header.html" -->
<H1>Apache Server Frequently Asked Questions</H1>
<P>
! $Revision: 1.44 $ ($Date: 1997/04/26 12:21:14 $)
</P>
<P>
The latest version of this FAQ is always available from the main
***************
*** 25,31 ****
<!-- on his own system, which may not be configured for -->
<!-- multiviews. Leave off the ".html" extension for absolute -->
<!-- links to sites which are known to run multiviews (e.g., -->
! <!-- apache.or or apacheweek.com). -->
<!-- - When adding items, make sure they're put in the right place -->
<!-- - verify that the numbering matches up. -->
<!-- - Don't forget to include an HR tag after the last /P tag -->
--- 25,31 ----
<!-- on his own system, which may not be configured for -->
<!-- multiviews. Leave off the ".html" extension for absolute -->
<!-- links to sites which are known to run multiviews (e.g., -->
! <!-- apache.org or apacheweek.com). -->
<!-- - When adding items, make sure they're put in the right place -->
<!-- - verify that the numbering matches up. -->
<!-- - Don't forget to include an HR tag after the last /P tag -->
***************
*** 42,49 ****
<!-- - can't bind to port 80 -->
<!-- - permission denied -->
<!-- - address already in use -->
- <!-- - access control based on DNS name really needs MAXIMUM_DNS -->
- <!-- and double-check that rDNS resolves to name expected -->
<!-- - mod_auth & passwd lines "user:pw:.*" - ++1st colon onward is -->
<!-- treated as pw, not just ++1st to --2nd. -->
<!-- - SSL: -->
--- 42,47 ----
***************
*** 127,133 ****
<LI><A HREF="#cookies1">Why does Apache send a cookie on every
response?</A>
</LI>
<LI><A HREF="#cookies2">Why don't my cookies work, I even compiled in
! mod_cookies?</A>
</LI>
<LI><A HREF="#jdk1-and-http1.1">Why do my Java app[let]s give me plain
text
when I request an URL from an Apache server?</A>
--- 125,131 ----
<LI><A HREF="#cookies1">Why does Apache send a cookie on every
response?</A>
</LI>
<LI><A HREF="#cookies2">Why don't my cookies work, I even compiled in
! <SAMP>mod_cookies</SAMP>?</A>
</LI>
<LI><A HREF="#jdk1-and-http1.1">Why do my Java app[let]s give me plain
text
when I request an URL from an Apache server?</A>
***************
*** 150,155 ****
--- 148,156 ----
<LI><A HREF="#wheres-the-dump">The errorlog says Apache dumped core,
but where's the dump file?</A>
</LI>
+ <LI><A HREF="#dnsauth">Why isn't restricting access by host or domain
name
+ working correctly?</A>
+ </LI>
<LI><A HREF="#SSL-i">Why doesn't Apache include SSL?</A>
</LI>
</OL>
***************
*** 254,260 ****
<P>
The Apache project's web site includes a page with a partial list of
<A
! HREF="http://www.apache.org/info/apache_users.html"
>sites running Apache</A>.
</P>
<HR>
--- 255,261 ----
<P>
The Apache project's web site includes a page with a partial list of
<A
! HREF="http://www.apache.org/info/apache_users"
>sites running Apache</A>.
</P>
<HR>
***************
*** 286,292 ****
be swamped by a flood of trivial questions that can be resolved elsewhere.
Bug reports and suggestions should be sent <EM>via</EM>
<A
! HREF="http://www.apache.org/bug_report.html"
>the bug report page</A>.
Other questions should be directed to the
<A
--- 287,293 ----
be swamped by a flood of trivial questions that can be resolved elsewhere.
Bug reports and suggestions should be sent <EM>via</EM>
<A
! HREF="http://www.apache.org/bug_report"
>the bug report page</A>.
Other questions should be directed to the
<A
***************
*** 872,880 ****
module.
This module was distributed with Apache prior to 1.2.
This module may help track users, and uses cookies to do this. If
! you are not using the data generated by mod_cookies, do not compile
! it into Apache. Note that in 1.2 this module was renamed to the
! more correct name
<A
HREF="../mod/mod_usertrack.html"
><SAMP>mod_usertrack</SAMP></A>,
--- 873,881 ----
module.
This module was distributed with Apache prior to 1.2.
This module may help track users, and uses cookies to do this. If
! you are not using the data generated by <SAMP>mod_cookies</SAMP>, do
! not compile it into Apache. Note that in 1.2 this module was renamed
! to the more correct name
<A
HREF="../mod/mod_usertrack.html"
><SAMP>mod_usertrack</SAMP></A>,
***************
*** 888,903 ****
<HR>
</LI>
<LI><A NAME="cookies2">
! <STRONG>Why don't my cookies work, I even compiled in mod_cookies?
</STRONG>
</A>
<P>
! Firstly, you do <EM>not</EM> need to compile in mod_cookies in order
! for your scripts to work (see the <A HREF="#cookies1">previous
question</A>
! for more about mod_cookies). Apache passes on your Set-Cookie header
! fine, with or without this module. If cookies do not work it will
! be because your script does not work properly or your browser does
! not use cookies or is not set-up to accept them.
</P>
<HR>
</LI>
--- 889,909 ----
<HR>
</LI>
<LI><A NAME="cookies2">
! <STRONG>Why don't my cookies work, I even compiled in
! <SAMP>mod_cookies</SAMP>?
</STRONG>
</A>
<P>
! Firstly, you do <EM>not</EM> need to compile in
! <SAMP>mod_cookies</SAMP> in order for your scripts to work (see the
! <A
! HREF="#cookies1"
! >previous question</A>
! for more about <SAMP>mod_cookies</SAMP>). Apache passes on your
! <SAMP>Set-Cookie</SAMP> header fine, with or without this module. If
! cookies do not work it will be because your script does not work
! properly or your browser does not use cookies or is not set-up to
! accept them.
</P>
<HR>
</LI>
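Review bot: In the rewritten answer, "is not set-up to accept them" uses the hyphenated noun form where the verb "set up" is meant; since the paragraph is being re-wrapped anyway, this is the place to fix it. The question heading "Why don't my cookies work, I even compiled in mod_cookies?" is a comma splice and appears both here and in the table of contents, so any rewording has to be made in both places.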
***************
*** 1089,1094 ****
--- 1095,1144 ----
</P>
<HR>
</LI>
+ <LI><A NAME="dnsauth">
+ <STRONG>Why isn't restricting access by host or domain name
+ working correctly?</STRONG>
+ </A>
+ <P>
+ Two of the most common causes of this are:
+ </P>
+ <OL>
+ <LI><STRONG>An error, inconsistency, or unexpected mapping in the DNS
+ registration</STRONG>
+ <BR>
+ This happens frequently: your configuration restricts access to
+ <SAMP>Host.FooBar.Com</SAMP>, but you can't get in from that host.
+ The usual reason for this is that <SAMP>Host.FooBar.Com</SAMP> is
+ actually an alias for another name, and when Apache performs the
+ address-to-name lookup it's getting the <EM>real</EM> name, not
+ <SAMP>Host.FooBar.Com</SAMP>. You can verify this by checking the
+ reverse lookup yourself. The easiest way to work around it is to
+ specify the correct host name in your configuration.
+ </LI>
+ <LI><STRONG>Inadequate checking and verification in your
+ configuration of Apache</STRONG>
+ <BR>
+ If you intend to perform access checking and restriction based upon
+ the client's host or domain name, you really need to configure
+ Apache to double-check the origin information it's supplied. You do
+ this by adding the <SAMP>-DMAXIMUM_DNS</SAMP> clause to the
+ <SAMP>EXTRA_CFLAGS</SAMP> definition in your
+ <SAMP>Configuration</SAMP> file. For example:
+ <DL>
+ <DD><CODE>EXTRA_CFLAGS=-DMAXIMUM_DNS</CODE>
+ </DD>
+ </DL>
+ <P>
+ This will cause Apache to be very paranoid about making sure a
+ particular host address is <EM>really</EM> assigned to the name it
+ claims to be. Note that this <EM>can</EM> incur a significant
+ performance penalty, however, because of all the name resolution
+ requests being sent to a nameserver.
+ </P>
+ </LI>
+ </OL>
+ <HR>
+ </LI>
<LI><A NAME="SSL-i">
<STRONG>Why doesn't Apache include SSL?</STRONG>
</A>
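Review bot: The second list item never says that -DMAXIMUM_DNS is a compile-time define, so a reader who edits Configuration and simply restarts the server will see no change; add a sentence after the EXTRA_CFLAGS example saying Apache must be rebuilt and reinstalled for it to take effect. The example line EXTRA_CFLAGS=-DMAXIMUM_DNS also reads as the complete value, so say that the define is added to whatever flags are already set there. In the first item, "You can verify this by checking the reverse lookup yourself" would help more if it named a tool to use. The entry should also state why the double-check matters: the address-to-name answer comes from whoever controls the reverse DNS for the client's address, so a name-based restriction is only as trustworthy as that answer unless the name is resolved back to the same address.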
***************
*** 1097,1103 ****
governments have restrictions upon the import, export, and use of
encryption technology. If Apache included SSL in the base package,
its distribution would involve all sorts of legal and bureaucratic
! issues., and it would no longer be freely available. Also, some of
the technology required to talk to current clients using SSL is
patented by <A HREF="http://www.rsa.com/">RSA Data Security</A>,
who restricts its use without a license.
--- 1147,1153 ----
governments have restrictions upon the import, export, and use of
encryption technology. If Apache included SSL in the base package,
its distribution would involve all sorts of legal and bureaucratic
! issues, and it would no longer be freely available. Also, some of
the technology required to talk to current clients using SSL is
patented by <A HREF="http://www.rsa.com/">RSA Data Security</A>,
who restricts its use without a license.