Michael Stewart (vericgar) wrote:
Ross Anderson wrote:
I've tried setting up access restrictions based on name resolution. From
what I've read in the apache.org docs all is configured correctly. If I
use an ip address in the allow statement it works as expected. However
if I use a FQDN apache forbids access. The logs show the client ip that
matches the FQDN. Does anyone have suggestions on where to proceed in
the this troubleshooting process.
Thanks
Ross
<VirtualHost *:80>
DocumentRoot /var/www/phpmyadmin
ServerName mysql.dwrnet.net
ErrorLog /var/www/phpmyadmin/log/error_log
CustomLog /var/www/phpmyadmin/log/access_log combined
<Directory />
AllowOverride None
Order Deny,Allow
Deny from all
Allow from host.example.com
</Directory>
</VirtualHost>
net-www/apache-2.0.54-r31 +apache2 -debug -doc -ldap -mpm-leader
-mpm-peruser -mpm-prefork -mpm-threadpool -mpm-worker -no-suexec
(-selinux) +ssl -static-modules -threads 5,488 kB
[Sun Dec 04 13:08:59 2005] [error] [client xx.xx.xx.xx] client denied by
server configuration: /var/www/phpmyadmin/
Make sure that Apache is looking up hostnames (the default configuration
does not do this as it slows things down):
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups On
Make sure the PTR record for the IP address(es) is the name you use in
the configuration.
Make sure DNS works correctly on the machine (I don't know why it
wouldn't, and you would have run into problems much earlier, but perhaps
something got changed)
I'd recommend using user authentication (google htpasswd for
information) rather then IP/DNS rules.
I tried enabling HostnameLookups in the virtual domain as a test without
sucess. I also will post man file snipit concerning hostname lookup.
DNS is clearly working correctly. htpasswd allows for attempts/use of
stolen info. I already use username/pass on the php section itself. I
wish to stop diggers/scanners from attempting.
A (partial) domain-name
Example:
| Allow from apache.org
Allow from .net example.edu |
Hosts whose names match, or end in, this string are allowed access.
Only complete components are matched, so the above example will
match |foo.apache.org| but it will not match |fooapache.org|. This
configuration will cause Apache to perform a double reverse DNS
lookup on the client IP address, regardless of the setting of the
|HostnameLookups
<http://httpd.apache.org/docs/2.0/mod/core.html#hostnamelookups>|
directive.
--
gentoo-user@gentoo.org mailing list
