Michael Stewart (vericgar) wrote:

Ross Anderson wrote:
I've tried setting up access restrictions based on name resolution. From
what I've read in the apache.org docs all is configured correctly. If I
use an ip address in the allow statement it works as expected. However
if I use a FQDN apache forbids access. The logs show the client ip that
matches the FQDN. Does anyone have suggestions on where to proceed in
this troubleshooting process?

Thanks
Ross

<VirtualHost *:80>
  DocumentRoot /var/www/phpmyadmin
  ServerName mysql.dwrnet.net
  ErrorLog /var/www/phpmyadmin/log/error_log
  CustomLog /var/www/phpmyadmin/log/access_log combined
  <Directory />
      AllowOverride None
      Order Deny,Allow
      Deny from all
      Allow from host.example.com
  </Directory>
</VirtualHost>

net-www/apache-2.0.54-r31  +apache2 -debug -doc -ldap -mpm-leader
-mpm-peruser -mpm-prefork -mpm-threadpool -mpm-worker -no-suexec
(-selinux) +ssl -static-modules -threads 5,488 kB

[Sun Dec 04 13:08:59 2005] [error] [client xx.xx.xx.xx] client denied by
server configuration: /var/www/phpmyadmin/

Make sure that Apache is looking up hostnames (the default configuration
does not do this as it slows things down):
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups On

Make sure the PTR record for the IP address(es) is the name you use in
the configuration.

Make sure DNS works correctly on the machine (I don't know why it
wouldn't, and you would have run into problems much earlier, but perhaps
something got changed)

I'd recommend using user authentication (google htpasswd for
information) rather than IP/DNS rules.

I tried enabling HostnameLookups in the virtual domain as a test without success. I also will post a man file snippet concerning hostname lookup. DNS is clearly working correctly. htpasswd allows for attempts/use of stolen info. I already use username/pass on the php section itself. I wish to stop diggers/scanners from attempting.


A (partial) domain-name

   Example:

   Allow from apache.org
   Allow from .net example.edu

   Hosts whose names match, or end in, this string are allowed access.
   Only complete components are matched, so the above example will
   match foo.apache.org but it will not match fooapache.org. This
   configuration will cause Apache to perform a double reverse DNS
   lookup on the client IP address, regardless of the setting of the
   HostnameLookups
   <http://httpd.apache.org/docs/2.0/mod/core.html#hostnamelookups>
   directive.
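The double reverse lookup described above is what makes "Allow from host.example.com" fail even when the access log shows the right client IP: Apache resolves the PTR, then resolves that name forward again and only trusts the name if the original IP is among the answers. As an added example (not from the thread or from httpd itself), here is a small Python model of that check plus the complete-component hostname matching, using constructed stand-in DNS tables so it runs offline; the resolver functions are assumptions you can swap for socket.gethostbyaddr and socket.gethostbyname_ex on a real host.

```python
"""Model of Apache 2.0 'Allow from <hostname>' (added example, not httpd code)."""
from typing import Callable, Iterable, List

# Constructed sample DNS data, not real records.
PTR_RECORDS = {
    "203.0.113.10": "host.example.com",  # PTR and A agree: passes double reverse
    "203.0.113.11": "host.example.com",  # PTR claims a name whose A record differs
    "203.0.113.12": "fooapache.org",     # not a complete component of apache.org
}
A_RECORDS = {
    "host.example.com": ["203.0.113.10"],
    "fooapache.org": ["203.0.113.12"],
}


def reverse_lookup(ip: str) -> str:
    """Stand-in PTR lookup (assumed helper)."""
    return PTR_RECORDS.get(ip, "")


def forward_lookup(name: str) -> List[str]:
    """Stand-in A lookup (assumed helper)."""
    return A_RECORDS.get(name, [])


def double_reverse_hostname(ip: str, reverse: Callable = reverse_lookup,
                            forward: Callable = forward_lookup) -> str:
    """Return the verified hostname for ip, or '' when the double reverse
    check fails: PTR name must resolve forward back to the same IP."""
    name = reverse(ip)
    if not name:
        return ""
    return name.lower() if ip in forward(name) else ""


def name_matches(hostname: str, pattern: str) -> bool:
    """Hostname equals the pattern or ends in it at a label boundary, so
    'apache.org' and '.apache.org' match foo.apache.org but not fooapache.org."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().lstrip(".")
    return hostname == pattern or hostname.endswith("." + pattern)


def allowed(ip: str, allow_patterns: Iterable[str], reverse: Callable = reverse_lookup,
            forward: Callable = forward_lookup) -> bool:
    """Order Deny,Allow / Deny from all / Allow from <names>: access only when
    the double-reverse-verified name matches one of the patterns."""
    hostname = double_reverse_hostname(ip, reverse, forward)
    return bool(hostname) and any(name_matches(hostname, p) for p in allow_patterns)
```

With the sample tables, 203.0.113.11 is denied even though its PTR says host.example.com, which is the failure mode to check first when an FQDN rule rejects a client whose IP appears correctly in the log.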



--
gentoo-user@gentoo.org mailing list
