Attached is a patch against the sources, including documentation, which uses
the syntax "Require forward-dns foo.apache.org".
Here is a v2 which adds a missing "/" in the XML documentation.
--
Fabien.
Index: docs/log-message-tags/next-number
===
--- docs/log-message-tags/next-number (revision 1733791)
+++ docs/log-message-tags/next-number (working copy)
@@ -1 +1 @@
-3354
+3357
Index: docs/manual/mod/mod_authz_host.xml
===
--- docs/manual/mod/mod_authz_host.xml (revision 1733791)
+++ docs/manual/mod/mod_authz_host.xml (working copy)
@@ -58,7 +58,8 @@
Apache's Require
directive is used during the authorization phase to ensure that a user is allowed or
denied access to a resource. mod_authz_host extends the
-authorization types with ip, host and local.
+authorization types with ip, host,
+forward-dns and local.
Other authorization types may also be
used but may require that additional authorization modules be loaded.
@@ -157,6 +158,29 @@
+Require forward-dns
+
+The forward-dns provider allows access to the server
+to be controlled based on simple host names. When
+Require forward-dns host-name is specified,
+all IP addresses corresponding to host-name
+are allowed access.
+
+In contrast to the host provider, this provider does not
+rely on reverse DNS lookups: it simply queries the DNS for the host name
+and allows a client if its IP matches. As a consequence, it will only
+work with host names, not domain names. However, as the reverse DNS is
+not used, it will work with clients which use a dynamic DNS service.
+
+
+Require forward-dns bla.example.org
+
+
+A client the IP of which is resolved from the name
+bla.example.org will be granted access.
+
+
+
Require local
The local provider allows access to the server if any
Index: modules/aaa/mod_authz_host.c
===
--- modules/aaa/mod_authz_host.c (revision 1733791)
+++ modules/aaa/mod_authz_host.c (working copy)
@@ -216,6 +216,71 @@
return AUTHZ_DENIED;
}
+static authz_status
+forward_dns_check_authorization(request_rec *r,
+const char *require_line,
+const void *parsed_require_line)
+{
+const char *err = NULL;
+const ap_expr_info_t *expr = parsed_require_line;
+const char *require, *t;
+char *w;
+
+/* the require line is an expression, which is evaluated now. */
+require = ap_expr_str_exec(r, expr, );
+if (err) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03354)
+"Can't evaluate require expression: %s", err);
+ return AUTHZ_DENIED;
+}
+
+/* tokenize expected list of names */
+t = require;
+while ((w = ap_getword_conf(r->pool, )) && w[0]) {
+
+apr_sockaddr_t *sa;
+apr_status_t rv;
+char *hash_ptr;
+
+/* stop on apache configuration file comments */
+if ((hash_ptr = ap_strchr(w, '#'))) {
+if (hash_ptr == w) {
+break;
+}
+*hash_ptr = '\0';
+}
+
+/* does the client ip match one of the names? */
+rv = apr_sockaddr_info_get(, w, APR_UNSPEC, 0, 0, r->pool);
+if (rv == APR_SUCCESS) {
+
+while (sa) {
+int match = apr_sockaddr_equal(sa, r->useragent_addr);
+
+ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03355)
+ "access check for %s as '%s': %s",
+ r->useragent_ip, w, match? "yes": "no");
+if (match) {
+return AUTHZ_GRANTED;
+}
+
+sa = sa->next;
+}
+}
+else {
+ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(03356)
+ "No sockaddr info for \"%s\"", w);
+}
+
+/* stop processing, we are in a comment */
+if (hash_ptr) {
+break;
+}
+}
+
+return AUTHZ_DENIED;
+}
+
static authz_status local_check_authorization(request_rec *r,
const char *require_line,
const void *parsed_require_line)
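Review bot: The warning logged under APLOGNO(03356) passes `0` as the status argument and so discards the APR error returned by the failed `apr_sockaddr_info_get`, leaving the admin no way to tell an unresolvable name from a resolver timeout or a malformed token; pass the status through instead: `ap_log_rerror(APLOG_MARK, APLOG_WARNING, rv, r, APLOGNO(03356)`. The lookup also runs synchronously on every request for every configured name, so a slow or unreachable resolver stalls request processing and a resolver whose answers can be spoofed lets an attacker-chosen address satisfy the Require; a comment above the `apr_sockaddr_info_get` call such as `/* Blocking forward lookup on every request; the grant is only as trustworthy as the resolver's answer. */` would make that trust boundary explicit to the next maintainer. The three calls with an empty argument slot (`ap_expr_str_exec`, `ap_getword_conf`, `apr_sockaddr_info_get`) appear to have lost their `&err`, `&t` and `&sa` address-of arguments in rendering; presumably they are intact in the original patch.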
@@ -265,6 +330,12 @@
_parse_config,
};
+static const authz_provider authz_forward_dns_provider =
+{
+_dns_check_authorization,
+_parse_config,
+};
+
static const authz_provider authz_local_provider =
{
_check_authorization,
@@ -309,6 +380,10 @@
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "host",
AUTHZ_PROVIDER_VERSION,
_host_provider, AP_AUTH_INTERNAL_PER_CONF);
+ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "forward-dns",
+