Re: access control for dynamic hosts (vote?)

2016-03-06 Thread Mario Brandt
+1

On 6 March 2016 at 14:12, Fabien wrote:
>
>> Attached is a patch against the sources, including documentation, which
>> uses the syntax "Require forward-dns foo.apache.org".
>
>
> Here is a v2 which adds a missing "/" in the XML documentation.
>
> --
> Fabien.


Re: access control for dynamic hosts (vote?)

2016-03-06 Thread Fabien


Attached is a patch against the sources, including documentation, which uses
the syntax "Require forward-dns foo.apache.org".


Here is a v2 which adds a missing "/" in the XML documentation.

--
Fabien.

Index: docs/log-message-tags/next-number
===
--- docs/log-message-tags/next-number	(revision 1733791)
+++ docs/log-message-tags/next-number	(working copy)
@@ -1 +1 @@
-3354
+3357
Index: docs/manual/mod/mod_authz_host.xml
===
--- docs/manual/mod/mod_authz_host.xml	(revision 1733791)
+++ docs/manual/mod/mod_authz_host.xml	(working copy)
@@ -58,7 +58,8 @@
 Apache's Require
 directive is used during the authorization phase to ensure that a user is allowed or
 denied access to a resource.  mod_authz_host extends the
-authorization types with ip, host and local.
+authorization types with ip, host,
+forward-dns and local.
 Other authorization types may also be
 used but may require that additional authorization modules be loaded.
 
@@ -157,6 +158,29 @@
 
 
 
+Require forward-dns
+
+The forward-dns provider allows access to the server
+to be controlled based on simple host names.  When
+Require forward-dns host-name is specified,
+all IP addresses corresponding to host-name
+are allowed access.
+
+In contrast to the host provider, this provider does not
+rely on reverse DNS lookups: it simply queries the DNS for the host name
+and allows a client if its IP matches.  As a consequence, it will only
+work with host names, not domain names.  However, as the reverse DNS is
+not used, it will work with clients which use a dynamic DNS service.
+
+
+Require forward-dns bla.example.org
+
+
+A client the IP of which is resolved from the name
+bla.example.org will be granted access.
+
+
+
 Require local
 
 The local provider allows access to the server if any
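Review bot: the new section should state the trust assumption it introduces: access is granted to whatever addresses the DNS returns for host-name at the time of the request, so whoever controls that zone, or can spoof the answers your resolver receives, controls access; suggest adding a sentence recommending the provider only for names in zones the administrator controls and, where available, a DNSSEC-validating resolver. Two wording points: "it will only work with host names, not domain names" is ambiguous, better "a full host name such as bla.example.org, not a domain suffix such as example.org"; and "A client the IP of which is resolved from the name bla.example.org" reads awkwardly, suggest "A client whose IP address is one of the addresses bla.example.org resolves to will be granted access." It is also worth saying that the lookup happens on every request (forward_dns_check_authorization below calls apr_sockaddr_info_get per request, with no caching), so a slow or unreachable resolver delays each request to the protected resource.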
Index: modules/aaa/mod_authz_host.c
===
--- modules/aaa/mod_authz_host.c	(revision 1733791)
+++ modules/aaa/mod_authz_host.c	(working copy)
@@ -216,6 +216,71 @@
 return AUTHZ_DENIED;
 }
 
+static authz_status
+forward_dns_check_authorization(request_rec *r,
+const char *require_line,
+const void *parsed_require_line)
+{
+const char *err = NULL;
+const ap_expr_info_t *expr = parsed_require_line;
+const char *require, *t;
+char *w;
+
+/* the require line is an expression, which is evaluated now. */
+require = ap_expr_str_exec(r, expr, );
+if (err) {
+  ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03354)
+"Can't evaluate require expression: %s", err);
+  return AUTHZ_DENIED;
+}
+
+/* tokenize expected list of names */
+t = require;
+while ((w = ap_getword_conf(r->pool, )) && w[0]) {
+
+apr_sockaddr_t *sa;
+apr_status_t rv;
+char *hash_ptr;
+
+/* stop on apache configuration file comments */
+if ((hash_ptr = ap_strchr(w, '#'))) {
+if (hash_ptr == w) {
+break;
+}
+*hash_ptr = '\0';
+}
+
+/* does the client ip match one of the names? */
+rv = apr_sockaddr_info_get(, w, APR_UNSPEC, 0, 0, r->pool);
+if (rv == APR_SUCCESS) {
+
+while (sa) {
+int match = apr_sockaddr_equal(sa, r->useragent_addr);
+
+ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03355)
+  "access check for %s as '%s': %s",
+  r->useragent_ip, w, match? "yes": "no");
+if (match) {
+return AUTHZ_GRANTED;
+}
+
+sa = sa->next;
+}
+}
+else {
+ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(03356)
+  "No sockaddr info for \"%s\"", w);
+}
+
+/* stop processing, we are in a comment */
+if (hash_ptr) {
+break;
+}
+}
+
+return AUTHZ_DENIED;
+}
+
 static authz_status local_check_authorization(request_rec *r,
   const char *require_line,
   const void *parsed_require_line)
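Review bot: as quoted here the address-of arguments are missing from three calls (`ap_expr_str_exec(r, expr, );`, `ap_getword_conf(r->pool, )` and `apr_sockaddr_info_get(, w, APR_UNSPEC, 0, 0, r->pool)`), so the text as shown would not compile; the `&err`, `&t` and `&sa` arguments look like they were lost when the mail was archived, so check them in the committed version. On the logic: the resolver is called synchronously on every request, so a name that fails to resolve both denies the client (correct, fail closed) and logs APLOGNO(03356) at WARNING on every request, which can flood the error log for a dynamic-DNS name that is temporarily unregistered; consider INFO for that message or documenting the behaviour. The per-address comparison of r->useragent_addr with apr_sockaddr_equal is the right check (address only, port ignored, IPv4-mapped IPv6 handled), and APR_UNSPEC returns both IPv4 and IPv6 results, so dual-stack clients are covered. The `#` handling matches the existing ip provider's, so no objection there.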
@@ -265,6 +330,12 @@
 _parse_config,
 };
 
+static const authz_provider authz_forward_dns_provider =
+{
+_dns_check_authorization,
+_parse_config,
+};
+
 static const authz_provider authz_local_provider =
 {
 _check_authorization,
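Review bot: the two initializers of authz_forward_dns_provider show as `_dns_check_authorization` and `_parse_config` with the leading `&name` portion missing, the same truncation seen in the function body above; verify that the committed struct points at forward_dns_check_authorization and at the same parse callback the host provider uses, since the require line is evaluated with ap_expr_str_exec and therefore has to be pre-parsed as an expression.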
@@ -309,6 +380,10 @@
 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "host",
   AUTHZ_PROVIDER_VERSION,
   _host_provider, AP_AUTH_INTERNAL_PER_CONF);
+ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "forward-dns",
+
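Review bot: the registration hunk is cut off after `"forward-dns",`; the AUTHZ_PROVIDER_VERSION argument, the provider pointer and the AP_AUTH_INTERNAL_PER_CONF flag that the "host" registration just above passes are not visible here, so the archive does not show whether the new provider is registered with matching arguments. Anyone applying the patch from this archive will need the original attachment rather than the quoted text.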

Re: access control for dynamic hosts (vote?)

2016-03-06 Thread Yann Ylavic
On Sun, Mar 6, 2016 at 8:13 AM, Fabien wrote:
>
> I'm proposing to commit the patch if I'm given a go.
>
> Vote?

LGTM, +1

Regards,
Yann.


Re: Add mod_proxy_http2 for NetWare build - Take 2

2016-03-06 Thread Stefan Eissing
Thanks Norm, will look at it tomorrow. 

> On 05.03.2016 at 23:54, NormW wrote:
> 
> G/M,
> This supersedes Take 1 due to additional exports now needed by
> mod_proxy_http2 from mod_proxy and mod_http2.
> Same caveat applies re tweaks to mod_proxy_http2 source files.
> Norm
> 
>