this might be quite obvious...
I would be fine with this solution:-)
--
Fabien.
ith "forward-dns" because the attacker needs only to control the
DNS for the domain, while they would also need to control the reverse DNS
with "host". Now, if you have important confidential data, they would not
be only protected by host-based authorizations, would they?
--
Fabien.
Hello Yann,
https://svn.apache.org/viewvc?view=revision&revision=1734412
Sounds reasonable, would you add an entry in the STATUS file (at the
root of branches/2.4.x) to start the vote (with your own)?
Ok. I did that as r1735616.
--
Fabien.
feature which does not disrupt much the
code base, just add a function and a new authorization provider.
Now I'm not sure of the update policy on "bug fix" release, maybe adding a
feature is too much, in which case apply the policy and do not backport:-)
--
Fabien.
Currently 2 votes:
+1: Mario Brandt, Yann Ylavic
I think you can go ahead, trunk is in CTR (Commit Then Review) mode.
I just committed the changes as r1734412:
https://svn.apache.org/viewvc?view=revision&revision=1734412
--
Fabien.
Hello Yann,
+1: Mario Brandt, Yann Ylavic
I think you can go ahead, trunk is in CTR (Commit Then Review) mode.
Ok, I'll do a last check and commit soon.
--
Fabien.
I'm proposing to commit the patch if I'm given a go.
Currently 2 votes:
+1: Mario Brandt, Yann Ylavic
--
Fabien.
Attached is a patch against the sources, including documentation, which uses
the syntax "Require forward-dns foo.apache.org".
Here is a v2 which adds a missing "/" in the XML documentation.
--
Fabien.
Index: docs/log-message-tags/next-number
===
Hello Apache developers,
Unfortunately I think you need to pick an awkward name here so it
cannot be confused/misused. Like "forward-dns"
Attached is a patch against the sources, including documentation,
which uses the syntax "Require forward-dns foo.apache.org".
The second file is the s
at caching anything, as the actual use case is to deal
with dynamic dns hosts, so with pretty short refresh times. Caching is the
problem of the dns resolver.
--
Fabien.
uire domain" because
it is what it does, then "Require host" would be available... but this is
too late:-)
Maybe "Require ip" could be extended instead of using a new name:
"Require ip myserver.apache.org"
Would query the DNS to get the IP when checking for the authorization.
Not sure that it is a good idea, though.
--
Fabien.
domain.org
???
--
Fabien.
g to have a
way to specify host names *only* which are checked forward *only*.
Require xxx foo.apache.org
# allows ip of "foo.apache.org", just by resolving the name
For use with dyndns services.
--
Fabien.
can
then be allowed.
But this also means that if the reverse dns is not controlled, say with
the dynamic dns and a moving ip, ip control does not work, hence my
proposal for a lesser version which just checks that a client ip is
allowed just by resolving a name.
--
Fabien.
Forbidden
...
So the client was not authorized, but after a reload with a "Require name
NNN" from the submitted module:
sh> netcat 3128
GET http://www.google.fr/ HTTP/1.0
HTTP/1.1 200 OK
Date: Thu, 14 Jan 2016 21:30:40 GMT
Server: gws
...
Maybe the reverse dns is working on your test address?
--
Fabien.
Hello Apache devs,
Would anyone have an opinion, please?
Although I can just commit the proposed changes, a formal go would be
nice.
On Sun, 20 Dec 2015, Fabien wrote:
Date: Sun, 20 Dec 2015 09:44:55 +0100 (CET)
From: Fabien
Reply-To: dev@httpd.apache.org
To: APACHE development mailing
name" is the best... name for the authorization
provider, though.
I could append this to mod_authz_host.c & update the documentation if I'm
given a go.
--
Fabien
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTI
le for that, and as it is somehow quite
a basic service it could be a candidate for being added to
"modules/aaa/mod_authz_host.c".
Another approach could be to extend apache expressions with a function
to query the DNS, but that seems a little overkill.
Any thoughts?
--
Fabien.
I've proposed copying/backporting mod_macro to 2.4 !
Fine with me.
I would suggest to consider backporting "Warning" as well, which is used
by mod_macro non-regressions tests.
--
Fabien.
guration, maybe some carefully
designed example macros could be defined and used here and there to show
how great that can be?
Also, maybe some mention of the module should appear in "configuring" and
"sections" in the documentation?
--
Fabien
The only unresolved contribution is:
- Paul Mcilwaine ,
Mike Papper
(Mac OS X compilation issue with boolean/false/true)
Fabien -- can you review/describe it here?
It was a bug report about mod_macro compilation on MacOS X. It defines a
boolean type with true and false constants
Thanks Fabien. I am striking out on a valid e-mail for Dirk. Do you
recall if he even sent in a patch, and if so the size/scope?
It was not a patch. It was a bug report about the "Warning & Error"
directives which were coredumping on Apache 2.2 because of changes between
pache 2.2)
- Jorge Schrauwen
(64 bits compilation "dsp" file)
- Marc M. Adkins
(Makefile for Windows compilation)
- Axel Beckert
(2 line fix to skip comments)
--
Fabien.
butor license agreement" required for mod_macro.
--
Fabien.
ts" or
declarations that can appear where they're really needed, or whether I'm
implicitly expected to use conservative C89 anyway.
If the latter is the right option, should not it be enforced explicitly
through configure?
--
Fabien
"UndefMacro xxx" or something similar.
I don't see any need for that. If there is a use case, then yes.
I do not really have a use case, but users have more imagination than me.
Without UndefMacro, it can lead to warnings on redefinitions that could
be considered noisy and could not be removed.
--
Fabien.
Dear httpd devs,
Mod_macro has been accepted for inclusion into Apache HTTP Server, and
my commit access has been extended to "httpd". I should do it when I have
time and I'm given the go ahead, hopefully within the month.
Some preliminary questions before doing anything.
The current module di
Galić +1
- Nick Kew +1
- MATSUMOTO Ryosue +1
- Günter Knauf +1
- Rich Bowen +1
Hopefully, someone will tell me if I have to do something.
--
Fabien.
I'm not sure
about whether it should be included or not in the default build.
--
Fabien.
Hello devs,
I have developed and maintained a small module called "mod_macro" since
1998. It is currently available at:
http://people.apache.org/~fabien/mod_macro/
I started it one day as I was fed up with copy-pasting configuration
directives from one virtual host to th
> Take a look at the worker.c file, worker_pre_config function for an
> example of how to modify the configuration tree.
Ok. I'm going to investigate that. It seems that I'll need to restructure
the whole stuff for apache 2 instead of the minimum time port I hoped for
initially.
Fabien.
be great if I had a pre/post read hook, really?!
How can I get one? Or should I investigate the 'tree' stuff and try to
cast my stuff into that?
Thanks again for your help,
--
Fabien
suggest another hook I could use ? I can't see any...
and the developer documentation is rather scarce and not up to date.
3/ or explain what I missed in the source code to understand the logic
behind all that.
Thanks in advance for your help!
--
Fabien.