Hi.
Michael Alipio wrote:
> I have the following directives in .htaccess in one of
> my directories.
>
> <Limit HEAD GET POST>
> order allow,deny
> allow from myhost.dyndns.org
> </Limit>
>
> Now for the testing:
> dig myhost.dyndns.org.. the hostname resolves
> properly.
> When I tried it on my browser, I kept getting denied.
> When I looked at my error log, it says, denied by
> server configuration....
> When I looked at the access log, I saw that when my pc
> accessed the website, apache did reverse lookup on the
> IP and it has the hostname given by my ISP, not the
> one I registered in dyndns.org. Basically I just want
> to only allow my dynamic IP workstation to access a
> particular directory in my website. Seems like "allow
> from hostname" is not working for me. I'm using the
> latest apache2.
> Any idea what might be causing this?

The first question is whether you should not just implement a simple
authentication for your server. It's really easy if you do not have
many users. Then you get rid of the IP-based control.
Look here:
http://httpd.apache.org/docs/2.2/en/mod/mod_auth_basic.html
and

<Location />
    # AuthType can also be Digest
    AuthType Basic
    AuthName "pirates be gone"
    AuthUserFile /web/users
    Require valid-user
</Location>

and look up htpasswd to create the users.

-- next, about what you are asking above --

I think you have the reasoning almost right, but not 100%.

When your httpd server receives the request, it knows only from which IP
it is coming, it doesn't know any name (yet).
When it encounters your "Allow from (domain)" line(s), it will try a DNS
reverse lookup with the IP, to check if this IP corresponds to any of
the domains given.

This reverse DNS lookup however will (at best) give back the name given
to this IP address by the dynamic address allocation system of your
provider, e.g. something like "tip2345.dialup-timbuctu.myisp.net".
This will not match the domain in the Allow directive, thus will be
rejected. (Or worse, your ISP does not do reverse IP registration, and
the request will return "NXdomain", and it will still not match in Apache).

Not recommended solution:

If it's not very critical, and you are quite sure that your server is
well-configured, and you notice that the DNS name your ISP is giving you
always ends in the same thing (like "dialup-timbuctu.myisp.net"), you
could always put a directive "Allow from dialup-timbuctu.myisp.net", but
understand what it does first, and don't tell anyone I told you to do
that. It basically restricts the IPs allowed to access your server from
several million to several tens of thousands.
So don't do this at work.
And forget I even mentioned that.

Better:

If you only need to do this occasionally, and have full control over the
server, then find out your current IP address and replace your "Allow
from (name)" by "Allow from (ip-address)" and restart Apache. You'll
have to redo this each time your IP changes.

If you do need this more often and find the above a pain, but still can
restart your server whenever you want, then the simplest way may be a
small script which will find out your IP address, go modify the Allow
line above in httpd.conf, and restart your server. Then make this an
icon on your desktop, so you can just click on it.
Perl is your friend for things like that.

If it's more permanent, then there might be another way, if you have a
DNS domain at which you can ask for changes:
It is possible to register a name in your own domain, and tell the DNS
server to go look up the dyndns.org name that you registered to get the
current IP address (*). Then your own domain's DNS server can answer
reverse DNS queries (and you'll have to make sure that your httpd server
is asking it first).
Then instead of saying "Allow from xyz.dyndns.org", you would say "Allow
from xyz.mydomain.com".
If your httpd server is at work, buy the DNS guy a beer.
Of course, you will still have to make sure that the dyndns IP
registration is kept current when your real IP changes, but I suppose
you already do that.

And finally, if you're really adventurous, you could write a mod_perl
add-on module for Apache (as a PerlAccessHandler), that will do all this
dynamically for you each time you connect. Then maybe the DNS guy will
buy you a beer, because he could use it too.
But maybe go check the CPAN first, someone else may have preceded you.

There might be smarter ways to do this, and I'm sure other people have
better ideas. But maybe then, you should tell us which platform you
are on, and which version of Apache.

André

(*) essentially, you are telling your own DNS server that
"xyz.mycompany.com" is an alias for "xyz.dyndns.org".

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
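
The "small script" approach described in the reply above, as an added example that is not part of the original message or of Apache itself: it does a forward lookup of the dyndns.org name (the direction that record is kept current) and rewrites the matching "Allow from" line with the resulting address. The `# dyn-allow` marker comment, the function names and the sample addresses are assumptions of this example.

```python
import ipaddress
import re
import socket

# Marker convention (an assumption of this example, not an Apache feature):
#   # dyn-allow myhost.dyndns.org
#   Allow from 203.0.113.7
MARKER = re.compile(r"^\s*#\s*dyn-allow\s+(\S+)\s*$", re.I)
ALLOW = re.compile(r"^(\s*)allow\s+from\s+\S+\s*$", re.I)


def resolve_ipv4(hostname):
    """Forward lookup (name -> address), the direction dyndns.org keeps current."""
    return socket.gethostbyname(hostname)


def refresh_allow_lines(conf_text, resolve=resolve_ipv4):
    """Return (new_text, changed) with each marked 'Allow from' line set to the current IP."""
    lines = conf_text.splitlines()
    changed = False
    for i, line in enumerate(lines[:-1]):
        marker = MARKER.match(line)
        target = ALLOW.match(lines[i + 1])
        if not (marker and target):
            continue
        # Reject anything that is not a literal address before it reaches the config.
        ip = str(ipaddress.ip_address(resolve(marker.group(1))))
        new_line = f"{target.group(1)}Allow from {ip}"
        if lines[i + 1] != new_line:
            lines[i + 1] = new_line
            changed = True
    return "\n".join(lines) + "\n", changed


# Constructed sample: the poster's block with the marker line added.
SAMPLE = """<Limit HEAD GET POST>
order allow,deny
# dyn-allow myhost.dyndns.org
allow from 198.51.100.20
</Limit>
"""

if __name__ == "__main__":
    # Constructed resolver so the demo runs offline; drop the argument to use real DNS.
    text, changed = refresh_allow_lines(SAMPLE, lambda name: "203.0.113.7")
    print(text, "changed:", changed)
```

When the rewritten text goes into httpd.conf, run `apachectl configtest` before `apachectl graceful`; a .htaccess file is re-read on each request and needs no restart.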