Re: [users@httpd] allow from based on database query (2.4)

Sat, 24 Mar 2012 00:03:53 -0700 

On 24-03-2012 02:38, John Karr wrote:

I have an application that uses both ip and credentials authentication,
currently to update the "allow from" I have to edit a file and restart the
server. My next release will be using Apache 2.4 with dbd authentication, I
was wondering if there were a way to either have apache get its' ip address
list for "allow from" from the database or to dynamically update the list
apache was using without needing to restart the server.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
I have a way, but it's not necessarily pretty, and someone should probably shoot me for mentioning this. What you can do, since the dawn of Man (or, since mod_rewrite), is use RewriteMap creatively and run it through a program, that checks if the IP is on a white-list, and if not, rewrite the URI to serve a static "forbidden!" file. The idea is that, as you can pass on any httpd argument, header etc in a rewrite, you can pass on both the IP and the request URI to a program, that then splits it up, checks the IP, and if it checks out, passes back the URI.
First off, you would need to apply something like this to your configuration: 
<Directory "/path/to/forbidden/zone">
RewriteMap checkip prg:/path/to/checkip.pl
RewriteRule - ${checkip:%{REMOTE_ADDR}:%{REQUEST_URI}}
</Directory>
You would then have a corresponding program (checkip.pl) running (httpd takes care of running this in the background for you): 
#!/usr/bin/perl
$| = 1; # Turn off I/O buffering

sub DatabaseLookup {
    #doStuffHere();
}

while (<STDIN>) { #For each incoming IP request, look it up in the db.
($ip, $uri) = split(/:/); #Separate the IP and the URI in the string httpd gave us 

    #Run some checks here to see if the IP matches one on our list
    if (DatabaseLookup($ip) == 1) {
        print($uri); # Allow the request through, unaltered
    }
    else { # If the IP isn't on our list, then...
        print("/forbidden.html\n"); # Redirect to some static error file
    }
}
As mentioned, this is probably but one of the methods you could use, and it's prone to be a bottleneck if you have a lot of requests going on at once - but I've tested it and it works, so that's at least something. 

I'm done - send in the firing squad.

With regards,
Daniel.

Reply via email to