On 24-03-2012 02:38, John Karr wrote:
I have an application that uses both IP and credential authentication; currently, to update the "allow from" list I have to edit a file and restart the server. My next release will be using Apache 2.4 with dbd authentication. I was wondering if there were a way to either have Apache get its IP address list for "allow from" from the database, or to dynamically update the list Apache was using, without needing to restart the server.
I have a way, but it's not necessarily pretty, and someone should
probably shoot me for mentioning this.
What you can do, since the dawn of Man (or, since mod_rewrite), is use
RewriteMap creatively and run it through a program, that checks if the
IP is on a white-list, and if not, rewrite the URI to serve a static
"forbidden!" file. The idea is that, as you can pass on any httpd
argument, header etc in a rewrite, you can pass on both the IP and the
request URI to a program, that then splits it up, checks the IP, and if
it checks out, passes back the URI.
First off, you would need to apply something like this to your
configuration:
RewriteMap checkip prg:/path/to/checkip.pl
<Directory "/path/to/forbidden/zone">
    RewriteEngine On
    RewriteRule .* ${checkip:%{REMOTE_ADDR}:%{REQUEST_URI}} [L]
</Directory>
You would then have a corresponding program (checkip.pl) running (httpd
takes care of running this in the background for you):
#!/usr/bin/perl
use strict;
use warnings;
$| = 1; # Turn off I/O buffering: httpd waits for each answer line

sub DatabaseLookup {
    my ($ip) = @_;
    #doStuffHere(); # query the database, return 1 if $ip is on the list
    return 0;       # placeholder: deny until the lookup is implemented
}

while (<STDIN>) { # For each incoming IP request, look it up in the db.
    chomp;
    # Separate the IP and the URI in the string httpd gave us; limit the
    # split to two fields so a ':' inside the URI isn't thrown away
    my ($ip, $uri) = split(/:/, $_, 2);
    # Run some checks here to see if the IP matches one on our list
    if (DatabaseLookup($ip) == 1) {
        print("$uri\n"); # Allow the request through, unaltered
    }
    else { # If the IP isn't on our list, then...
        print("/forbidden.html\n"); # Redirect to some static error file
    }
}
As mentioned, this is probably but one of the methods you could use, and
it's prone to be a bottleneck if you have a lot of requests going on at
once - but I've tested it and it works, so that's at least something.
I'm done - send in the firing squad.
With regards,
Daniel.
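As an added example (not Daniel's script and not part of the thread), the same RewriteMap "prg:" idea with two changes a practitioner would want: the helper receives only the client address and answers "allow" or "deny", so the request URI is never split on ':' (which also keeps IPv6 addresses intact), and the allow-list is re-read from the database on a short TTL so table edits take effect without a restart. The database is a constructed in-memory SQLite table standing in for the real one; the script path and the table name are assumptions, and the matching httpd configuration is shown in the module docstring.

```python
#!/usr/bin/env python3
"""RewriteMap "prg:" helper: answers "allow" or "deny" for each client IP.

Matching httpd configuration (hypothetical paths; RewriteMap must sit in
server or virtual-host context, not inside <Directory>):

    RewriteMap ipcheck "prg:/usr/local/sbin/checkip.py"
    <Directory "/path/to/forbidden/zone">
        RewriteEngine On
        RewriteCond ${ipcheck:%{REMOTE_ADDR}|deny} !=allow
        RewriteRule .* /forbidden.html [L]
    </Directory>

The "|deny" default makes the rule fail closed if the helper dies.
"""
import ipaddress
import sqlite3
import sys
import time


def open_allowlist_db():
    """Constructed stand-in for the real database: an in-memory SQLite table of
    allowed hosts and CIDR ranges. A production helper would open the same
    database mod_dbd uses (table name allowed_networks is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE allowed_networks (cidr TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO allowed_networks VALUES (?)",
                     [("192.0.2.10/32",), ("198.51.100.0/24",), ("2001:db8::/32",)])
    conn.commit()
    return conn


def load_networks(conn):
    """Fetch the allow-list and parse it once; malformed rows are skipped."""
    nets = []
    for (cidr,) in conn.execute("SELECT cidr FROM allowed_networks"):
        try:
            nets.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            continue
    return nets


class AllowList:
    """Caches the parsed allow-list and re-reads it after ttl seconds, so a
    change in the table is picked up without restarting httpd."""

    def __init__(self, conn, ttl=30.0, clock=time.monotonic):
        self.conn, self.ttl, self.clock = conn, ttl, clock
        self.loaded_at, self.networks = None, []

    def refresh_if_stale(self):
        now = self.clock()
        if self.loaded_at is None or now - self.loaded_at >= self.ttl:
            self.networks = load_networks(self.conn)
            self.loaded_at = now

    def decide(self, key):
        """Return 'allow' or 'deny' for one lookup key (the client address)."""
        self.refresh_if_stale()
        try:
            addr = ipaddress.ip_address(key.strip())
        except ValueError:
            return "deny"  # not an address at all: fail closed
        # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d; compare
        # the embedded IPv4 address so IPv4 rows in the table still match.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        return "allow" if any(addr in net for net in self.networks) else "deny"


def serve(allowlist, stdin=sys.stdin, stdout=sys.stdout):
    """httpd writes one key per line and blocks until it reads one answer line,
    so every answer must be flushed immediately."""
    for line in stdin:
        stdout.write(allowlist.decide(line) + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve(AllowList(open_allowlist_db()))
```

Keeping the URI out of the map key means the rewrite never has to hand the original path back, which removes the colon-splitting problem from the Perl version. Since the original question targets 2.4 with mod_dbd, the lookup can also be done without a helper process through mod_rewrite's 2.4 `dbd:`/`fastdbd:` map types (e.g. `RewriteMap ipcheck "fastdbd:SELECT 'allow' FROM allowed_ips WHERE ip = %s"`, with mod_dbd's DBDriver/DBDParams configured); that is an exact-match lookup, so CIDR ranges still need either an expanded table or a helper like the one above.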