On 25-03-2012 00:12, John Karr wrote:
I hadn't wanted to mention what I was thinking of doing as an
alternative, because I really hoped that there was a better answer
that I had failed to read/find the documentation on!
My two solutions in mind were (a) the application that maintains the
ip list writes out a fresh copy of the ip allow from config file and a
cron job periodically restarts apache (b) my stored procedure that
apache uses for checking passwords takes the ip address as an added
parameter and has the database check the ip address. I don't like (a)
because it will require me to restart the server frequently or accept
a long potential delay in updates to the ip table. I don't like (b)
because I would rather a user from an unauthorized address be
completely blocked and not even redirected to login and when working
on the config I would prefer separate queries/stored_procedures for ip
and credentials.
It's still only early Monday morning - perhaps some whiz kid will wake up
and give the right answer soon.
In the meantime, httpd comes with a set of modules and directives that
will satisfy 99% of the population, but there will always be things that
have either not been thought of, or are better suited as third party
modules. There is, after all, a very useful API built into httpd that
you can make use of rather easily and quickly if you have special needs for
your web server. So, when in doubt, make a module!
And so I did; I made an example module that takes a text file (with a
caching mechanism for only reading it if/when it updates), rifles
through it, and checks if an IP is on the list or not. The example
module source code can be found at
http://www.humbedooh.com/mod_gatekeeper.zip and works with 2.4. The
simple directives that you can put into place are:
<Location /foo/bar>
GKEngine on
GKAllow ip /foo/bar/allowed_ips.txt
GKDeny ip /foo/bar/denied_ips.txt
</Location>
This is somewhat like writing a new .htaccess with updated rules
whenever the IP list changes, but it has the advantage of being
significantly faster in its execution since it only reads changes to
your list when they occur.
One could (and I probably will) continue to work on this module,
eventually allowing one to make more complex requirements using mod_dbd
as a database gateway, such as:
<Location /foo>
GKAllow REMOTE_HOST in mod_dbd using "SELECT `ip` FROM `grantedlist` WHERE `ip` = ?"
GKAllow REMOTE_USER,REMOTE_PASSWORD in mod_dbd using "SELECT `user` FROM `grantedusers` WHERE `user` = ? AND `password` = MD5(?)"
GKDeny from file /foo/bar/deny.txt
</Location>
I'm guessing this is more along the lines you had in mind? If so, I'll
likely continue to work on this module over the course of the summer,
and if it wasn't exactly what you had in mind, any input or opinions you
may have are of course very welcome either on users@, or private to
humbed...@apache.org.
With regards,
Daniel.