PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- *) mod_authz_host: add "forward-dns" authorization provider
- trunk patch: http://svn.apache.org/r1734412
- 2.4.x patch: trunk should work (possible minor issue on next-number)
- +1: fabien, ylavic, jim
- ylavic: I would have liked more (doc) emphasis on the lower security of
- "Require forward-dns" vs "Require host"'s double DNS lookup but
- that could/should be a (short) follow up, though if it can be done
- before the third vote feel free to keep mine :)
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
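Review bot: removing the accepted entry from STATUS is the normal step once the backport lands, but the removed lines also carry ylavic's request for a (doc) follow-up stressing that "Require forward-dns" is weaker than "Require host"'s double DNS lookup, and nothing tracks that follow-up once the entry is gone; either include the extra doc wording in the same commit or leave a short item for it under PATCHES PROPOSED so it is not lost.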
<p>Apache's <directive module="mod_authz_core">Require</directive>
directive is used during the authorization phase to ensure that a user is allowed or
denied access to a resource. mod_authz_host extends the
- authorization types with <code>ip</code>, <code>host</code> and <code>local</code>.
+ authorization types with <code>ip</code>, <code>host</code>,
+ <code>forward-dns</code> and <code>local</code>.
Other authorization types may also be
used but may require that additional authorization modules be loaded.</p>
</section>
+<section id="reqfwddns"><title>Require forward-dns</title>
+
+ <p>The <code>forward-dns</code> provider allows access to the server
+ to be controlled based on simple host names. When
+ <code>Require forward-dns <var>host-name</var></code> is specified,
+ all IP addresses corresponding to <code><var>host-name</var></code>
+ are allowed access.</p>
+
+ <p>In contrast to the <code>host</code> provider, this provider does not
+ rely on reverse DNS lookups: it simply queries the DNS for the host name
+ and allows a client if its IP matches. As a consequence, it will only
+ work with host names, not domain names. However, as the reverse DNS is
+ not used, it will work with clients which use a dynamic DNS service.</p>
+
+ <highlight language="config">
+Require forward-dns bla.example.org
+ </highlight>
+
+ <p>A client the IP of which is resolved from the name
+ <code>bla.example.org</code> will be granted access.</p>
+
+</section>
+
<section id="reqlocal"><title>Require local</title>
<p>The <code>local</code> provider allows access to the server if any
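Review bot: the new reqfwddns section should state the trust consequence of skipping the reverse lookup, which is the doc emphasis requested in STATUS: because the provider "simply queries the DNS for the host name", access is granted to whatever address the forward zone for that name currently returns, so anyone who can change that zone (or the resolver's answer) controls who matches, and the cross-check that the host provider gets from resolving in both directions is absent. One sentence after "it will work with clients which use a dynamic DNS service", along the lines of "This also means the check is only as trustworthy as the DNS data for that name; prefer the host or ip providers where the reverse mapping is under your control", would cover it. Minor wording: "A client the IP of which is resolved from the name" reads awkwardly; suggest "A client whose IP address is one of those that <code>bla.example.org</code> resolves to will be granted access."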
return AUTHZ_DENIED;
}
+static authz_status
+forward_dns_check_authorization(request_rec *r,
+ const char *require_line,
+ const void *parsed_require_line)
+{
+ const char *err = NULL;
+ const ap_expr_info_t *expr = parsed_require_line;
+ const char *require, *t;
+ char *w;
+
+ /* the require line is an expression, which is evaluated now. */
+ require = ap_expr_str_exec(r, expr, &err);
+ if (err) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03354)
+ "Can't evaluate require expression: %s", err);
+ return AUTHZ_DENIED;
+ }
+
+ /* tokenize expected list of names */
+ t = require;
+ while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
+
+ apr_sockaddr_t *sa;
+ apr_status_t rv;
+ char *hash_ptr;
+
+ /* stop on apache configuration file comments */
+ if ((hash_ptr = ap_strchr(w, '#'))) {
+ if (hash_ptr == w) {
+ break;
+ }
+ *hash_ptr = '\0';
+ }
+
+ /* does the client ip match one of the names? */
+ rv = apr_sockaddr_info_get(&sa, w, APR_UNSPEC, 0, 0, r->pool);
+ if (rv == APR_SUCCESS) {
+
+ while (sa) {
+ int match = apr_sockaddr_equal(sa, r->useragent_addr);
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03355)
+ "access check for %s as '%s': %s",
+ r->useragent_ip, w, match? "yes": "no");
+ if (match) {
+ return AUTHZ_GRANTED;
+ }
+
+ sa = sa->next;
+ }
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(03356)
+ "No sockaddr info for \"%s\"", w);
+ }
+
+ /* stop processing, we are in a comment */
+ if (hash_ptr) {
+ break;
+ }
+ }
+
+ return AUTHZ_DENIED;
+}
+
static authz_status local_check_authorization(request_rec *r,
const char *require_line,
const void *parsed_require_line)
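Review bot: apr_sockaddr_info_get() in the token loop performs a blocking forward DNS lookup for every name on every request, with no caching, so a slow or unreachable resolver stalls each request and the WARNING at APLOGNO(03356) is emitted per request while a name stays unresolvable; worth a comment here and a note in the docs that the lookup cost is paid per request. The error path is fail-closed (lookup error and expression error both return AUTHZ_DENIED), which is right. Two smaller points: apr_sockaddr_equal() against r->useragent_addr compares addresses only and honours IPv4-mapped IPv6, so the port argument of 0 is fine, and since the function accepts numeric strings, "Require forward-dns 192.0.2.1" will also match (undocumented, harmless). Finally, APLOGNO 03354-03356 are the trunk numbers; as the STATUS line "possible minor issue on next-number" warns, confirm they do not collide with numbers already assigned in 2.4.x before committing.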
&host_parse_config,
};
+static const authz_provider authz_forward_dns_provider =
+{
+ &forward_dns_check_authorization,
+ &host_parse_config,
+};
+
static const authz_provider authz_local_provider =
{
&local_check_authorization,
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "host",
AUTHZ_PROVIDER_VERSION,
&authz_host_provider, AP_AUTH_INTERNAL_PER_CONF);
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "forward-dns",
+ AUTHZ_PROVIDER_VERSION,
+ &authz_forward_dns_provider,
+ AP_AUTH_INTERNAL_PER_CONF);
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "local",
AUTHZ_PROVIDER_VERSION,
&authz_local_provider, AP_AUTH_INTERNAL_PER_CONF);
+++ /dev/null
-/* Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/**
- * @file mod_ssl_openssl.h
- * @brief Interface to OpenSSL-specific APIs provided by mod_ssl
- *
- * @defgroup MOD_SSL mod_ssl_openssl
- * @ingroup APACHE_MODS
- * @{
- */
-
-#ifndef __MOD_SSL_OPENSSL_H__
-#define __MOD_SSL_OPENSSL_H__
-
-#include "mod_ssl.h"
-
-/* OpenSSL headers */
-
-#ifndef SSL_PRIVATE_H
-#include <openssl/opensslv.h>
-#if (OPENSSL_VERSION_NUMBER >= 0x10001000)
-/* must be defined before including ssl.h */
-#define OPENSSL_NO_SSL_INTERN
-#endif
-#include <openssl/ssl.h>
-#endif
-
-/**
- * init_server hook -- allow SSL_CTX-specific initialization to be performed by
- * a module for each SSL-enabled server (one at a time)
- * @param s SSL-enabled [virtual] server
- * @param p pconf pool
- * @param is_proxy 1 if this server supports backend connections
- * over SSL/TLS, 0 if it supports client connections over SSL/TLS
- * @param ctx OpenSSL SSL Context for the server
- */
-APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, init_server,
- (server_rec *s, apr_pool_t *p, int is_proxy, SSL_CTX *ctx))
-
-/**
- * pre_handshake hook
- * @param c conn_rec for new connection from client or to backend server
- * @param ssl OpenSSL SSL Connection for the client or backend server
- * @param is_proxy 1 if this handshake is for a backend connection, 0 otherwise
- */
-APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, pre_handshake,
- (conn_rec *c, SSL *ssl, int is_proxy))
-
-/**
- * proxy_post_handshake hook -- allow module to abort after successful
- * handshake with backend server and subsequent peer checks
- * @param c conn_rec for connection to backend server
- * @param ssl OpenSSL SSL Connection for the client or backend server
- */
-APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, proxy_post_handshake,
- (conn_rec *c, SSL *ssl))
-
-#endif /* __MOD_SSL_OPENSSL_H__ */
-/** @} */
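Review bot: the deletion of mod_ssl_openssl.h ("+++ /dev/null" followed by the whole header being removed) has nothing to do with the mod_authz_host forward-dns proposal and is not mentioned in the STATUS entry; it looks like a 2.4.x-vs-trunk artifact that was swept into this diff. Drop it from this backport, or if removing the mod_ssl hook header is intended, give it its own STATUS proposal and votes, since it changes an exported module API.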