From: Ken Coar <coar@apache.org>
Date: Sat, 26 Apr 1997 12:21:14 +0000 (+0000)
Subject: 	Added Q&A concerning access restriction by host/domain name,
X-Git-Tag: APACHE_1_2b9~4
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1329fb92f95f4d140825e70f86df0997a0e2e018;p=apache

	Added Q&A concerning access restriction by host/domain name,
	and cleaned up a couple of nit.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@78025 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/misc/FAQ.html b/docs/manual/misc/FAQ.html
index 40b63846a8..c38a899beb 100644
--- a/docs/manual/misc/FAQ.html
+++ b/docs/manual/misc/FAQ.html
@@ -8,7 +8,7 @@
   <!--#include virtual="header.html" -->
   <H1>Apache Server Frequently Asked Questions</H1>
   <P>
-  $Revision: 1.43 $ ($Date: 1997/04/26 06:58:39 $)
+  $Revision: 1.44 $ ($Date: 1997/04/26 12:21:14 $)
   </P>
   <P>
   The latest version of this FAQ is always available from the main
@@ -25,7 +25,7 @@
 <!--    on his own system, which may not be configured for          -->
 <!--    multiviews.   Leave off the ".html" extension for absolute  -->
 <!--    links to sites which are known to run multiviews (e.g.,     -->
-<!--    apache.or or apacheweek.com).                               -->
+<!--    apache.org or apacheweek.com).                              -->
 <!--  - When adding items, make sure they're put in the right place -->
 <!--    - verify that the numbering matches up.                     -->
 <!--  - Don't forget to include an HR tag after the last /P tag     -->
@@ -42,8 +42,6 @@
 <!-- - can't bind to port 80                                        -->
 <!--   - permission denied                                          -->
 <!--   - address already in use                                     -->
-<!-- - access control based on DNS name really needs MAXIMUM_DNS    -->
-<!--   and double-check that rDNS resolves to name expected         -->
 <!-- - mod_auth & passwd lines "user:pw:.*" - ++1st colon onward is -->
 <!--   treated as pw, not just ++1st to --2nd.                      -->
 <!-- - SSL:                                                         -->
@@ -127,7 +125,7 @@
    <LI><A HREF="#cookies1">Why does Apache send a cookie on every response?</A>
    </LI>
    <LI><A HREF="#cookies2">Why don't my cookies work, I even compiled in 
-    mod_cookies?</A>
+    <SAMP>mod_cookies</SAMP>?</A>
    </LI>
    <LI><A HREF="#jdk1-and-http1.1">Why do my Java app[let]s give me plain text
     when I request an URL from an Apache server?</A>
@@ -150,6 +148,9 @@
    <LI><A HREF="#wheres-the-dump">The errorlog says Apache dumped core,
     but where's the dump file?</A>
    </LI>
+   <LI><A HREF="#dnsauth">Why isn't restricting access by host or domain name
+    working correctly?</A>
+   </LI>
    <LI><A HREF="#SSL-i">Why doesn't Apache include SSL?</A>
    </LI>
   </OL>
@@ -254,7 +255,7 @@
   <P>
   The Apache project's web site includes a page with a partial list of
   <A
-   HREF="http://www.apache.org/info/apache_users.html"
+   HREF="http://www.apache.org/info/apache_users"
   >sites running Apache</A>.
   </P>
   <HR>
@@ -286,7 +287,7 @@
   be swamped by a flood of trivial questions that can be resolved elsewhere.
   Bug reports and suggestions should be sent <EM>via</EM>
   <A
-   HREF="http://www.apache.org/bug_report.html"
+   HREF="http://www.apache.org/bug_report"
   >the bug report page</A>.
   Other questions should be directed to the
   <A
@@ -872,9 +873,9 @@
   module.
   This module was distributed with Apache prior to 1.2.
   This module may help track users, and uses cookies to do this. If
-  you are not using the data generated by mod_cookies, do not compile
-  it into Apache. Note that in 1.2 this module was renamed to the
-  more correct name 
+  you are not using the data generated by <SAMP>mod_cookies</SAMP>, do
+  not compile it into Apache. Note that in 1.2 this module was renamed
+  to the more correct name 
   <A
    HREF="../mod/mod_usertrack.html"
   ><SAMP>mod_usertrack</SAMP></A>,
@@ -888,16 +889,21 @@
   <HR>
  </LI>
  <LI><A NAME="cookies2">
-      <STRONG>Why don't my cookies work, I even compiled in mod_cookies?
+      <STRONG>Why don't my cookies work, I even compiled in
+      <SAMP>mod_cookies</SAMP>?
       </STRONG>
      </A>
   <P>
-  Firstly, you do <EM>not</EM> need to compile in mod_cookies in order
-  for your scripts to work (see the <A HREF="#cookies1">previous question</A>
-  for more about mod_cookies). Apache passes on your Set-Cookie header
-  fine, with or without this module. If cookies do not work it will
-  be because your script does not work properly or your browser does
-  not use cookies or is not set-up to accept them.
+  Firstly, you do <EM>not</EM> need to compile in
+  <SAMP>mod_cookies</SAMP> in order for your scripts to work (see the
+  <A
+   HREF="#cookies1"
+  >previous question</A>
+  for more about <SAMP>mod_cookies</SAMP>). Apache passes on your
+  <SAMP>Set-Cookie</SAMP> header fine, with or without this module. If
+  cookies do not work it will be because your script does not work
+  properly or your browser does not use cookies or is not set-up to
+  accept them.
   </P>
   <HR>
  </LI>
@@ -1089,6 +1095,50 @@
   </P>
   <HR>
  </LI>
+ <LI><A NAME="dnsauth">
+      <STRONG>Why isn't restricting access by host or domain name
+      working correctly?</STRONG>
+     </A>
+  <P>
+  Two of the most common causes of this are:
+  </P>
+  <OL>
+   <LI><STRONG>An error, inconsistency, or unexpected mapping in the DNS
+    registration</STRONG>
+    <BR>
+    This happens frequently: your configuration restricts access to
+    <SAMP>Host.FooBar.Com</SAMP>, but you can't get in from that host.
+    The usual reason for this is that <SAMP>Host.FooBar.Com</SAMP> is
+    actually an alias for another name, and when Apache performs the
+    address-to-name lookup it's getting the <EM>real</EM> name, not
+    <SAMP>Host.FooBar.Com</SAMP>.  You can verify this by checking the
+    reverse lookup yourself.  The easiest way to work around it is to
+    specify the correct host name in your configuration.
+   </LI>
+   <LI><STRONG>Inadequate checking and verification in your
+    configuration of Apache</STRONG>
+    <BR>
+    If you intend to perform access checking and restriction based upon
+    the client's host or domain name, you really need to configure
+    Apache to double-check the origin information it's supplied.  You do
+    this by adding the <SAMP>-DMAXIMUM_DNS</SAMP> clause to the
+    <SAMP>EXTRA_CFLAGS</SAMP> definition in your
+    <SAMP>Configuration</SAMP> file.  For example:
+    <DL>
+     <DD><CODE>EXTRA_CFLAGS=-DMAXIMUM_DNS</CODE>
+     </DD>
+    </DL>
+    <P>
+    This will cause Apache to be very paranoid about making sure a
+    particular host address is <EM>really</EM> assigned to the name it
+    claims to be.  Note that this <EM>can</EM> incur a significant
+    performance penalty, however, because of all the name resolution
+    requests being sent to a nameserver.
+    </P>
+   </LI>
+  </OL>
+  <HR>
+ </LI>
  <LI><A NAME="SSL-i">
       <STRONG>Why doesn't Apache include SSL?</STRONG>
      </A>
@@ -1097,7 +1147,7 @@
   governments have restrictions upon the import, export, and use of
   encryption technology.  If Apache included SSL in the base package,
   its distribution would involve all sorts of legal and bureaucratic
-  issues., and it would no longer be freely available.  Also, some of
+  issues, and it would no longer be freely available.  Also, some of
   the technology required to talk to current clients using SSL is 
   patented by <A HREF="http://www.rsa.com/">RSA Data Security</A>, 
   who restricts its use without a license.