From 388a38d03c8db6141bf6b494d3e912d3afc0e7ab Mon Sep 17 00:00:00 2001 From: Joshua Slive Date: Thu, 31 Jul 2003 18:56:40 +0000 Subject: [PATCH] As suggested by Marc Slemko, document the double reverse effect of Allow/Deny. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100878 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_authz_host.html.en | 14 +++++++++----- docs/manual/mod/mod_authz_host.xml | 16 ++++++++++------ 2 files changed, 19 insertions(+), 11 deletions(-) diff --git a/docs/manual/mod/mod_authz_host.html.en b/docs/manual/mod/mod_authz_host.html.en index d032a35ef2..da9ac2e7ce 100644 --- a/docs/manual/mod/mod_authz_host.html.en +++ b/docs/manual/mod/mod_authz_host.html.en @@ -106,11 +106,15 @@ server

Hosts whose names match, or end in, this string are allowed access. Only complete components are matched, so the above - example will match foo.apache.org but it will - not match fooapache.org. This configuration will - cause the server to perform a reverse DNS lookup on the - client IP address, regardless of the setting of the HostnameLookups - directive.

+ example will match foo.apache.org but it will not + match fooapache.org. This configuration will cause + Apache to perform a double reverse DNS lookup on the client IP + address, regardless of the setting of the HostnameLookups directive. It will do + a reverse DNS lookup on the IP address to find the associated + hostname, and then do a forward lookup on the hostname to assure + that it matches the original IP address. Only if the forward + and reverse DNS are consistent and the hostname matches will + access be allowed.

A full IP address
diff --git a/docs/manual/mod/mod_authz_host.xml b/docs/manual/mod/mod_authz_host.xml index 51069dde4d..9979548647 100644 --- a/docs/manual/mod/mod_authz_host.xml +++ b/docs/manual/mod/mod_authz_host.xml @@ -82,12 +82,16 @@ server

Hosts whose names match, or end in, this string are allowed access. Only complete components are matched, so the above - example will match foo.apache.org but it will - not match fooapache.org. This configuration will - cause the server to perform a reverse DNS lookup on the - client IP address, regardless of the setting of the HostnameLookups - directive.

+ example will match foo.apache.org but it will not + match fooapache.org. This configuration will cause + Apache to perform a double reverse DNS lookup on the client IP + address, regardless of the setting of the HostnameLookups directive. It will do + a reverse DNS lookup on the IP address to find the associated + hostname, and then do a forward lookup on the hostname to assure + that it matches the original IP address. Only if the forward + and reverse DNS are consistent and the hostname matches will + access be allowed.

A full IP address
-- 2.50.1
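Review bot: In the docs/manual/mod/mod_authz_host.html.en hunk, the new closing sentence, "Only if the forward and reverse DNS are consistent and the hostname matches will access be allowed", covers only the Allow outcome, although the subject line says the change documents the effect for Allow/Deny. The paragraph should also say what a Deny rule with a hostname does when the forward and reverse lookups disagree or a lookup fails. An administrator relying on a hostname-based Deny needs to know whether a client with inconsistent DNS is treated as matching the rule or not. One added sentence after the quoted one would be enough.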
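Review bot: In the docs/manual/mod/mod_authz_host.xml hunk, "do a forward lookup on the hostname to assure that it matches the original IP address" should read "to ensure that it matches", since the lookup is a check, not a reassurance. The term "double reverse DNS lookup" is also used before it is explained. Consider rewording so the two steps (reverse lookup on the IP, then forward lookup on the resulting hostname) are introduced as its definition. The identical paragraph in mod_authz_host.html.en needs the same wording change so the two files stay in sync.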