Hello Apache devs,

Would anyone have an opinion, please?

Although I can just commit the proposed changes, a formal go would be nice.

On Sun, 20 Dec 2015, Fabien wrote:

Date: Sun, 20 Dec 2015 09:44:55 +0100 (CET)
From: Fabien <fab...@apache.org>
Reply-To: dev@httpd.apache.org
To: APACHE development mailing list <dev@httpd.apache.org>
Subject: access control for dynamic hosts


Hello folks,

I have a simple access control use case for which I have not found a clean solution.

I want to control access to a service based on the name of the client, however the client is a dynamic host, which implies that:

(1) I do not have any control over the reverse DNS
    => this rules out "Require host"

(2) the IP may change arbitrarily
    => this rules out "Require ip"

By browsing around it seems that I'm not alone having this issue, and I have not found any solution for that with apache configuration, nor a matching module in "modules.apache.org" listing.

The current workaround is to update the IP manually when it fails. Although I could automate (say query the ip periodically and update & reload the conf if there is a change), ISTM that it really belongs to apache configuration.

I would like something like "Require XXX foo.dynamic-dns.somewhere" (where XXX could be "name", "hostname", "dynamic", ...) which would query the NS when the HTTP request is received and check that the corresponding ip is the client IP.

I'm planning to develop a small module for that, and as it is somehow quite a basic service it could be a candidate for being added to "modules/aaa/mod_authz_host.c".

Another approach could be to extend apache expressions with a function
to query the DNS, but that seems a little overkill.

Any thoughts?



--
Fabien.
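
The check proposed in the message above (resolve the configured name when the request arrives and allow only if an answer equals the client IP), as an added C example that is not part of the original e-mail or of httpd. The names `forward_dns_allows` and `parse_ip` are hypothetical, and the code assumes the plain POSIX resolver rather than APR.

```c
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Parse a textual client IP into family + raw bytes. IPv4-mapped IPv6
 * (::ffff:a.b.c.d) is folded to IPv4 so a dual-stack listener still
 * compares equal to an A record. */
static int parse_ip(const char *text, int *family, unsigned char out[16])
{
    struct in6_addr a6;
    if (inet_pton(AF_INET, text, out) == 1) { *family = AF_INET; return 1; }
    if (inet_pton(AF_INET6, text, &a6) != 1) return 0;
    if (IN6_IS_ADDR_V4MAPPED(&a6)) {
        memcpy(out, a6.s6_addr + 12, 4);
        *family = AF_INET;
    } else {
        memcpy(out, a6.s6_addr, 16);
        *family = AF_INET6;
    }
    return 1;
}

/* Return 1 only if `name` currently resolves to `client_ip`.
 * Any parse or resolver failure denies (fail closed). The decision is
 * only as trustworthy as the resolver path that produced the answer. */
int forward_dns_allows(const char *name, const char *client_ip)
{
    unsigned char want[16];
    int family, ok = 0;
    struct addrinfo hints, *res, *ai;

    if (!parse_ip(client_ip, &family, want)) return 0;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = family;         /* ask only for the client's family */
    hints.ai_socktype = SOCK_STREAM;  /* one entry per address, no duplicates */
    if (getaddrinfo(name, NULL, &hints, &res) != 0) return 0;

    /* A dynamic name may carry several records: check every one. */
    for (ai = res; ai != NULL && !ok; ai = ai->ai_next) {
        if (ai->ai_family == AF_INET)
            ok = memcmp(&((struct sockaddr_in *)ai->ai_addr)->sin_addr, want, 4) == 0;
        else if (ai->ai_family == AF_INET6)
            ok = memcmp(&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr, want, 16) == 0;
    }
    freeaddrinfo(res);
    return ok;
}
```

A lookup on every request adds resolver latency to the request path, so a real module would want a short-lived cache bounded by the record's TTL.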
