On Thu, Apr 30, 2015 at 10:36 AM, Andy Goth <andrew.m.g...@gmail.com> wrote:
> Seems I have a lot of people trying to access my repository who have no
> business doing so:
>
> I'd like to limit access based on the HTTP/1.1 Host: header. If Host:
> isn't un.is-a-geek.com or un.is-a-geek.com. (note final period) then
> just drop the connection.

The HTTP Host header field is the name of the "targeted" server, not the client's host. This field is used to support virtual hosting. Limiting by client host can be accomplished by adding rules to iptables (or whatever your system uses) to only let certain address ranges through to the port.

> A further refinement would be virtual hosting in which different Host:
> values map to different repositories. I don't need this feature, but
> others might.

If you mean traditional Host field based virtual hosting, a lightweight HTTP server, such as lighttpd, can do this, either forwarding to the appropriate Fossil server, or running Fossil in CGI mode. If you mean the client's host, then, I think, rules in iptables can route the request to different ports. This might require installing an optional kernel module.

> If it's not already clear, this particular repository should only be
> accessible to a handful of people. Anonymous access is already
> disabled, but I ought to do SSL to shut out anyone sniffing the network.
> However, the server uses a 350MHz PII with 256MB RAM, so this might be
> tight.

I think stunnel won't overburden your server. (Side note: stunnel supports forwarding connections to an always-running server, but Fossil's documentation only discusses run-on-demand operation with stunnel.)

Have you considered SSH? I realize you might need to have sshd listen on port 80, but that is configurable. The authorized keys files on the server can specify a command to automatically run, or even auto-configure a tunnel. This way, any particular user can be "routed" to the Fossil server for their project.
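Added example, not part of the original thread and not Fossil or lighttpd code: a sketch of the Host-field gate discussed above, as a front end might apply it before forwarding to a Fossil server. The backend address in `VHOSTS` and the sample requests are constructed assumptions; because the Host field is supplied by the client and names the server, this only filters requests that do not name the site and does not identify who is connecting.

```python
"""Host-header gate: route a request by its Host field, or drop it."""

# Constructed virtual-host table; the backend address is an assumption.
VHOSTS = {
    "un.is-a-geek.com": "127.0.0.1:8080",
}


def normalize_host(value):
    """Lower-case, strip an optional :port and the final period of an FQDN."""
    host = value.strip().lower()
    if host.startswith("["):            # IPv6 literal, e.g. [::1]:8080
        return host.split("]", 1)[0] + "]"
    host = host.rsplit(":", 1)[0] if ":" in host else host
    return host[:-1] if host.endswith(".") else host


def route_request(raw):
    """Return the backend for an allowed Host, or None to drop the connection.

    Requests with no Host field, or more than one, are dropped as well.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    hosts = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        # No strip() on the name: "Host :" with a space is not accepted.
        if sep and name.lower() == "host":
            hosts.append(value)
    if len(hosts) != 1:
        return None
    return VHOSTS.get(normalize_host(hosts[0]))


# Constructed sample requests.
SAMPLES = [
    b"GET /timeline HTTP/1.1\r\nHost: un.is-a-geek.com\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: UN.IS-A-GEEK.COM.:80\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: 203.0.113.7\r\n\r\n",
    b"GET / HTTP/1.0\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req.split(b"\r\n")[1:2], "->", route_request(req))
```

Adding further entries to `VHOSTS` gives the per-repository virtual hosting mentioned in the thread, one backend per Host value.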