
Apache Web Server Forum

    
Apache DNS lookups
on one directory?
lorax




msg:4573698
 8:37 pm on May 13, 2013 (gmt 0)

I'd like to lock down a directory for my users. Is it possible to use DNS Lookups for a single directory but not for all directories?

 

phranque




msg:4573719
 9:05 pm on May 13, 2013 (gmt 0)

I don't understand your question.
DNS lookups typically occur when a client program needs to resolve the IP address of a hostname, so before the path itself comes into play.

lorax




msg:4573803
 12:48 am on May 14, 2013 (gmt 0)

Sorry phranque, my bad. I meant reverse lookup. And I'm on the edge of my knowledge here too...

brotherhood of LAN




msg:4573877
 2:57 am on May 14, 2013 (gmt 0)

It looks like you can indeed set up Apache to only do host lookups on a directory level.

[httpd.apache.org...]

(There's an anchor in that link that may break in the redirect script)

phranque




msg:4573898
 5:15 am on May 14, 2013 (gmt 0)

regarding the HostNameLookups directive it would be easiest to do this in your server config file using a <Directory> container.
it's possible in .htaccess but only by using a <Files> container which means you need to put the .htaccess file containing this IN the directory in question.

however i think the HostNameLookups directive only affects hostname logging.


i think what you really need is Apache Module mod_authz_host:
http://httpd.apache.org/docs/current/mod/mod_authz_host.html

this module uses the Require directive and if you do something like Require host example.com it "will cause Apache to perform a double reverse DNS lookup on the client IP address, regardless of the setting of the HostnameLookups directive."
this is expensive in terms of latency so only do this where required.
therefore you'll probably still want/need to configure this in a similar context/container as i described above.

lorax




msg:4574031
 11:56 am on May 14, 2013 (gmt 0)

Thanks guys.

Re: latency, I'm planning on using this on WP Admin directories only. I don't want to impact the public side of the sites. So just having that module loaded doesn't necessarily slow the webserver down. It's only when it's called that causes latency?

phranque




msg:4574041
 12:10 pm on May 14, 2013 (gmt 0)

yes - as i understand it only contexts/containers with the "Require host" directive would be affected by the double reverse DNS lookup.

lorax




msg:4574456
 5:15 pm on May 15, 2013 (gmt 0)

Thanks phranque.

Reading through the Apache documentation I came across this how to on Access Control by Host: [httpd.apache.org...]

I'm not clear on how to use it. Does the Require directive perform a Deny All but the host name or IP given?

Require host address
Require ip ip.address


Would this block mobile devices if I specified the host and ip?

lucy24




msg:4574494
 7:46 pm on May 15, 2013 (gmt 0)

Would this block mobile devices if I specified the host and ip?

Do you mean mobiles as such? No, not unless you also had something about user-agent in there. Otherwise it would depend on whether the mobile is connecting through an ordinary ISP, or via a cell-phone service. I don't think there's any way to tell whether a connection is through WiFi or through a physical line, except indirectly by looking at the UA.

There's a whole family of authz modules. mod_authz_host is only one of them.

The "Require" directive can be used with environmental variables. And since mod_setenvif can look at just about any aspect of the request, this in turn means you can set just about any rules you like. So work from the other end: First decide exactly what you want to do and put it in plain English. Once you've got that far, translating it into apache should be trivial.

And incidentally, what are we doing here? Isn't this an Apache question?

phranque




msg:4574540
 10:15 pm on May 15, 2013 (gmt 0)

Would this block mobile devices if I specified the host and ip?


not necessarily.
Require host and Require ip both start with the IP address from which the HTTP Request originated.
if you specified Require not host and/or Require not ip and that host or IP address happens to be a mobile service provider, then yes you can use that to block some mobile devices that happen to get their internet access through their mobile service provider.
however you cannot use Require host or Require ip to block a mobile device that happens to be accessing that not-specifically-mobile-service-provider through wifi, for example.

decide exactly what you want to do and put it in plain English

what she said...

lorax




msg:4575058
 5:26 pm on May 17, 2013 (gmt 0)

And incidentally, what are we doing here? Isn't this an Apache question?

Yes by gawd it is. My bad.

Desired goal is this. I want to block everyone but users of one IP address from getting to the WordPress login page and admin directory. From desktops or mobile devices - no one else allowed but I don't want to have to answer uname/pwd twice.

lucy24




msg:4575095
 8:22 pm on May 17, 2013 (gmt 0)

There are times when it's appropriate to have more than one htaccess file, and this may be one of those times. If it's your own server the question doesn't arise because you can make the appropriate <Directory> envelope.

Rock-bottom easiest version:

Put an htaccess file in the directory you want to protect. It only needs three lines.

Order Deny,Allow
Deny from all
Allow from aa.bb.cc.dd

For individual files, you can do the same thing in a <Files> envelope.

You shouldn't need to do any kind of lookup. Just give the numerical IP address.

Oh, and as long as you're there: change the names of your protected files and directories to something robots won't easily guess. Scan your logs for long blocks of 404s and you can see what they usually try. (I get them periodically myself-- and I don't even use WordPress!)
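
An added example, not part of any post in this thread: the Apache 2.4 (mod_authz_host) form of the "one IP only" rule for the WordPress admin directory and login page, set in the server config, with the 2.2 lines from the post above kept for comparison. The document root /var/www/example, the hostname office.example.com and the address 203.0.113.10 are placeholders.

```apache
# Constructed example: paths, hostname and IP address are placeholders.

# Apache 2.4, server or virtual-host config.
# A lone Require denies every client that does not match it.
<Directory "/var/www/example/wp-admin">
    Require ip 203.0.113.10

    # Many themes and plugins call admin-ajax.php from public pages.
    # A <Files> section is merged after <Directory>, so this reopens
    # that one file; drop it if the site does not need front-end AJAX.
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</Directory>

# wp-login.php lives in the WordPress root, not in wp-admin,
# so it needs its own rule.
<Directory "/var/www/example">
    <Files "wp-login.php">
        Require ip 203.0.113.10
    </Files>
</Directory>

# Hostname-based variant. "Require host" makes Apache do the double
# reverse DNS lookup, but only for requests that reach this container,
# so the public side of the site is not slowed down.
# <Directory "/var/www/example/wp-admin">
#     Require host office.example.com
# </Directory>

# Apache 2.2 equivalent of the first rule (the three lines from the post).
# On 2.4 these still work through mod_access_compat, but should not be
# mixed with Require in the same configuration.
# <Directory "/var/www/example/wp-admin">
#     Order Deny,Allow
#     Deny from all
#     Allow from 203.0.113.10
# </Directory>
```

Run `apachectl configtest` after editing; in an .htaccess file the `Require` lines need `AllowOverride AuthConfig` on the enclosing directory, and the `<Directory>` wrappers are dropped.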

lorax




msg:4575275
 3:18 pm on May 18, 2013 (gmt 0)

Thanks. That works for desktops but as I understand it, won't work for mobile devices. They don't use IP addresses.

lucy24




msg:4575306
 6:33 pm on May 18, 2013 (gmt 0)

Say what now?

phranque




msg:4575363
 12:22 am on May 19, 2013 (gmt 0)

every request from any web-enabled device will originate from an IP address.

lorax




msg:4575836
 5:44 pm on May 20, 2013 (gmt 0)

Had to go reread the resource that led me to that statement.

It is correct, mobile devices don't use IP addresses but they will leave an IP footprint because the carrier that gives them access to the INet will connect with an IP. Which is the part I must have skipped over. Thanks for making me reread it.

phranque




msg:4575878
 8:40 pm on May 20, 2013 (gmt 0)

that's not much different from your desktop computer at home.
the modem gets assigned an IP address by your ISP and the computer makes requests through that IP address.
a mobile device might access the web through the same wifi/router/modem as your desktop or it might get assigned an IP through the wireless service provider, depending on your internet access settings on that device.

lorax




msg:4575923
 11:19 pm on May 20, 2013 (gmt 0)

Right. But when I read it I only paid attention to the "mobile devices have no IP" portion and had a moment of "how do I block them?" Now I know better.

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved