Apache DNS lookups

on one directory?

   
8:37 pm on May 13, 2013 (gmt 0)

lorax (WebmasterWorld Senior Member)



I'd like to lock down a directory for my users. Is it possible to use DNS Lookups for a single directory but not for all directories?
9:05 pm on May 13, 2013 (gmt 0)

phranque (WebmasterWorld Administrator)



I don't understand your question.
DNS lookups typically occur when a client program needs to resolve the IP address of a hostname, so before the path itself comes into play.
12:48 am on May 14, 2013 (gmt 0)

lorax (WebmasterWorld Senior Member)



Sorry phranque, my bad. I meant reverse lookup. And I'm on the edge of my knowledge here too...
2:57 am on May 14, 2013 (gmt 0)

brotherhood_of_lan (WebmasterWorld Administrator)



It looks like you can indeed set up Apache to only do host lookups on a directory level.

[httpd.apache.org...]

(There's an anchor in that link that may break in the redirect script)
5:15 am on May 14, 2013 (gmt 0)

phranque (WebmasterWorld Administrator)



regarding the HostNameLookups directive it would be easiest to do this in your server config file using a <Directory> container.
it's possible in .htaccess but only by using a <Files> container which means you need to put the .htaccess file containing this IN the directory in question.

however i think the HostNameLookups directive only affects hostname logging.


i think what you really need is Apache Module mod_authz_host:
http://httpd.apache.org/docs/current/mod/mod_authz_host.html

this module uses the Require directive and if you do something like Require host example.com it "will cause Apache to perform a double reverse DNS lookup on the client IP address, regardless of the setting of the HostnameLookups directive."
this is expensive in terms of latency so only do this where required.
therefore you'll probably still want/need to configure this in a similar context/container as i described above.
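
The double reverse DNS lookup quoted above, sketched in Python as an added example (not code from this thread or from Apache): the client IP is resolved to a name, and the name must resolve back to the same IP before a hostname match counts. The resolver hooks, the `check` helper and the zone tables are constructed for illustration.

```python
import ipaddress
import socket

def system_reverse(ip):
    """PTR lookup through the system resolver; hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """A/AAAA lookup through the system resolver; set of address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def host_matches(name, required):
    """Whole-label suffix match: foo.example.org fits example.org, fooexample.org does not."""
    name, required = name.rstrip(".").lower(), required.strip(".").lower()
    return name == required or name.endswith("." + required)

def require_host(client_ip, required, reverse=system_reverse, forward=system_forward):
    """True only if the PTR name matches AND resolves back to client_ip."""
    name = reverse(client_ip)                  # lookup 1: IP -> name
    if not name or not host_matches(name, required):
        return False
    client = ipaddress.ip_address(client_ip)
    for addr in forward(name):                 # lookup 2: name -> IPs
        try:
            if ipaddress.ip_address(addr) == client:
                return True
        except ValueError:                     # skip anything that is not a plain address
            continue
    return False                               # PTR claim not confirmed by forward DNS

# Constructed sample zone data (documentation address ranges), not real records.
PTR = {"192.0.2.10": "office.example.org",
       "198.51.100.7": "office.example.org",   # PTR is set by whoever owns this IP
       "203.0.113.5": "host.fooexample.org"}
A = {"office.example.org": {"192.0.2.10"}, "host.fooexample.org": {"203.0.113.5"}}

def check(ip):
    """Run require_host against the constructed tables instead of live DNS."""
    return require_host(ip, "example.org", PTR.get, lambda n: A.get(n, set()))

if __name__ == "__main__":
    for ip in PTR:
        print(ip, "allowed" if check(ip) else "denied")
```

Each checked request costs two resolver round trips, which is the latency cost mentioned above; the forward confirmation is what keeps a PTR record alone from satisfying the hostname rule.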
11:56 am on May 14, 2013 (gmt 0)

lorax (WebmasterWorld Senior Member)



Thanks guys.

Re: latency, I'm planning on using this on WP Admin directories only. I don't want to impact the public side of the sites. So just having that module loaded doesn't necessarily slow the webserver down. It's only when it's called that causes latency?
12:10 pm on May 14, 2013 (gmt 0)

phranque (WebmasterWorld Administrator)



yes - as i understand it only contexts/containers with the "Require host" directive would be affected by the double reverse DNS lookup.
5:15 pm on May 15, 2013 (gmt 0)

lorax (WebmasterWorld Senior Member)



Thanks phranque.

Reading through the Apache documentation I came across this how to on Access Control by Host: [httpd.apache.org...]

I'm not clear on how to use it. Does the Require directive perform a Deny All but the host name or IP given?

Require host address
Require ip ip.address


Would this block mobile devices if I specified the host and ip?
7:46 pm on May 15, 2013 (gmt 0)

lucy24 (WebmasterWorld Senior Member)



> Would this block mobile devices if I specified the host and ip?

Do you mean mobiles as such? No, not unless you also had something about user-agent in there. Otherwise it would depend on whether the mobile is connecting through an ordinary ISP, or via a cell-phone service. I don't think there's any way to tell whether a connection is through WiFi or through a physical line, except indirectly by looking at the UA.

There's a whole family of authz modules. mod_authz_host is only one of them.

The "Require" directive can be used with environmental variables. And since mod_setenvif can look at just about any aspect of the request, this in turn means you can set just about any rules you like. So work from the other end: First decide exactly what you want to do and put it in plain English. Once you've got that far, translating it into apache should be trivial.

And incidentally, what are we doing here? Isn't this an Apache question?
10:15 pm on May 15, 2013 (gmt 0)

phranque (WebmasterWorld Administrator)



> Would this block mobile devices if I specified the host and ip?


not necessarily.
Require host and Require ip both start with the IP address from which the HTTP Request originated.
if you specified Require not host and/or Require not ip and that host or IP address happens to be a mobile service provider, then yes you can use that to block some mobile devices that happen to get their internet access through their mobile service provider.
however you cannot use Require host or Require ip to block a mobile device that happens to be accessing that not-specifically-mobile-service-provider through wifi, for example.

> decide exactly what you want to do and put it in plain English

what she said...
5:26 pm on May 17, 2013 (gmt 0)

lorax (WebmasterWorld Senior Member)



> And incidentally, what are we doing here? Isn't this an Apache question?

Yes by gawd it is. My bad.

Desired goal is this. I want to block everyone but users of one IP address from getting to the WordPress login page and admin directory. From desktops or mobile devices - no one else allowed but I don't want to have to answer uname/pwd twice.
8:22 pm on May 17, 2013 (gmt 0)

lucy24 (WebmasterWorld Senior Member)



There are times when it's appropriate to have more than one htaccess file, and this may be one of those times. If it's your own server the question doesn't arise because you can make the appropriate <Directory> envelope.

Rock-bottom easiest version:

Put an htaccess file in the directory you want to protect. It only needs three lines.

Order Deny,Allow
Deny from all
Allow from aa.bb.cc.dd

For individual files, you can do the same thing in a <Files> envelope.

You shouldn't need to do any kind of lookup. Just give the numerical IP address.

Oh, and as long as you're there: change the names of your protected files and directories to something robots won't easily guess. Scan your logs for long blocks of 404s and you can see what they usually try. (I get them periodically myself-- and I don't even use WordPress!)
3:18 pm on May 18, 2013 (gmt 0)

lorax (WebmasterWorld Senior Member)



Thanks. That works for desktops but as I understand it, won't work for mobile devices. They don't use IP addresses.
6:33 pm on May 18, 2013 (gmt 0)

lucy24 (WebmasterWorld Senior Member)



Say what now?
12:22 am on May 19, 2013 (gmt 0)

phranque (WebmasterWorld Administrator)



every request from any web-enabled device will originate from an IP address.
5:44 pm on May 20, 2013 (gmt 0)

lorax (WebmasterWorld Senior Member)



Had to go reread the resource that led me to that statement.

It is correct, mobile devices don't use IP addresses but they will leave an IP footprint because the carrier that gives them access to the INet will connect with an IP. Which is the part I must have skipped over. Thanks for making me reread it.
8:40 pm on May 20, 2013 (gmt 0)

phranque (WebmasterWorld Administrator)



that's not much different from your desktop computer at home.
the modem gets assigned an IP address by your ISP and the computer makes requests through that IP address.
a mobile device might access the web through the same wifi/router/modem as your desktop or it might get assigned an IP through the wireless service provider, depending on your internet access settings on that device.
11:19 pm on May 20, 2013 (gmt 0)

lorax (WebmasterWorld Senior Member)



Right. But when I read it I only paid attention to the "mobile devices have no IP" portion and had a moment of "how do I block them?" Now I know better.