
I want to allow access to a folder from a "domain name" instead of IP address in apache. Now, allow from accepts domains as arguments, but I think it also does a reverse DNS lookup to cross check (which is good but too strict for me). Is there a way to configure apache not to do the reverse dns check (for that particular allow from directive).

(Basically, I want to allow access only from my PC, which has a dynamic IP address. I have mapped it to a domain using DynDns - however the reverse lookup of my "dynamic IP" will not resolve to the domain.)

Alternately, if someone can suggest a free service that also configures reverse DNS lookup for my dynamic IP (don't know if it's possible in the first place), that would do the trick as well.

Thanks!

JP

  • Forgive the query, but how do you propose that apache should know what domain the connection comes from *without* doing a reverse-lookup on the address? – MadHatter Oct 20 '10 at 07:26
  • Which OS is your server running on ? – user9517 Oct 20 '10 at 08:53
  • @MadHatter: This is what I thought - if I browse a site, it can detect my IP address (just like whatismyip.com or any website for that matter). Now, I thought that if my Apache directive is say "Allow from mypersonalpc.webhop.net", then apache will do forward lookup on mypersonalpc.webhop.net, and then see if it matches the IP address of the person browsing the site. Am I missing something here? My problem is that forward dns lookup on mypersonalpc.webhop.net resolves to my current IP, but reverse lookup on my IP resolves to my ISP, and not mypersonalpc.webhop.net. –  Oct 20 '10 at 13:25
  • @Iain: I am on Linux. Ubuntu. –  Oct 20 '10 at 13:28
  • Hmm.. looks like I need to learn more. Apparently, the server has access to remote hostname, not remote IP, and then to get IP it does a reverse lookup, right? –  Oct 20 '10 at 13:54
  • No. It has access to IP, and does a reverse-lookup on that to get to hostname. Bryan's answer below explains it better than I do, plus he references apache's own documentation. It's definitive. – MadHatter Oct 20 '10 at 14:16

2 Answers


Short answer is no, as Apache's Allow from must do a reverse and forward DNS lookup:

"This configuration will cause Apache to perform a double reverse DNS lookup on the client IP address, regardless of the setting of the HostnameLookups directive. It will do a reverse DNS lookup on the IP address to find the associated hostname, and then do a forward lookup on the hostname to assure that it matches the original IP address. Only if the forward and reverse DNS are consistent and the hostname matches will access be allowed."

My recommendation would be to put some sort of authentication on that particular directory instead of trying to restrict by hostname.

Bryan White
  • I planned to put authentication also but thought it would make it more secure by using AllowFrom. I have an idea - just like the DynDns update script, I will write a script to upload a .htaccess file to my server every time my personal machine's IP changes. –  Oct 20 '10 at 13:27

Update: If you have an Apache version >= 2.4.19, you can use

Require forward-dns yourhost.example.com

This does not do a reverse lookup. And of course, it then requires full host names. See Apache's docs on "Require forward-dns" for details.

For older Apache versions:

Normally, you cannot use Allow From with dynamic hosts (for which the reverse DNS generally points to your ISP). But I wanted that anyway for some pages which were not worth protecting with authentication. So this is my workaround.

My server is configured to first use the /etc/hosts file before DNS. This is done by adding order hosts,bind to /etc/host.conf:

# cat /etc/host.conf 
order hosts,bind
multi on

I have a cron job updating the hosts file every 15 minutes with my current dynamic external IPs. In my case, I have my own subdomain on my own DNS, and want to update several hosts. The update script I call from cron is:

#!/bin/sh
## Update /etc/hosts with our dynamic hosts

# dig ends the domain name with a dot, so we need it
domain=dyn.example.com.

die() {
    echo "$1" 1>&2
    exit 1
}

tmpfile=$(mktemp "/tmp/hosts.XXXXX") || die "Cannot create temp file"
cp -a /etc/hosts "$tmpfile" || die "Cannot copy /etc/hosts to $tmpfile"

# Drop every existing line for a host under $domain (the trailing dot keeps
# the match anchored to this domain's entries only)
perl -i -ne "print unless /\Q$domain\E\s/" "$tmpfile" || die "Cannot remove $domain from $tmpfile"

# Pull the zone and append one "IP hostname" line per A record.
# Note: only perl's exit status reaches '||', so a dig failure (e.g. AXFR
# refused) yields an empty result rather than an error.
dig -t AXFR "$domain" | \
  perl -lne '/^(\S+)\s+\d+\s+IN\s+A\s+(\S+)/ && print "$2 $1"' >> "$tmpfile" \
  || die "Cannot add $domain entries to $tmpfile"

mv "$tmpfile" /etc/hosts || die "Error cannot mv $tmpfile to /etc/hosts"

If you have a single host to update, your script can be much simpler than that.

mivk
  • dig -t AXFR rarely works. Better use -t ANY or -t A and -t AAAA. AXFR is a zone transfer, which should not be allowed – Geeklab Mar 30 '15 at 07:57
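To make the difference between the two checks concrete, here is an added example (not code from either answer, and not Apache's own implementation) that simulates in Python what Bryan's quoted paragraph describes for Allow from, what mivk's Require forward-dns does instead, and why the /etc/hosts workaround makes the double lookup pass. Every IP, hostname and record in it is a constructed placeholder, and the "resolver" is a dictionary rather than the system resolver, so it runs offline:

```python
# Added example (not from either Server Fault answer): a small offline
# simulation of the two host checks discussed on this page. Apache calls the
# system resolver; here lookups are dict reads over constructed sample data.

# Constructed sample records. 203.0.113.7 stands in for the dynamic client IP,
# mypc.dyn.example.com for the DynDNS name, and the isp.example.net name for
# the generic PTR an ISP hands out. All of these are placeholders.
DNS_A = {
    "mypc.dyn.example.com.": "203.0.113.7",              # DynDNS forward record
    "cust-203-0-113-7.isp.example.net.": "203.0.113.7",  # ISP's generic name
}
DNS_PTR = {
    "203.0.113.7": "cust-203-0-113-7.isp.example.net.",  # reverse points at the ISP
    "198.51.100.9": "mypc.dyn.example.com.",             # a host claiming our name via PTR
}


def fqdn(name):
    """Normalise to the trailing-dot form dig uses (as the page's script notes)."""
    return name if name.endswith(".") else name + "."


class Resolver:
    """Forward (A) and reverse (PTR) lookups. Entries in `hosts` are consulted
    before the DNS tables, mirroring 'order hosts,bind' in /etc/host.conf."""

    def __init__(self, a_records, ptr_records, hosts=None):
        self.a = dict(a_records)
        self.ptr = dict(ptr_records)
        self.hosts = {fqdn(n): ip for n, ip in (hosts or {}).items()}

    def forward(self, name):
        name = fqdn(name)
        return self.hosts.get(name, self.a.get(name))

    def reverse(self, ip):
        for name, addr in self.hosts.items():
            if addr == ip:
                return name
        return self.ptr.get(ip)


def name_in_domain(name, domain):
    """'Allow from dyn.example.com' matches dyn.example.com itself and any name
    ending in '.dyn.example.com' (whole components only)."""
    name, domain = fqdn(name), fqdn(domain)
    return name == domain or name.endswith("." + domain)


def double_reverse_allowed(resolver, client_ip, allowed_domain):
    """'Allow from <domain>' as the httpd docs quoted above describe it:
    PTR on the client IP, then A on that name; the name must resolve back to the
    same IP (otherwise a client controlling its own PTR could claim any name)
    and must fall under the allowed domain."""
    name = resolver.reverse(client_ip)
    if name is None:
        return False
    if resolver.forward(name) != client_ip:
        return False
    return name_in_domain(name, allowed_domain)


def forward_dns_allowed(resolver, client_ip, required_host):
    """'Require forward-dns <host>' (httpd >= 2.4.19): only a forward lookup of
    the configured name, compared with the client IP; no PTR is consulted."""
    return resolver.forward(required_host) == client_ip


def demo():
    """Returns (allow_from_plain, forward_dns, allow_from_with_hosts, spoofed_ptr)."""
    plain = Resolver(DNS_A, DNS_PTR)
    # 1. Stock resolver: PTR names the ISP, so 'Allow from dyn.example.com' refuses.
    allow_from_plain = double_reverse_allowed(plain, "203.0.113.7", "dyn.example.com")
    # 2. 'Require forward-dns mypc.dyn.example.com' passes; the PTR never matters.
    forward_dns = forward_dns_allowed(plain, "203.0.113.7", "mypc.dyn.example.com")
    # 3. The /etc/hosts workaround: a hosts line read before DNS makes the
    #    reverse lookup return the DynDNS name, so the double check now passes.
    with_hosts = Resolver(DNS_A, DNS_PTR, hosts={"mypc.dyn.example.com": "203.0.113.7"})
    allow_from_with_hosts = double_reverse_allowed(with_hosts, "203.0.113.7", "dyn.example.com")
    # 4. A client whose PTR claims mypc.dyn.example.com but whose IP the name
    #    does not resolve to is still refused: that is what the forward half is for.
    spoofed_ptr = double_reverse_allowed(with_hosts, "198.51.100.9", "dyn.example.com")
    return allow_from_plain, forward_dns, allow_from_with_hosts, spoofed_ptr


if __name__ == "__main__":
    print(demo())  # (False, True, True, False)
```

Case 4 is the reason Apache insists on the forward half of the lookup: a PTR record is under the control of whoever owns the client's address block, so a bare reverse lookup would let any such client present a name under your domain. The hosts-file workaround keeps that protection intact because the name it injects still has to resolve back to the same address.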