Received: (qmail 26307 invoked by uid 2012); 8 Dec 1997 23:26:43 -0000 Message-Id: <19971208232643.26306.qmail@hyperreal.org> Date: 8 Dec 1997 23:26:43 -0000 From: Samuli "Kärkkäinen" Reply-To: sak@iki.fi To: apbugs@hyperreal.org Subject: 'allow from' only allows access when given ip addresses, subnet arguments (a.b.c.d/x) refuse access X-Send-Pr-Version: 3.2 >Number: 1534 >Category: mod_access >Synopsis: 'allow from' only allows access when given ip addresses, subnet arguments (a.b.c.d/x) refuse access >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: closed >Class: doc-bug >Submitter-Id: apache >Arrival-Date: Mon Dec 8 15:30:00 PST 1997 >Last-Modified: Sat Dec 13 17:08:14 PST 1997 >Originator: sak@iki.fi >Organization: >Release: 1.2.4 >Environment: Linux 2.0.32, intel pentium, apache-1.2.4-5.i386.rpm >Description: My domain is using the so called "reverse kludge" for reverse DNS. I believe this is causing 'allow from' directive to accept only some forms of defining client address. Full configuration can be seen at http://www.kelloseppakoulu.fi:8888/. That URL maps to the configuration directory of that server. The configuration is very close to the example configuration that comes with apache distribution. With that configuration access is allowed from everywhere, as it should. The following discussion applies to our domain (which, as mentioned, uses reverse kludge for reverse DNS). If I replace 'allow from all' with allow from 194.100.26.178 which is the address of my computer in that LAN, I am correctly given access. If I replace it with allow from 194.100.26.128/26 or allow from kelloseppakoulu.fi or allow from .fi all of which should grant access to all hosts in our domain, no host in our domain is given access. If I try access the server from other domains (which do not use reverse DNS kludge), following applies. If I replace 'allow from all' with allow from 0.0.0.0/0 or allow from a.b.c.d/16 and access the server from a.b.x.y, I am not given access although I should, and if I replace 'allow from all' with allow from .hut.fi and access the server from alpha.hut.fi, I am given access as I should. >How-To-Repeat: - >Fix: >Audit-Trail: State-Changed-From-To: open-analyzed State-Changed-By: dgaudet State-Changed-When: Mon Dec 8 15:39:11 PST 1997 State-Changed-Why: a.b.c.d/n is a 1.3 feature, it doesn't work in 1.2. The documentation on our website is for 1.3. It should mention this difference, sorry. Dean Class-Changed-From-To: sw-bug-doc-bug Class-Changed-By: dgaudet Class-Changed-When: Mon Dec 8 15:39:11 PST 1997 Severity-Changed-From-To: serious-non-critical Severity-Changed-By: dgaudet Severity-Changed-When: Mon Dec 8 15:39:11 PST 1997 Category-Changed-From-To: mod_auth-any-mod_access Category-Changed-By: dgaudet Category-Changed-When: Mon Dec 8 15:39:11 PST 1997 From: Marc Slemko To: Samuli Kärkkäinen Cc: apbugs@hyperreal.org Subject: Re: mod_auth-any/1534: 'allow from' only allows access when given ip addresses, subnet arguments (a.b.c.d/x) refuse access Date: Wed, 10 Dec 1997 20:47:15 -0700 (MST) On 8 Dec 1997, Samuli K=E4rkk=E4inen wrote: > >Description: > My domain is using the so called "reverse kludge" for reverse DNS. I beli= eve > this is causing 'allow from' directive to accept only some forms of defin= ing > client address. Full configuration can be seen at > http://www.kelloseppakoulu.fi:8888/. That URL maps to the configuration > directory of that server. The configuration is very close to the > example configuration that comes with apache distribution. With that > configuration access is allowed from everywhere, as it should. >=20 > The following discussion applies to our domain (which, as mentioned, uses > reverse kludge for reverse DNS). If I replace 'allow from all' with > allow from 194.100.26.178 > which is the address of my computer in that LAN, I am correctly given acc= ess. > If I replace it with > allow from 194.100.26.128/26 > or > allow from kelloseppakoulu.fi > or > allow from .fi > all of which should grant access to all hosts in our domain, no host in o= ur > domain is given access. In addition to what Dean said about the / notation not being implemented in 1.2, the reason why kelloseppakoulu.fi doesn't work is probably because your machines aren't configured to return full hostnames. If you try to access the web server from a machine that should be allowed access, what is recorded in the access log for the hostname? If it is an IP, then you either don't have Apache setup to do name lookups or you don't have proper reverse. If it is a hostname without domain, then you have an /etc/hosts file or NIS setup that is being used instead of DNS. From: Samuli K{rkk{inen To: Marc Slemko Cc: apbugs@hyperreal.org Subject: Re: mod_auth-any/1534: 'allow from' only allows access when given ip addresses, subnet arguments (a.b.c.d/x) refuse access Date: Fri, 12 Dec 1997 14:16:07 +0200 (EET) > > >Description: > > My domain is using the so called "reverse kludge" for reverse DNS. I believe > > this is causing 'allow from' directive to accept only some forms of defining > > client address. Full configuration can be seen at > > http://www.kelloseppakoulu.fi:8888/. That URL maps to the configuration > > directory of that server. The configuration is very close to the > > example configuration that comes with apache distribution. With that > > configuration access is allowed from everywhere, as it should. > > > > The following discussion applies to our domain (which, as mentioned, uses > > reverse kludge for reverse DNS). If I replace 'allow from all' with > > allow from 194.100.26.178 > > which is the address of my computer in that LAN, I am correctly given access. > > If I replace it with > > allow from 194.100.26.128/26 > > or > > allow from kelloseppakoulu.fi > > or > > allow from .fi > > all of which should grant access to all hosts in our domain, no host in our > > domain is given access. > > In addition to what Dean said about the / notation not being implemented > in 1.2, the reason why kelloseppakoulu.fi doesn't work is probably because > your machines aren't configured to return full hostnames. > > If you try to access the web server from a machine that should be allowed > access, what is recorded in the access log for the hostname? If it is an > IP, then you either don't have Apache setup to do name lookups or you > don't have proper reverse. If it is a hostname without domain, then you > have an /etc/hosts file or NIS setup that is being used instead of DNS. We are using DNS. /etc/hosts has only localhost. We don't have proper reverse. That's because the resolver we are using, the one that is in Linux libc-5.3.12, doesn't handle the reverse kludge correctly, and under most circumstanes can't resolve the reverse addresses. So that's why 'allow from kelloseppakoulu.fi' doesn't work, obviously. 'allow from 194.100.26.178' works as mentioned, and 'allow from x.y.z.w/n' syntax doesn't exist. I'm assuming 'allow from x.y.x.w/255.255.255.0' type syntax doesn't exist either - at least it doesn't work for me in our domain (always denies access). Btw, if someone can tell me how to compile the resolver to work with the reverse kludge, I'd be grateful. -- Samuli Kärkkäinen - http://www.iki.fi/~sak - PGP 512/3FDD5441 State-Changed-From-To: analyzed-closed State-Changed-By: dgaudet State-Changed-When: Sat Dec 13 17:08:14 PST 1997 State-Changed-Why: The mod_access documentation has been updated to indicate that the a.b.c.d/x syntaxes only work in 1.3 and later. As for the resolving problems, you should probably try asking in a linux specific mailing list or newsgroups. Thanks for using Apache. Dean >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ]