From: dgaudet <dgaudet@unknown>
Date: Wed, 30 Jul 1997 18:41:47 +0000 (+0000)
Subject: mod_access overhaul.  Network/netmask and CIDR syntax.  Critical path
X-Git-Tag: APACHE_1_3b1~45
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fb2e24c9dcdb3e6a850609fb156f0928940a6464;p=thirdparty%2Fapache%2Fhttpd.git

mod_access overhaul.  Network/netmask and CIDR syntax.  Critical path
speedups.  Forced double-reverse DNS.  Deprecate the "allow from
user-agents" syntax.  "HostnameLookups double" support.

PR:		762, 860
Reviewed by:	Paul Sutton, Marc Slemko (well he liked the double reverse part)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@78820 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/misc/compat_notes.html b/docs/manual/misc/compat_notes.html
index 2791054d21d..4543facc067 100644
--- a/docs/manual/misc/compat_notes.html
+++ b/docs/manual/misc/compat_notes.html
@@ -127,6 +127,11 @@ it added one automatically if the .asis file contained a Location header.
   <a href="../mod/core.html#errordocument"><code>ErrorDocument</code></a>
   instead.
 
+  <LI>Apache (as of 1.3) always performs the equivalent of
+  <CODE>HostnameLookups minimal</CODE>.  <code>minimal</code> is not an
+  option to <a href="../mod/core.html#hostnamelookups"><code>
+  HostnameLookups</code></a>.
+
 </OL>
 
 More to come when we notice them....
diff --git a/docs/manual/mod/core.html b/docs/manual/mod/core.html
index ace33d39c9d..c03d52b9403 100644
--- a/docs/manual/mod/core.html
+++ b/docs/manual/mod/core.html
@@ -575,16 +575,40 @@ considerations.<p><hr>
 
 <h2><A name="hostnamelookups">HostNameLookups directive</A></h2>
 <!--%plaintext &lt;?INDEX {\tt HostNameLookups} directive&gt; -->
-<strong>Syntax:</strong> HostNameLookups <em>boolean</em><br>
-<strong>Default:</strong> <code>HostNameLookups on</code><br>
+<strong>Syntax:</strong> HostNameLookups <em>on | off | double</em><br>
+<strong>Default:</strong> <code>HostNameLookups off</code><br>
 <strong>Context:</strong> server config, virtual host<br>
-<strong>Status:</strong> core<p>
-
-This directive enables DNS lookups so that host names can be logged.
-Having this directive set <code>on</code> also enables the use of names
-in &lt;Limit&gt; blocks for access control.<p>
-
-Heavily loaded sites should set this directive <code>off</code>, since DNS
+<strong>Status:</strong> core<br>
+<strong>Compatibility:</strong> <code>double</code> available only in Apache
+1.3 and above.<br>
+<strong>Compatibility:</strong> Default was <code>on</code> prior to Apache
+1.3.<p>
+
+This directive enables DNS lookups so that host names can be logged (and
+passed to CGIs/SSIs in <code>REMOTE_HOST</code>).
+The value <code>double</code> refers to doing double-reverse DNS.
+That is, after a reverse lookup is performed, a forward lookup is then
+performed on that result.  At least one of the ip addresses in the forward
+lookup must match the original address.  (In "tcpwrappers" terminology
+this is called <code>PARANOID</code>.)<p>
+
+Regardless of the setting, when <a href="mod_access.html">mod_access</a>
+is used for controlling access by hostname, a double reverse lookup
+will be performed.  This is necessary for security.  Note that the
+result of this double-reverse isn't generally available unless
+you set <code>HostnameLookups double</code>.  For example, if only
+<code>HostnameLookups on</code> and a request is made to an object that
+is protected by hostname restrictions, regardless of whether the
+double-reverse fails or not, CGIs will still be passed the single-reverse
+result in <code>REMOTE_HOST</code>.<p>
+
+The default for this directive was previously <code>on</code> in
+versions of Apache prior to 1.3.  It was changed to <code>off</code>
+in order to save the network traffic for those sites that don't truly
+need the reverse lookups done.  It is also better for the end users
+because they don't have to suffer the extra latency that a lookup
+entails.
+Heavily loaded sites should leave this directive <code>off</code>, since DNS
 lookups can take considerable amounts of time. The utility <i>logresolve</i>,
 provided in the <i>/support</i> directory, can be used to look up host names
 from logged IP addresses offline.<p><hr>
diff --git a/docs/manual/mod/mod_access.html b/docs/manual/mod/mod_access.html
index 92bb6407d2b..4f9ee76ca7f 100644
--- a/docs/manual/mod/mod_access.html
+++ b/docs/manual/mod/mod_access.html
@@ -53,6 +53,12 @@ The allow directive affects which hosts can access a given directory.
 <dd>An IP address of a host allowed access
 <dt>A partial IP address
 <dd>The first 1 to 3 bytes of an IP address, for subnet restriction.
+<dt>A network/netmask pair
+<dd>A network a.b.c.d, and a netmask w.x.y.z.  For more fine-grained subnet
+    restriction.  (i.e. 10.1.0.0/255.255.0.0)
+<dt>A network/nnn CIDR specification
+<dd>Similar to the previous case, except the netmask consists of nnn 
+    high-order 1 bits.  (i.e. 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0)
 </dl>
 <P>
 Example:
@@ -121,6 +127,12 @@ The deny directive affects which hosts can access a given directory.
 <dd>An IP address of a host denied access
 <dt>A partial IP address
 <dd>The first 1 to 3 bytes of an IP address, for subnet restriction.
+<dt>A network/netmask pair
+<dd>A network a.b.c.d, and a netmask w.x.y.z.  For more fine-grained subnet
+    restriction.  (i.e. 10.1.0.0/255.255.0.0)
+<dt>A network/nnn CIDR specification
+<dd>Similar to the previous case, except the netmask consists of nnn 
+    high-order 1 bits.  (i.e. 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0)
 </dl>
 <P>
 Example: