summaryrefslogtreecommitdiff
path: root/network/mod_hosts_access/README
blob: 2fab50ad9e03668cade9cad3ef833b3f1e33ec70 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
mod_hosts_access

This is a DSO (dynamically shared object) module for the Apache webserver
that uses libwrap (TCP Wrappers) to check if the connecting hosts is allowed.

This system works well with dynamic blocking scripts, such as DenyHosts, and
configfile distribution systems, such as Cfengine. Especially if other blocking
methods differ between hosts at a site (e.g. kernel-level firewalling means).

You'll need to add the following line to /etc/httpd/httpd.conf:
  Include /etc/httpd/mod_hosts_access.conf

LoadModule hosts_access_module lib/httpd/modules/mod_hosts_access.so

The /etc/hosts.{allow,deny} access control checking for the "httpd" service
can now be enabled or disabled on a per directory basis, by adding HostsAccess
directive to its declaration, e.g. again in /etc/httpd/httpd.conf:

# First, we configure the "default" to be a very restrictive set of
# permissions.
#
#<Directory />
#    HostsAccess On
#    Options FollowSymLinks
#    AllowOverride None
#</Directory>

To test, restart apache for it to load the module; edit /etc/hosts.allow
adding a line like the following:

httpd: localhost: deny

Access from 'localhost' (127.0.0.1) should now be disallowed, thus requesting
the index page should fail, to verify try: 

	lynx -dump localhost

The same can be done in a .htaccess file if AllowOverride Limit has been set.