Fri, 21 Mar 2025 at 16:02, Christopher Schultz <ch...@christopherschultz.net>:
>
> All,
>
> Is there a way to load a bunch of allow or deny hosts from a file or
> other data-store? I have several dozen CIDR expressions and they will
> need to change periodically, so it would be more convenient if I could
> load them from at least a file on the disk and clean up my config a bit.
>
> I suppose I could
>
>      Include my-allows.conf
>      Include my-denies.conf
>
> And then use awk/sed/whatever to convert the lists of hosts into "Allow
> from [host]" and "Deny from [host]" but less tooling would be more
> convenient, of course.

Hi, Chris!

1. "Allow from ... " and "Deny from ... " (provided by
mod_access_compat) are deprecated
and replaced by "Require ip" (from mod_authz_host).

https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html
https://httpd.apache.org/docs/2.4/upgrading.html#run-time

2. If you go on with "Require", it is possible to use expressions there:

https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html
"Since v2.4.8, expressions are supported within the host require directives."

Expressions allow use of functions, such as "file".
https://httpd.apache.org/docs/2.4/expr.html

I have a configuration where I use this approach with the "Require
user" directive. It works, but I have not tested how well this scales
up. This looks like the following:

"%{file:${SRVROOT}/path/to/file.ext}"
where SRVROOT is set with a "Define" directive.

The file function is implemented here:
https://github.com/apache/httpd/blob/2.4.x/server/util_expr_eval.c#L1105

My understanding is that the file should be a single line, no longer
than MAX_FILE_SIZE that is defined there as 10 Mb.

Best regards,
Konstantin Kolinko
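
Added example, not code from either poster or from the httpd project: a Python script for the Include route raised in the question, emitting "Require ip" lines (the replacement for "Allow from" named in the reply) from a plain CIDR list. The sample list, the function names, and the choice to reject /0 entries and empty allow lists are assumptions of this example.

```python
import ipaddress
import os
import tempfile

# Constructed sample list (not from the thread): one entry per line, '#' comments.
SAMPLE = """\
# office ranges
192.0.2.0/24
198.51.100.17        # single host
2001:db8:abcd::/48
192.0.2.0/24
"""

def parse_cidrs(text):
    """Validate every entry; return de-duplicated networks in file order."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=True rejects set host bits (10.1.2.3/8), a common typo
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if net.prefixlen == 0:
            raise ValueError(f"line {lineno}: {entry} matches every address")
        if net not in nets:
            nets.append(net)
    return nets

def render(nets, deny=False):
    """Allow: OR-ed in <RequireAny>. Deny: negated lines for use in <RequireAll>."""
    if deny:
        return "".join(f"Require not ip {n}\n" for n in nets)
    if not nets:
        raise ValueError("refusing to write an empty allow list")
    body = "".join(f"    Require ip {n}\n" for n in nets)
    return f"<RequireAny>\n{body}</RequireAny>\n"

def write_atomic(path, content):
    """Write beside the target, then rename, so httpd never reads a partial file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.replace(tmp, path)

if __name__ == "__main__":
    print(render(parse_cidrs(SAMPLE)), end="")
```

The deny output has to be Included inside a <RequireAll> block that also contains a positive Require, because negated directives are not permitted in <RequireAny>. Run "apachectl configtest" on the result before reloading.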
