Configuring mod_access_dnsbl
Note that none of the following directives are merged. Specifically, when any directive provided by this module is used in a new configuration section, no directives provided by this module are inherited from previous configuration sections.
DNSBLOrder Directive
Description: | Controls the default access state and the order in which
DNSBLAllow and DNSBLDeny are
evaluated. |
---|---|
Syntax: | DNSBLOrder ordering |
Default: | DNSBLOrder Deny,Allow |
Context: | directory, .htaccess |
Override: | Limit |
Module: | mod_access_dnsbl |
The DNSBLOrder directive is entirely analogous to the order directive of the mod_access_compat module. It takes precisely the same three ordering values:
Allow,Deny
- First, all DNSBLAllow directives are evaluated; at least one must match, or the request is rejected. Next, all DNSBLDeny directives are evaluated. If any matches, the request is rejected. Last, any requests which do not match a DNSBLAllow or a DNSBLDeny directive are denied by default.
Deny,Allow
- First, all DNSBLDeny directives are evaluated; if any match, the request is denied unless it also matches an DNSBLAllow directive. Any requests which do not match any DNSBLAllow or DNSBLDeny directives are permitted.
Mutual-failure
- This has the same effect as
Allow,Deny
and is provided for backwards-compatibility both internally and with the mod_access_compat syntax. It is deprecated in newer configurations.
DNSBLAllow Directive
Description: | Controls which DNSBLs can give access to an area of the server |
---|---|
Syntax: | DNSBLAllow from dnsbl-zone
[dnsbl-zone] ... |
Context: | directory, .htaccess |
Override: | Limit |
Module: | mod_access_dnsbl |
The DNSBLAllow directive is similar to the Allow
directive of the mod_access_compat module. The first argument to
this directive is always from
. The next and optional
subsequent arguments must be DNSBL zones.
DNSBLDeny Directive
Description: | Controls which DNSBLs can deny access to an area of the server |
---|---|
Syntax: | DNSBLDeny from dnsbl-zone
[dnsbl-zone] ... |
Context: | directory, .htaccess |
Override: | Limit |
Module: | mod_access_dnsbl |
The DNSBLDeny directive is similar to the Deny
directive of the mod_access_compat module. The first argument to
this directive is always from
. The next and optional
subsequent arguments must be DNSBL zones.
DNSBLAddressType Directive
Description: | Explicitly determines which IP address to check for users behind proxies. |
---|---|
Syntax: | DNSBLAddressType client|useragent |
Default: | DNSBLAddressType useragent |
Context: | directory, .htaccess |
Override: | Limit |
Module: | mod_access_dnsbl |
Compatibility: | Available with Apache version 2.4.0 and later, mod_access_dnsbl version 0.02 and later. |
Prior to version 2.4 of Apache, the IP address of the user was always taken to be that of the previous HTTP hop such that for a user behind a proxy it was the address of the proxy which was used.
In version 2.4 mod_remoteip was introduced which allows us to use the IP address of the far end of the HTTP chain instead ie. the address of the useragent. To extend this flexibility further, mod_access_dnsbl now provides a facility for finer grained control over which address is interpreted as that of the user. This feature necessarily requires mod_remoteip to have any effect.
The directive takes only one argument which is the address
type and can be either client
meaning the proxy
or useragent
meaning the host behind the proxy
(the default).
Example configuration
By way of illustration here is an example configuration.
# Enable Lookups
DNSBLLookups On
# Set up some DNSBL zones
DNSBLZone abusers dnsbl.ahbl.org. any
DNSBLZone spammers sbl.spamhaus.org. any
# Protect some resource from a single list
<Directory /www/comments>
DNSBLDeny from spammers
</Directory>
# Protect another resource from both lists
<Directory /www/admin>
DNSBLDeny from abusers spammers
</Directory>
Notes on usage
Using this module to protect resources will necessarily result in the server performing an increased number of DNS lookups to the DNSBLs. The more of the web space it protects and the greater number of DNSBLs in use the greater the number of lookups will be which will delay the responses from the server. To mitigate the negative effects it is advisable only to protect those parts of the server which will actually benefit from it. This might be the cgi-bin, for example.
The other aspect to consider is the inherent speed of DNS resolution by the server. It is prudent to ensure that all of its configured resolvers respond and that they do so in a reasonable amount of time. Some servers may benefit from running a local caching-only resolver.
See also:
Copyright © Openstrike 2024