
To restrict access to many (+100) vhosts, I use the statement Require forward-dns authorized-ips.mydomain.tld.
This allows me to easily manage adding and removing IP addresses via DNS in a simple and centralized way.

It has worked well for several years now.

Until recently, I was only using IPv4.
I would like to finally switch to a dual stack IPv4/IPv6 or even completely switch to IPv6.

The problem is that forward-dns performs strict comparisons with IPv6 addresses.
Is there a way to use the forward-dns instruction to compare a sub-network of IPv6 instead of a full address?

PS: I know it's possible to do this with Require ip 2001:db8:2:1::/64, but in this case, I would lose all the advantage of DNS-based management.

1 Answer


Now that NAT is no longer necessary, clients can have their own addresses for end-to-end communications. However, that means more IPs than can fit in one name for Require forward-dns.

If you control both forward and reverse DNS, it's possible to do something like Require host .client.example.net. Reverse DNS that ends with that label, and is validated by a forward lookup, can proceed.

You mentioned you do not like IP addresses in httpd config files. For completeness, they can be networks: Require ip 2001:db8:2:1::/64. Note the address space is big enough that a site can have as many /64s as they need, and each can fit as many hosts as you want. This will only be a reasonably short allow list if clients are naturally organized into a relatively small number of subnets.

As mod_authz_host currently works, forward-dns and host are working on the full IP address, not nets. forward-dns allows multiple hosts from multiple IPs retrieved from that DNS name. host allows multiple through partial name matching. Explore what it would take to change the code to accommodate parsing a network from DNS. Maintain your own modifications to mod_authz_host or start a new module.

The Include directive works in directory context. You can have a common file for each unique Require you use, and only need to update it in one place.

IP address is not strong authentication. Users are not providing a credential, only IP headers which can be forged. IP allow lists can provide a sanity check against network traffic you do not expect. Any actual proof of user identity requires real auth, however.

  • How does one easily spoof an IP address using a connection-oriented protocol like TCP? It's still not strong auth, but not as weak as relying on IP directly.
    – Greg W
    Commented Oct 31 at 23:28
  • IP address is not a thing you have. The tie to identity is only as strong as the routing protocol, and BGP hijacking is a threat. Possibly forged IP headers aren't realistic, but there isn't really a defense at just the IP layer. As a part of a multiple tiered network protection an IP allow list can be useful to define expected source addresses. Not as auth.
    Commented Nov 11 at 1:23
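As an added illustration (not code from the question or the answer, and not how mod_authz_host is actually implemented), the following Python models the two matching behaviours the answer contrasts: the exact-address comparison that Require forward-dns performs, beside the prefix-based comparison a modified module would need in order to allow an IPv6 /64 learned from DNS. The resolved records are constructed sample data using documentation address ranges.

```python
import ipaddress
from typing import Iterable

# Constructed sample: what a resolver might return for the allow-list name
# (documentation ranges only; not real hosts).
RESOLVED_RECORDS = [
    "192.0.2.10",                          # A record
    "2001:db8:2:1::1",                     # AAAA record
    "2001:db8:2:1:a1b2:c3d4:e5f6:7890",    # AAAA record, same /64 as above
]


def forward_dns_allows(client_ip: str, records: Iterable[str]) -> bool:
    """Model of Require forward-dns: the client address must equal one of
    the addresses the name resolves to. Exact match only, which is why a
    second host in the same IPv6 /64 is denied."""
    client = ipaddress.ip_address(client_ip)
    return any(client == ipaddress.ip_address(r) for r in records)


def network_allows(client_ip: str, records: Iterable[str],
                   v6_prefixlen: int = 64, v4_prefixlen: int = 32) -> bool:
    """Hypothetical prefix-based variant (assumption: each resolved address
    stands for the network of the given prefix length). This is the kind of
    change the answer says mod_authz_host would need; it is not current
    module behaviour."""
    client = ipaddress.ip_address(client_ip)
    for r in records:
        addr = ipaddress.ip_address(r)
        if addr.version != client.version:
            continue  # never compare an IPv4 client against an AAAA record
        plen = v6_prefixlen if addr.version == 6 else v4_prefixlen
        # strict=False masks host bits so 2001:db8:2:1::1/64 -> 2001:db8:2:1::/64
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        if client in net:
            return True
    return False


if __name__ == "__main__":
    for ip in ("2001:db8:2:1::1", "2001:db8:2:1::2", "2001:db8:2:2::1"):
        print(ip, "forward-dns:", forward_dns_allows(ip, RESOLVED_RECORDS),
              "/64 match:", network_allows(ip, RESOLVED_RECORDS))
```

With v6_prefixlen=128 the prefix variant collapses back to the exact-match behaviour, which is a useful sanity check when testing such a change.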
