[ale] apache question.. slightly OT

Michael Barker mbarker68 at home.com
Mon Sep 10 23:16:44 EDT 2001


greg at turnstep.com wrote:
> 
> > The Web site is behind a corporate firewall.  I get about
> > 1500 hits a day.... not much. If I keep adding subnets to the
> > allow from in the apache httpd.conf file, at what point will
> > apache complain that there are too many?  10?, 15? 20?
> 
> One data point I can give you is that I have had 443 entries
> in a deny table before with no noticeable performance hit.
> I don't think 20 or even 100 will be a problem. As far as a
> limit before apache complains, I don't think there is one
> to really speak of. From looking at the source (nice to be
> able to do that!) it appears that the access list is stuck into
> a linked list. So this gets loaded into memory at startup
> time and then searched each time (doesn't seem to be
> optimized though, although I could be wrong*). The only
> limit there is is running out of memory (not likely as we're
> storing IP numbers here, not works of Shakespeare) or running
> up against the value of "int" on your machine. Which should be
> more than enough. :) For those interested, take a look at
> src/modules/standard/mod_access.c to check out where apache
> actually creates and checks the access/deny lists.
> 
> * I suppose the optimization could be said to be left to the
> writer of the httpd.conf file, by arranging the most commonly
> used IPs first, so it will be found quicker during the linked
> list traversal.
> 
> The bottom line is, I would not worry about it until you hit
> perhaps a 1000 entries. I'd test with 'ab' and see if it mattered
> then - I suspect not. One small suggestion I can give is to make
> each IP its own Allow line, just so the httpd.conf file
> is easier to maintain.
> 
> Greg Sabino Mullane
> greg at turnstep.com
> PGP Key: 0x14964AC8 200109102101
> 
> --
> To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.

If greg at turnstep.com has solved your problem then this is merely my two
cents.  My concern was: if you specify thing.com, can anyone gain access
with anything.com?  Thanks to greg at turnstep.com for pointing out where to
look in the source; the comment in the section on subdomain checking
states:

	/* Make sure we matched an *entire* subdomain --- if the user
	 * said 'allow from good.com', we don't want people from nogood.com
	 * to be able to get in.
	 */

then if you decide to go that route you should be safe.

Cheers

Michael
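An added illustration of the whole-subdomain check that comment describes (example code written for this archive page, not Apache's own mod_access.c): a naive suffix test beside a whole-label test, run over a constructed Allow list and constructed hostnames.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Naive suffix test: the mistake the quoted comment warns about.
 * "nogood.com" ends with "good.com", so it would be let in. */
int naive_suffix_match(const char *domain, const char *host)
{
    size_t dl = strlen(domain), hl = strlen(host);
    if (hl < dl)
        return 0;
    return strcasecmp(domain, host + (hl - dl)) == 0;
}

/* Whole-label test in the spirit of mod_access: the suffix must match
 * AND be the entire name, or be preceded by '.', or the configured
 * domain must itself start with '.' (e.g. ".example.org"). */
int in_domain(const char *domain, const char *host)
{
    size_t dl = strlen(domain), hl = strlen(host);
    if (hl < dl)
        return 0;
    if (strcasecmp(domain, host + (hl - dl)) != 0)
        return 0;
    if (hl == dl)
        return 1;                       /* matched the whole name */
    return domain[0] == '.' || host[hl - dl - 1] == '.';
}

/* Walk an ordered list of "Allow from" domains; first match wins,
 * which is why the quoted mail suggests putting common entries first. */
int allowed_by_list(const char *const *allow, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (in_domain(allow[i], host))
            return 1;
    return 0;
}

int main(void)
{
    const char *allow[] = { "good.com", ".example.org" };   /* constructed */
    const char *hosts[] = { "good.com", "www.good.com", "nogood.com",
                            "host.example.org", "badexample.org" };
    for (size_t i = 0; i < 5; i++)
        printf("%-18s naive=%d whole-label=%d\n", hosts[i],
               naive_suffix_match("good.com", hosts[i]),
               allowed_by_list(allow, 2, hosts[i]));
    return 0;
}
```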