From 955e9b35a34848531e85ee6743bdf4dbc1767b8b Mon Sep 17 00:00:00 2001 From: Rich Megginson Date: Mon, 21 Oct 2013 14:43:02 -0600 Subject: [PATCH] Ticket #434 admin-serv logs filling with "admserv_host_ip_check: ap_get_remote_host could not resolve " https://fedorahosted.org/389/ticket/434 Reviewed by: ??? Branch: master Fix Description: Only warn once per process, and give the admin more information about what the problem is and what to do about it. Also added more debugging for access control, and turned down the verbosity of some of the other messages. Platforms tested: RHEL6 x86_64 Flag Day: no Doc impact: no --- mod_admserv/mod_admserv.c | 25 +++++++++++++++++++++---- 1 files changed, 21 insertions(+), 4 deletions(-) diff --git a/mod_admserv/mod_admserv.c b/mod_admserv/mod_admserv.c index d6d2e19..d104538 100644 --- a/mod_admserv/mod_admserv.c +++ b/mod_admserv/mod_admserv.c @@ -2013,6 +2013,7 @@ admserv_host_ip_check(request_rec *r) char * clientIP = r->connection->remote_ip; #endif char *msg; + static int warned = 0; if (clientIP) { } else { @@ -2036,8 +2037,15 @@ admserv_host_ip_check(request_rec *r) } } else { PRNetAddr addr; - ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, - "admserv_host_ip_check: ap_get_remote_host could not resolve %s", clientIP); + if (!warned) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "admserv_host_ip_check: Access control based on hostname [%s] is being used, " + "but the server could not resolve the hostname of client IP address [%s]. Either " + "enable HostnameLookups in console.conf (by default it is off for performance reasons), " + "or turn off access control by host/domain name and use access control by IP address only.", + accessHosts, clientIP); + warned = 1; /* warn only once per process */ + } if (PR_SUCCESS == PR_StringToNetAddr(clientIP, &addr)) { char buf[PR_NETDB_BUF_SIZE]; PRHostEnt hEntry; @@ -2045,16 +2053,19 @@ admserv_host_ip_check(request_rec *r) if (APR_SUCCESS != admserv_match_list(apr_pstrdup(r->pool, accessHosts), hEntry.h_name, matchflags)) { char ** x; - ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "admserv_host_ip_check: host [%s] did not match pattern [%s] -" "will scan aliases", hEntry.h_name, accessHosts); for (x = hEntry.h_aliases; x && *x; x++) { if (APR_SUCCESS != admserv_match_list(apr_pstrdup(r->pool, accessHosts), *x, matchflags)) { - ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "admserv_host_ip_check: host alias [%s] did not match pattern [%s]", *x, accessHosts); } else { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "admserv_host_ip_check: host alias [%s] matched pattern [%s] - access allowed", + *x, accessHosts); return DECLINED; } } @@ -2077,7 +2088,13 @@ admserv_host_ip_check(request_rec *r) int matchflags = APR_FNM_PERIOD; apr_status_t rc = admserv_match_list(apr_pstrdup(r->pool, accessAddresses), clientIP, matchflags); if (rc != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, + "admserv_host_ip_check: client IP address [%s] did not match pattern [%s] - access denied", + clientIP, accessAddresses); } else { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "admserv_host_ip_check: client IP address [%s] matched pattern [%s] - access allowed", + clientIP, accessAddresses); return DECLINED; } } -- 1.7.1