Linux – How expensive is a hostname in htaccess? Other solutions possible

Tags: .htaccess, apache-2.2, hostname, linux, performance

For easy allowing or disallowing of dynamic IP addresses you can add them as a hostname in a .htaccess file.

As I have read from ".htaccess allow from hostname?":

it does a reverse lookup on the connecting ip address, seeing if the response matches the allowed name.

(Well, actually Apache is doing a double lookup, first a reverse lookup and then a forward lookup on the result of the reverse.)

This is the reason we are currently not using dynamic-ip hostnames in the .htaccess: this "sounds" quite heavy: 2 extra lookups for every request.

  • Is this indeed quite heavy, and would a reasonably busy server that is rather looking for less than more load get away with this :)? (e.g.: how does this 'load' compare to the rest? If a request is 1000 times more expensive than the lookups it might be negligible. otoh, it could be that final straw 🙂 )
  • Are there other solutions? I can write a script that does a lookup of the hostname and put it in .htaccess files of course, but this feels a bit like a hack.

Best Answer

Just using .htaccess itself is a performance-killer. When AllowOverride is on in any fashion in the Apache global config, httpd has to look for a .htaccess file at every directory level of the URI on every request, in case there is something there it needs to read. This amounts to a lot of extra lstat() calls that add latency and increase the amount of work the server has to do. Maybe you're stuck with .htaccess because of a shared hosting setup, but then you can't really get "high performance" anyway... ;)

Setting aside that DNS isn't the greatest indicator, what is your goal in disallowing "dynamic" IP addresses? This would be something better suited to an application firewall-- something sitting in front of your Apache server(s) doing the IP inspection, possibly by checking a blacklist, possibly using a local DNS resolver.
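
The script the question mentions (resolve the hostname ahead of time and write the resulting IPs into the access rules) could look like the sketch below. It is an added example, not code from either post: the function names, the `resolver` parameter and the output path are assumptions, and the generated rules use the Apache 2.2 `Order`/`Deny`/`Allow` syntax. Because the rules then contain literal IPs, Apache does no DNS lookup per request, and a failed lookup leaves the previous rules in place.

```python
import ipaddress
import os
import socket
import sys
import tempfile


def resolve(hostname):
    """Forward-resolve a hostname to a sorted list of unique IP strings."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def render_rules(hostnames, resolver=resolve):
    """Build Apache 2.2 rules from literal IPs; raises if a lookup fails."""
    lines = ["Order deny,allow", "Deny from all"]
    for name in hostnames:
        addrs = resolver(name)
        if not addrs:
            raise LookupError("no addresses for " + name)
        lines.append("# " + name)  # Apache comments must be on their own line
        for addr in addrs:
            # ip_address() rejects anything that is not a literal IP
            lines.append("Allow from %s" % ipaddress.ip_address(addr))
    return "\n".join(lines) + "\n"


def update_file(path, hostnames, resolver=resolve):
    """Rewrite path only if the rules changed; return True when rewritten."""
    try:
        new = render_rules(hostnames, resolver)
    except (OSError, LookupError, ValueError):
        return False  # DNS trouble: keep the last known-good rules
    try:
        with open(path) as fh:
            if fh.read() == new:
                return False
    except FileNotFoundError:
        pass
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(new)
    os.chmod(tmp, 0o644)  # mkstemp creates 0600; httpd must be able to read it
    os.replace(tmp, path)  # atomic swap: httpd never sees a half-written file
    return True


if __name__ == "__main__":
    # usage: script.py OUTPUT_FILE HOSTNAME [HOSTNAME ...]
    print("rewritten" if update_file(sys.argv[1], sys.argv[2:]) else "left as is")
```

Run from cron, the output file can be the .htaccess itself or a file pulled into the main config with `Include`; in the second case httpd needs a graceful reload whenever `update_file` returns True.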