ConfigServer Community Forum

Chirpy,

I know the feature exists to have a centralized IP deny/allow list but what about having a clustered one?

For example, we host our servers on the same network. So what would be nice is if one server denies/allows an IP, the other servers pick up the IP and perform the same action.

It might sound easier on paper but certainly a noteworthy feature.

It s something we've looked at, and will do so again. There are some logistical issues to take care of with this type of feature.

Can't we do it with

# The follow Global options allow you to specify a URL where csf can grab a
# centralised copy of an IP allow or deny block list of your own. You need to
# specify the full URL in the following options, i.e.:
# http://www.somelocation.com/allow.txt
#
# The actual retrieval of these IP's is controlled by lfd, so you need to set
# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
# will perform the retrieval when it runs and then again at the specified
# interval. A sensible interval would probably be every 3600 seconds (1 hour)
#
# You do not have to specify both an allow and a deny file
GLOBAL_ALLOW = ""
GLOBAL_DENY = ""
LF_GLOBAL = ""

If you'd still like to do this I might be able to build an php script to do it for you.

Not sure about others but I love the idea though not sure about accomplishing it with PHP personally

Maybe if a flag was added so that you could directly add an IP to the glob_allow or glob_deny lists as easily as you can with the normal allow/deny lists then a simple way to cluster the idea would be easier.

By this I mean something like:

csf -ga 123.123.123.123 (adds IP to global allow list and loads the new rule automatically)
csf -gd 124.124.124.124 (adds IP to global deny list and loads the new rule automatically)

Then a simple method to send those commands too all servers within the cluster arrangement, or to a master server and then have all slaves get the updated glob_allow or glob_deny file from the master server.