As suggested by Marc Slemko, document the double reverse

effect of Allow/Deny.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100878 13f79535-47bb-0310-9956-ffa450edef68

1 files changed, 10 insertions, 6 deletions

diff --git a/docs/manual/mod/mod_authz_host.xml b/docs/manual/mod/mod_authz_host.xml
index 51069dde4d..9979548647 100644
--- a/docs/manual/mod/mod_authz_host.xml
+++ b/docs/manual/mod/mod_authz_host.xml
@@ -82,12 +82,16 @@ server</description>
       </example>
       <p>Hosts whose names match, or end in, this string are allowed
       access. Only complete components are matched, so the above
-      example will match <code>foo.apache.org</code> but it will
-      not match <code>fooapache.org</code>. This configuration will
-      cause the server to perform a reverse DNS lookup on the
-      client IP address, regardless of the setting of the <directive
-      module="core">HostnameLookups</directive>
-      directive.</p></dd>
+      example will match <code>foo.apache.org</code> but it will not
+      match <code>fooapache.org</code>. This configuration will cause
+      Apache to perform a double reverse DNS lookup on the client IP
+      address, regardless of the setting of the <directive
+      module="core">HostnameLookups</directive> directive.  It will do
+      a reverse DNS lookup on the IP address to find the associated
+      hostname, and then do a forward lookup on the hostname to assure
+      that it matches the original IP address.  Only if the forward
+      and reverse DNS are consistent and the hostname matches will
+      access be allowed.</p></dd>
 
       <dt>A full IP address</dt>