On 08/08/2014 11:21 PM, "Tom Evans" <tevans.uk@xxxxxxxxxxxxxx> wrote:
>
> On Fri, Aug 8, 2014 at 9:23 AM, Igor Cicimov <icicimov@xxxxxxxxx> wrote:
> >
> >> Your .htaccess file:
> >> # ALLOW USER BY IP
> >> order deny,allow
> >> deny from all
> >> SetEnvIF X-Forwarded-For "1.2.3.4" AllowIP
> >> SetEnvIF X-Forwarded-For "5.6.7.8" AllowIP
> >> Allow from env=AllowIP
> >> allow from 1.2.3.4
> >> allow from 5.6.7.8
> >>
> >> source:
> >> http://frustratedtech.com/post/42641261089/htaccess-file-to-block-ips-coming-from-varnish
> >>
> > Looks sane to me, although I don't see the need for the last 2 allow lines since they
> > are already included by the previous "Allow from env=AllowIP". You can also
> > use a regexp like:
> >
> > SetEnvIF X-Forwarded-For "1.2.3.4|5.6.7.8|7.8.9.[2-5]|3.4.5.[69]" AllowIP
> >
>
> Looks insane to me. If squid is setting X-Forwarded-For and you trust
> squid, use mod_remoteip or mod_rpaf2 so that apache knows the real
> client address and will use it in authentication and logging.
>
> Using string matching, or even worse, regexp matching on
> X-Forwarded-For is a mistake as it is error-prone - you must specify
> your authentication as a string or regexp, not as its native type -
> and worse, it is potentially malicious as squid does not scrub
> X-Forwarded-For, it appends to it, making your simple string match
> easily exploitable.
>
Not if you use "forward-for truncate"
> mod_remoteip and mod_rpaf both know about X-Forwarded-For, they allow
> you to specify which hosts you trust to add X-Forwarded-For, and they
> interpret the X-Forwarded-For correctly as an IP address, allowing you
> to specify your configuration in its natural form.
>
> Cheers
>
> Tom
>
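To make Tom's point concrete, here is an added Python illustration (not code from this thread or from httpd): the SetEnvIf-style regexp match on the raw header beside the right-to-left trusted-proxy walk that mod_remoteip performs with RemoteIPHeader and RemoteIPTrustedProxy. The squid address 10.0.0.5 and the client addresses are constructed for the example.

```python
import ipaddress
import re
from typing import Iterable, Optional

# Constructed sample topology: squid at 10.0.0.5 is the only hop we trust to
# append X-Forwarded-For; 1.2.3.4 and 5.6.7.8 are the clients the .htaccess
# in the thread intends to admit.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
ALLOWED_CLIENTS = [ipaddress.ip_network("1.2.3.4/32"),
                   ipaddress.ip_network("5.6.7.8/32")]

def _in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)

def setenvif_match(xff: Optional[str]) -> bool:
    """The thread's SetEnvIf approach: an unanchored regexp over the raw header.
    It fires if the allowed address appears *anywhere* in the list, and the
    unescaped dots also match any character, so it is not an identity check."""
    return bool(xff) and re.search(r"1.2.3.4|5.6.7.8", xff) is not None

def client_ip_from_xff(remote_addr: str, xff: Optional[str],
                       trusted: Iterable = TRUSTED_PROXIES):
    """Illustration of the mod_remoteip-style walk (not the module's own code).

    Start from the TCP peer.  While the current address is a trusted proxy,
    replace it with the next X-Forwarded-For entry from the right.  The first
    address that is not a trusted proxy is the client as seen by the last
    trusted hop; anything a client wrote further left is never consulted.
    An entry that does not parse as an address ends the walk."""
    trusted = list(trusted)
    current = ipaddress.ip_address(remote_addr)
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    while hops and _in_any(current, trusted):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break
    return current

def is_allowed(remote_addr: str, xff: Optional[str],
               trusted: Iterable = TRUSTED_PROXIES,
               allowed: Iterable = ALLOWED_CLIENTS) -> bool:
    """Equivalent of 'Require ip 1.2.3.4 5.6.7.8' evaluated on the resolved client."""
    return _in_any(client_ip_from_xff(remote_addr, xff, trusted), list(allowed))
```

With squid appending rather than scrubbing, a request that arrives at squid from 9.9.9.9 carrying a client-supplied "X-Forwarded-For: 1.2.3.4" reaches Apache as "1.2.3.4, 9.9.9.9": the regexp still fires, while the trusted-proxy walk resolves the client to 9.9.9.9 and denies it.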