On Wed, Mar 22, 2017 at 2:53 PM, Andrei Ivanov <andrei.ivanov@xxxxxxxxx> wrote: > > Welcome back :-) Thanks ;) > > These expressions don't work anymore: Can't parse value expression : > Function 'PeerExtList' does not exist > > Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}" > Header set Expr1 "expr='IP Address:'.%{REMOTE_ADDR} -in > %{PeerExtList:2.5.29.17}" This is not what I proposed (according to the new patch), the above works only with first/initial (now obsolete) patch. For the "Client-SAN" header, it fails because "%{PeerExtList:2.5.29.17}" is a list and it can't be evaluated in a string context (like mod_headers' expr= context). A string context is what's allowed between the quotes in a full expression context (like a an <If>'s condition), but omitting/without the quotes... So same for the second, "'IP Address:'.%{REMOTE_ADDR}" is not valid in a string context, you'd have to use expr="IP Address:%{REMOTE_ADDR}" directly, but still the following "-in %{PeerExtList:2.5.29.17}" isn't valid either (no condition evaluated in a string context...). That's why my latest patch introduces "%{: <any expression> :}" (note the leading and trailing colons), so you should be able to: Header set Expr1 "expr=%{: 'IP Address:%{REMOTE_ADDR}' -in PeerExtList('2.5.29.17') :}" but still the above is "false" (my patch also evaluates the conditions into the strings "true"/"false"). This is because 'IP Address:%{REMOTE_ADDR}' is only a part of the first entry of PeerExtList('2.5.29.17') (which could be expressed literally as {'email:<redacted1>, email:<redacted2>, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:159.107.78.131, IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44'}), not an entry on its own (like in {'email:<redacted1>', 'email:<redacted2>', 'IP Address:127.0.0.1', 'IP Address:0:0:0:0:0:0:0:1', 'IP Address:159.107.78.131', 'IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44'}). So we need to be able to split a list but applying a regular expression on all of its entries and creating a new list with the capture(s). That's the new "split/<match>/<substitute>/" operator, which will walk all the list's entries (actually the first and only one in the PeerExtList('2.5.29.17') case) and split them into a new list where <match>ed, i.e. keep only what's before (hence also after by progress on the next <match>) and <substitute>d if not empty. All in one, this gives: Header set Expr1 "expr=%{: %{REMOTE_ADDR} -in (PeerExtList('subjectAltName') =~ split/.*?IP Address:([^,]+)/$1/) :}" Where we create an %{: expression :} context where we can search for %{REMOTE_ADDR} -in PeerExtList('subjectAltName') splitted on ".*?IP Address:([^,]+)" (i.e. skip anything before and including 'IP Address:' to keep only what follows until the next comma: the IP!). This one should return "true"... > > I've modified this one to use the "normal" method syntax, hoping that would > work: > > <If "%{PeerExtList('2.5.29.17') =~ /%{REMOTE_ADDR}/"> > Header set matched-dynamic true > </If> Likewise, %{REMOTE_ADDR} cannot be evaluated at init time (when the regular expression is compiled), thus the failure. But: <If "%{REMOTE_ADDR} -in (PeerExtList('subjectAltName') =~ split/.*?IP Address:([^,]+)/$1/)"> Header set matched-dynamic true </If> should work... Regards, Yann. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx