Hi Yann

unfortunately that makes no difference. It doesn't work even if I only try to block one IP address like this:

SetEnvIf Remote_Addr "1\.2\.3\.1" wav

but the output is slightly different (see below)

LogFormat "%l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog "logs/ssl_access_log" combined env=!forwarded
CustomLog "logs/ssl_access_log" proxy env=forwarded
SetEnvIf Remote_Addr "1\.2\.3\.1" wav
CustomLog "logs/ssl_access_log" proxy env=!waf

before (deny two IPs):

10.1.2.1 - - [06/Oct/2017:08:37:12 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.2 - - [06/Oct/2017:08:37:13 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.1 - - [06/Oct/2017:08:37:17 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.2 - - [06/Oct/2017:08:37:18 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.1 - - [06/Oct/2017:08:37:22 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.2 - - [06/Oct/2017:08:37:23 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"

after (deny one IP):

10.1.2.1 - - [06/Oct/2017:08:37:32 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 10.1.2.1 - - [06/Oct/2017:08:37:32 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.2 - - [06/Oct/2017:08:37:33 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 10.1.2.2 - - [06/Oct/2017:08:37:33 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.1 - - [06/Oct/2017:08:37:37 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- 10.1.2.1 - - [06/Oct/2017:08:37:37 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"

if I delete %h in the proxy definition I get:

10.1.2.2 - - [06/Oct/2017:08:45:23 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- - - [06/Oct/2017:08:45:23 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.1 - - [06/Oct/2017:08:45:27 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- - - [06/Oct/2017:08:45:27 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
10.1.2.22 - - [06/Oct/2017:08:45:28 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"
- - - [06/Oct/2017:08:45:28 +0200] "HEAD / HTTP/1.0" 301 - "-" "-"

(one time the request is logged with the IP and one time without...:-( )

best
m

> Sent: Thursday, 05 October 2017 at 17:16
> From: "Yann Ylavic" <ylavic.dev@xxxxxxxxx>
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: X-Forward-For in ssl_access_log / apache behind WAF
>
> Hi,
>
> On Thu, Oct 5, 2017 at 11:11 AM, Morel Mosolff <marcus0049@xxxxxx> wrote:
> >
> > #part 2:
> > SetEnvIf Remote_addr ("1\.2\.3\.1"|"1\.2\.2\.2") waf
> > CustomLog "logs/ssl_access_log" proxy env=!waf
>
> Did you try without the quotes, for instance:
> SetEnvIf Remote_addr ^(1\.2\.3\.1|1\.2\.2\.2)$ waf
> ?
>
> Regards,
> Yann.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
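
Added example, not part of the thread and not Apache code: a small Python model of how the SetEnvIf and CustomLog directives quoted in the message are evaluated, showing which log formats write a line for one request. The function names, the `SETENVIF_ONE_NAME` variant and the sample requests (including the addresses 203.0.113.7 and 198.51.100.9) are constructed for illustration.

```python
import re

# Directives copied from the message above; variable names are spelled as posted.
SETENVIF = [
    ("X-Forwarded-For", r"^.*\..*\..*\..*", "forwarded"),
    ("Remote_Addr", r"1\.2\.3\.1", "wav"),
]
CUSTOMLOG = [("combined", "!forwarded"), ("proxy", "forwarded"), ("proxy", "!waf")]

# Hypothetical variant: the same rules with one spelling ("waf") used throughout.
SETENVIF_ONE_NAME = [(a, p, "waf" if v == "wav" else v) for a, p, v in SETENVIF]

def env_for(request, rules):
    """SetEnvIf: the variable is set when the (unanchored) regex matches the
    attribute; a missing header is matched as an empty string."""
    return {var for attr, pattern, var in rules
            if re.search(pattern, request.get(attr, ""))}

def logs_written(request, rules=SETENVIF, logs=CUSTOMLOG):
    """Return the format nickname of every CustomLog that writes a line.
    Each directive is tested on its own, so several can fire per request."""
    env = env_for(request, rules)
    written = []
    for nickname, cond in logs:
        negated = cond.startswith("!")
        if (cond.lstrip("!") in env) != negated:
            written.append(nickname)
    return written

if __name__ == "__main__":
    # Constructed requests: the address named in the rule (with and without a
    # forwarded header) and an unrelated client.
    samples = [
        {"Remote_Addr": "1.2.3.1"},
        {"Remote_Addr": "1.2.3.1", "X-Forwarded-For": "203.0.113.7"},
        {"Remote_Addr": "198.51.100.9"},
    ]
    for req in samples:
        print(req, logs_written(req), logs_written(req, SETENVIF_ONE_NAME))
```

In this model a request from an address outside the `Remote_Addr` rule still gets two lines, because `env=!forwarded` and `env=!waf` are both true for it.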