X-Forwarded-For and If directive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I am certain I'm missing something important about the <If> directive and the -ipmatch operator when used in conjunction with %{HTTP:X-Forwarded-For}.
Please permit me to illustrate the problem by way of example:
<If "%{HTTP:X-Forwarded-For} -ipmatch '10.0.0.0/8'">
    LogMessage "Got IP match [%{HTTP:X-Forwarded-For}]"
</If>
<Else>
   LogMessage "No IP match [%{HTTP:X-Forwarded-For}]"
</Else>
produces the following log output:
[Wed Sep 04 17:57:03.611095 2019] [log_debug:info] [pid 11134] [client 10.128.10.9:53515] No IP match [10.128.10.9]
Clearly X-Forwarded-For has the value '10.128.10.9', which is certainly within the 10.0.0.0/8 CIDR.
So I say to myself "Well, maybe -ipmatch doesn't really like a CIDR, despite what the documentation appears to say".
<If "%{HTTP:X-Forwarded-For} -ipmatch '10.128.10.9'">
    LogMessage "Got explicit IP match [%{HTTP:X-Forwarded-For}]"
</If>
<Else>
   LogMessage "No explicit IP match [%{HTTP:X-Forwarded-For}]"
</Else>
This produces the log message:
[Wed Sep 04 17:57:03.611108 2019] [log_debug:info] [pid 11134] [client 10.128.10.9:53515] No explicit IP match [10.128.10.9]
So with X-Forwarded-For clearly containing the value 10.128.10.9, I cannot match 10.0.0.0/8 or 10.128.10.9 with -ipmatch.
Maybe -ipmatch doesn't work?
<If "'10.128.10.9' -ipmatch '10.0.0.0/8'">
   LogMessage "Got dummy IP match"
</If>
<Else>
  LogMessage "Failed dummy IP match"
</Else>
produces the following log message:
[Wed Sep 04 17:57:03.611112 2019] [log_debug:info] [pid 11134] [client 10.128.10.9:53515] Got dummy IP match

So it appears there's something pathological about %{HTTP:X-Forwarded-For}, but I can't help but observe that it prints as I expect it to in the LogMessage output.
Here's another example:
<If "%{HTTP:X-Forwarded-For} == '10.128.10.9' ">
  LogMessage "Got string IP match [%{HTTP:X-Forwarded-For}]"
</If>
<Else>
  LogMessage "Got no string IP match %{HTTP:X-Forwarded-For}"
</Else>
yields
[Wed Sep 04 17:57:03.611117 2019] [log_debug:info] [pid 11134] [client 10.128.10.9:53515] Got no string IP match 10.128.10.9
I'm convinced there's something subtle I'm overlooking, and would be very grateful for any suggestions.
Would some kind soul come to my rescue?
Thanks!


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux