Hi, This question was previously sent to StackOverflow (ID 57206362), but I believe it belongs here more than there. We are using this kind of configuration to grant access to one of our sites (here with RFC1918 CIDR ranges as an example, but you may imagine different restrictions using public IP addresses) <LocationMatch "/*"> Order deny,allow Deny from all Allow from 127.0.0.0/8 SetEnvIf X-Forwarded-For "(,| |^)192\.168\." WhiteIP SetEnvIf X-Forwarded-For "(,| |^)172\.(1[6-9]|2\d|3[0-1])\." WhiteIP SetEnvIf X-Forwarded-For "(,| |^)10\." WhiteIP Allow from env=WhiteIP </LocationMatch> Indeed, there is another reverse proxy in front of this Apache server so all clients will have the header, and all Source IP address would be the same, thus disabling the possible usr of Allow/Deny IP directives. Problem is sometimes client have others proxies on their side and the X-Forwarded-For Header will be either duplicated or concatenated. We handle the concatenation correctly with the (,| |^) regexp trick, but the problem is that Apache seems to run the SetEnvIf only against the first occurrence of the Header. Documentation is unclear to me about this behavior. Any idea on how to handle this kind of case ? (note: we cannot control how our reverse proxy works, only Apache) Could that be qualified as a bug ? Searching through this mailing list archives led to interesting threads, but nothing like this exact topic. Precision : CentOS 6, Apache 2.2.15 latest patch version Maxime Véroone Omnicommerce Operations Capensis SA on behalf of Decathlon --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx