Hi,
This question was previously sent to StackOverflow (ID 57206362), but
I believe it belongs here more than there.
We are using this kind of configuration to grant access to one of our
sites (here with RFC1918 CIDR ranges as an example, but you may
imagine different restrictions using public IP addresses)
<LocationMatch "/*">
Order deny,allow
Deny from all
Allow from 127.0.0.0/8
SetEnvIf X-Forwarded-For "(,| |^)192\.168\." WhiteIP
SetEnvIf X-Forwarded-For "(,| |^)172\.(1[6-9]|2\d|3[0-1])\." WhiteIP
SetEnvIf X-Forwarded-For "(,| |^)10\." WhiteIP
Allow from env=WhiteIP
</LocationMatch>
Indeed, there is another reverse proxy in front of this Apache server
so all clients will have the header, and all Source IP address would
be the same, thus disabling the possible usr of Allow/Deny IP
directives.
Problem is sometimes client have others proxies on their side and the
X-Forwarded-For Header will be either duplicated or concatenated. We
handle the concatenation correctly with the (,| |^) regexp trick, but
the problem is that Apache seems to run the SetEnvIf only against the
first occurrence of the Header.
Documentation is unclear to me about this behavior. Any idea on how to
handle this kind of case ? (note: we cannot control how our reverse
proxy works, only Apache) Could that be qualified as a bug ? Searching
through this mailing list archives led to interesting threads, but
nothing like this exact topic.
Precision : CentOS 6, Apache 2.2.15 latest patch version
Maxime Véroone
Omnicommerce Operations
Capensis SA on behalf of Decathlon
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|