Re: SetEnvIf and multiple X-Forwarded-For headers

On Wed, Oct 23, 2019 at 01:25:57PM +0200, Maxime VEROONE wrote:
> Hi,
> 
> This question was previously sent to StackOverflow (ID 57206362), but
> I believe it belongs here more than there.
> 
> We are using this kind of configuration to grant access to one of our
> sites (here with RFC1918 CIDR ranges as an example, but you may
> imagine different restrictions using public IP addresses)
> 
>     <LocationMatch "/*">
>         Order deny,allow
>         Deny from all
>         Allow from 127.0.0.0/8
>         SetEnvIf X-Forwarded-For "(,| |^)192\.168\." WhiteIP
>         SetEnvIf X-Forwarded-For "(,| |^)172\.(1[6-9]|2\d|3[0-1])\." WhiteIP
>         SetEnvIf X-Forwarded-For "(,| |^)10\." WhiteIP
>         Allow from env=WhiteIP
>     </LocationMatch>
> 


Just out of curiosity, where is this documented?

Ruben

> Indeed, there is another reverse proxy in front of this Apache server
> so all clients will have the header, and all source IP addresses would
> be the same, thus disabling the possible use of Allow/Deny IP
> directives.
> 
> Problem is sometimes clients have other proxies on their side and the
> X-Forwarded-For header will be either duplicated or concatenated. We
> handle the concatenation correctly with the (,| |^) regexp trick, but
> the problem is that Apache seems to run the SetEnvIf only against the
> first occurrence of the Header.
> 
> Documentation is unclear to me about this behavior. Any idea on how to
> handle this kind of case? (note: we cannot control how our reverse
> proxy works, only Apache) Could that be qualified as a bug? Searching
> through this mailing list's archives led to interesting threads, but
> nothing like this exact topic.
> 
> Precision: CentOS 6, Apache 2.2.15 latest patch version
> 
> Maxime Véroone
> Omnicommerce Operations
> Capensis SA on behalf of Decathlon
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> 
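
The duplicated-versus-concatenated case described in the quoted message, as an added example that is not part of the original thread or of Apache's code: it collects every X-Forwarded-For occurrence, parses the entries as addresses, and tests them against the three RFC1918 ranges the regexes stand for. The function names and sample requests are constructed, and `first_only=True` models the first-occurrence behaviour reported above as an assumption.

```python
import ipaddress

# The three RFC1918 ranges the regexes in the quoted configuration stand for.
ALLOWED = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def xff_values(headers, first_only=False):
    """Return the X-Forwarded-For field values from (name, value) pairs.

    first_only=True models the behaviour reported in the thread, where only
    the first occurrence of the header is examined (an assumption here).
    """
    values = [v for n, v in headers if n.lower() == "x-forwarded-for"]
    return values[:1] if first_only else values


def xff_addresses(values):
    """Split field values on commas and parse each entry as an IP address."""
    addrs = []
    for value in values:
        for item in value.split(","):
            item = item.strip()
            if not item:
                continue
            try:
                addrs.append(ipaddress.ip_address(item))
            except ValueError:
                pass  # not a bare IP (e.g. "unknown"); it never matches
    return addrs


def white_ip(headers, first_only=False):
    """True if any listed address falls inside one of the allowed ranges."""
    addrs = xff_addresses(xff_values(headers, first_only))
    return any(a in net for a in addrs for net in ALLOWED)


# Constructed sample requests (documentation addresses from RFC 5737).
CONCATENATED = [("Host", "example.test"),
                ("X-Forwarded-For", "203.0.113.7, 192.168.4.20")]
DUPLICATED = [("Host", "example.test"),
              ("X-Forwarded-For", "203.0.113.7"),
              ("X-Forwarded-For", "192.168.4.20")]
OUTSIDE = [("X-Forwarded-For", "172.32.0.1, 198.51.100.9")]

if __name__ == "__main__":
    for name, req in (("concatenated", CONCATENATED),
                      ("duplicated", DUPLICATED), ("outside", OUTSIDE)):
        print(name, white_ip(req, first_only=True), white_ip(req))
```

Matching any entry mirrors the regexes in the quoted configuration. Only the entry appended by your own reverse proxy is a value you control; the rest of the list is whatever the client side sent.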
