On Wed, Oct 23, 2019 at 01:25:57PM +0200, Maxime VEROONE wrote:
> Hi,
>
> This question was previously sent to StackOverflow (ID 57206362), but
> I believe it belongs here more than there.
>
> We are using this kind of configuration to grant access to one of our
> sites (here with RFC1918 CIDR ranges as an example, but you may
> imagine different restrictions using public IP addresses)
>
> <LocationMatch "/*">
> Order deny,allow
> Deny from all
> Allow from 127.0.0.0/8
> SetEnvIf X-Forwarded-For "(,| |^)192\.168\." WhiteIP
> SetEnvIf X-Forwarded-For "(,| |^)172\.(1[6-9]|2\d|3[0-1])\." WhiteIP
> SetEnvIf X-Forwarded-For "(,| |^)10\." WhiteIP
> Allow from env=WhiteIP
> </LocationMatch>
>

Just out of curiosity, where is this documented?

Ruben

> Indeed, there is another reverse proxy in front of this Apache server
> so all clients will have the header, and all source IP addresses would
> be the same, thus disabling the possible use of Allow/Deny IP
> directives.
>
> Problem is sometimes clients have other proxies on their side and the
> X-Forwarded-For header will be either duplicated or concatenated. We
> handle the concatenation correctly with the (,| |^) regexp trick, but
> the problem is that Apache seems to run the SetEnvIf only against the
> first occurrence of the header.
>
> Documentation is unclear to me about this behavior. Any idea on how to
> handle this kind of case? (note: we cannot control how our reverse
> proxy works, only Apache) Could that be qualified as a bug? Searching
> through this mailing list's archives led to interesting threads, but
> nothing like this exact topic.
>
> Precision: CentOS 6, Apache 2.2.15 latest patch version
>
> Maxime Véroone
> Omnicommerce Operations
> Capensis SA on behalf of Decathlon
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
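
The difference between a concatenated and a duplicated X-Forwarded-For header, as an added example that is not part of either message in this thread: it applies the three SetEnvIf patterns from the quoted configuration to the first occurrence only (the behaviour the original poster reports, modelled here as an assumption) and to all occurrences joined into one list. Function names and sample requests are constructed for illustration.

```python
import ipaddress
import re

# The three SetEnvIf patterns from the quoted configuration.
WHITE_PATTERNS = [re.compile(p) for p in (
    r"(,| |^)192\.168\.",
    r"(,| |^)172\.(1[6-9]|2\d|3[0-1])\.",
    r"(,| |^)10\.",
)]
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def xff_values(raw_headers):
    """Return every X-Forwarded-For field value, in arrival order."""
    return [v.strip() for k, v in raw_headers if k.lower() == "x-forwarded-for"]

def white_first_only(raw_headers):
    """Assumed model of the reported behaviour: test the first occurrence only."""
    values = xff_values(raw_headers)
    return bool(values) and any(p.search(values[0]) for p in WHITE_PATTERNS)

def white_combined(raw_headers):
    """Join repeated fields into one comma-separated list, then test it."""
    combined = ", ".join(xff_values(raw_headers))
    return any(p.search(combined) for p in WHITE_PATTERNS)

def private_entries(raw_headers):
    """Parse each list element and keep those inside the RFC 1918 ranges."""
    found = []
    for value in xff_values(raw_headers):
        for item in value.split(","):
            try:
                addr = ipaddress.ip_address(item.strip())
            except ValueError:
                continue  # not an IP literal, skip it
            if any(addr in net for net in RFC1918):
                found.append(str(addr))
    return found

# Constructed sample requests as (header name, value) pairs.
CONCATENATED = [("Host", "example.test"),
                ("X-Forwarded-For", "203.0.113.7, 10.1.2.3")]
DUPLICATED = [("X-Forwarded-For", "203.0.113.7"),
              ("X-Forwarded-For", "10.1.2.3")]
```

Both sample requests carry the same two addresses, yet only the joined view sets the allow flag for the duplicated form.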