httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jignesh Badani <jbad...@mmsa.com>
Subject Re: [users@httpd] Is this possible ?
Date Thu, 24 Aug 2006 05:07:26 GMT
Thanks Joshua for the Rewrite syntax, Wow, I didn't know you could achieve 
what I want using Rewrite. I seriously need to give mod_rewrite some more 
thorough study.

BTW, this logic is just to prevent casual script kiddies to get to a 
certain login page. If the conditions below hold, then only they will see 
the login page.

Just for my knowledge sake, I understand cookies can be faked, 
X-Forwarded-For (as long as they know the Restricted IP) can be forced 
into a header or through a dummy proxy. But that is the reason I have a 
condition that X-Forwarded-For (could be a list of IPs seperated by ',') 
should begin with that IP range. We have these new F5 in between before 
the request gets to the web server and the remote address we see is of the 
F5s and not the actual user. Hence I have to use X-Forwarded-For. In that 
case, how can they get by ? Please I would like to know that.

We are still trying to figure out a way so that F5s would retain the 
original IP and not act like a Proxy. The Radwares it replaced did not do 
that.

regards
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - 
Jignesh Badani





"Joshua Slive" <jslive@gmail.com> 
08/23/2006 07:06 PM

To
"Jignesh Badani" <jbadani@mmsa.com>
cc

Subject
Re: [users@httpd] Is this possible ?






On 8/23/06, Jignesh Badani <jbadani@mmsa.com> wrote:
> Awesome, just trying to understand the syntax of the last SetEnvIf:
>
> SetEnvIf let_10161_in ^0$ !let_xuser_in
>
> --> If the env variable let_10161_in is "0" - meaning the request is not
> from 10.161, unset (make it 0?) the let_xuser_in env variable ?

Basically, yes.  Although "unset" and "set to 0" are not the same thing.

>
> And mod_rewrite for this, how ?

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-For} !^10\.161 [or]
RewriteCond %{HTTP:Cookie} !XSESSION
RewriteRule .* - [F]

By the way, you should be aware that both X-Forwarded-For and Cookie
can be faked by the browser, so they don't provide real security.  In
particular, if the request already has an X-Forwarded-For header when
it passes through the proxy, the new IP address will be folded into
it.  You can detect this situation by testing X-Forwarded-For for a
comma, which is the separator used for multiple IP addresses.

Joshua.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message