httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tom Evans <tevans...@googlemail.com>
Subject Re: [users@httpd] Use Allow from IP when there is a proxy exist?
Date Fri, 08 Aug 2014 13:20:50 GMT
On Fri, Aug 8, 2014 at 9:23 AM, Igor Cicimov <icicimov@gmail.com> wrote:
>
>> Your .htaccess file:
>> # ALLOW USER BY IP
>> order deny,allow
>> deny from all
>> SetEnvIF X-Forwarded-For "1.2.3.4" AllowIP
>> SetEnvIF X-Forwarded-For "5.6.7.8" AllowIP
>> Allow from env=AllowIP
>> allow from 1.2.3.4
>> allow from 5.6.7.8source:
>> http://frustratedtech.com/post/42641261089/htaccess-file-to-block-ips-coming-from-varnish
>>
> Looks sane to me although don't see the need for the last 2 allow since they
> are already included by the previous "Allow from env=AllowIP". You can also
> use regexp like:
>
> SetEnvIF X-Forwarded-For "1.2.3.4|5.6.7.8|7.8.9.[2-5]|3.4.5.[69]" AllowIP
>

Looks insane to me. If squid is setting X-Forwarded-For and you trust
squid, use mod_remoteip or mod_rpaf2 so that apache knows the real
client address and will use it in authentication and logging.

Using string matching, or even worse, regexp matching on
X-Forwarded-For is a mistake as it is error prone - you must specify
your authentication as a string or regexp, not as it's native type -
and worse it is potentially malicious as squid does not scrub
X-Forwarded-For, it appends to it, making your simple string match
easily exploitable.

mod_remoteip and mod_rpaf both know about X-Forwarded-For, they allow
you to specify which hosts you trust to add X-Forwarded-For, and they
interpret the X-Forwarded-For correctly as an IP address, allowing you
to specify your configuration in it's natural form.

Cheers

Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message