From: Tom Evans
To: users@httpd.apache.org
Date: Fri, 8 Aug 2014 14:20:50 +0100
Subject: Re: [users@httpd] Use Allow from IP when there is a proxy exist?

On Fri, Aug 8, 2014 at 9:23 AM, Igor Cicimov wrote:
>
>> Your .htaccess file:
>> # ALLOW USER BY IP
>> order deny,allow
>> deny from all
>> SetEnvIF X-Forwarded-For "1.2.3.4" AllowIP
>> SetEnvIF X-Forwarded-For "5.6.7.8" AllowIP
>> Allow from env=AllowIP
>> allow from 1.2.3.4
>> allow from 5.6.7.8
>>
>> source:
>> http://frustratedtech.com/post/42641261089/htaccess-file-to-block-ips-coming-from-varnish
>>
> Looks sane to me although don't see the need for the last 2 allow since they
> are already included by the previous "Allow from env=AllowIP". You can also
> use regexp like:
>
> SetEnvIF X-Forwarded-For "1.2.3.4|5.6.7.8|7.8.9.[2-5]|3.4.5.[69]" AllowIP
>

Looks insane to me. If squid is setting X-Forwarded-For and you trust squid, use mod_remoteip or mod_rpaf2 so that apache knows the real client address and will use it in authentication and logging.

Using string matching, or even worse, regexp matching on X-Forwarded-For is a mistake as it is error prone - you must specify your authentication as a string or regexp, not as its native type - and worse it is potentially malicious as squid does not scrub X-Forwarded-For, it appends to it, making your simple string match easily exploitable.

mod_remoteip and mod_rpaf both know about X-Forwarded-For, they allow you to specify which hosts you trust to add X-Forwarded-For, and they interpret the X-Forwarded-For correctly as an IP address, allowing you to specify your configuration in its natural form.
Cheers

Tom
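To make the two points above concrete, here is an added example (mine, not Tom's and not httpd's code): a Python model of the SetEnvIf string match placed beside a trusted-proxy walk of X-Forwarded-For in the style of mod_remoteip. The proxy address 10.0.0.5, the client address 9.9.9.9 and the header values are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed values for the demonstration (not from the thread).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]   # the squid box
ALLOWED_CLIENTS = [ipaddress.ip_network("1.2.3.4/32"),
                   ipaddress.ip_network("5.6.7.8/32")]


def naive_allow(xff: str) -> bool:
    """The .htaccess approach: a SetEnvIf-style regexp against the raw header.
    The header is treated as text, so appended hops and unescaped dots both
    produce matches the author never intended."""
    return re.search(r"1.2.3.4|5.6.7.8", xff) is not None


def resolve_client(remote_addr: str, xff: str) -> ipaddress.IPv4Address:
    """mod_remoteip-style resolution: start from the TCP peer and walk
    X-Forwarded-For right to left, stepping past an address only while the
    current one belongs to a trusted proxy. If the peer itself is not a
    trusted proxy the header is never consulted at all."""
    client = ipaddress.ip_address(remote_addr)
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    while hops and any(client in net for net in TRUSTED_PROXIES):
        try:
            client = ipaddress.ip_address(hops.pop())
        except ValueError:
            # Not an IP address: stop walking and keep the last good address.
            break
    return client


def remoteip_allow(remote_addr: str, xff: str) -> bool:
    """Authorisation in its natural form: compare the resolved client
    address against a list of networks, not a list of strings."""
    client = resolve_client(remote_addr, xff)
    return any(client in net for net in ALLOWED_CLIENTS)


if __name__ == "__main__":
    # A client at 9.9.9.9 sent its own X-Forwarded-For; squid appended to it.
    appended = "1.2.3.4, 9.9.9.9"
    print("naive   :", naive_allow(appended))              # True
    print("remoteip:", remoteip_allow("10.0.0.5", appended))  # False
```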