On Fri, Oct 09, 2015 at 01:36:57PM +0300, Jarno Huuskonen wrote:
> Hi,
>
> On Fri, Oct 09, Sébastien LECOMTE wrote:
> [...]
> > acl allowed_clients hdr_sub(X-Real-IP) 10.10.200.0/24
> > 213.200.107.128/25 213.254.248.96/27 62.72.112.128/28 84.199.92.128/26
> > 91.237.72.4
> [...]
> > http-request allow if private_domain allowed_clients
> > http-request deny if private_domain !allowed_clients
> > http-request allow if public_domain
>
> AFAIK hdr_sub(X-Real-IP) returns a string (for example 10.10.200.66)
> and you're comparing it to string 10.10.200.0/24 ?

Ah, excellent catch, I didn't notice either and was about to try to
reproduce the issue!

> Maybe req.hdr_ip would work better ?

Definitely it should. An alternate solution for other situations where
there is no "_ip" equivalent is to force the match to apply on IP
addresses using "-m ip". Example:

  acl allowed_clients hdr(X-Real-IP) -m ip 10.10.200.0/24 213.200.107.128/25 213.254.248.96/27 62.72.112.128/28 84.199.92.128/26 91.237.72.4

This results in converting the input sample from its current type (here
string) to an IP address and then performing an IP address match against
the IP networks provided as patterns.

Regards,
Willy
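Added example (editor's, not code from the thread or from HAProxy): a small Python model of the two matcher semantics being discussed, using the ACL patterns from Sébastien's acl line as constructed input. `match_hdr_sub` reproduces what `hdr_sub(X-Real-IP)` does (substring match on the raw string, so a CIDR pattern never matches a bare address, and a bare-address pattern over-matches on longer strings), while `match_hdr_ip` reproduces what `hdr(X-Real-IP) -m ip` or `req.hdr_ip` does (convert, then network membership). The `PRIVATE_HOSTS`/`PUBLIC_HOSTS` sets and the `decide()` helper are assumptions standing in for the `private_domain`/`public_domain` ACLs, whose definitions are not shown in the thread. One caveat that the thread does not discuss: X-Real-IP is an ordinary request header, so this ACL only restricts anything if the proxy that sets it is the only thing that can reach HAProxy; a client that can reach HAProxy directly can put an allowed address in the header itself.

```python
import ipaddress

# Constructed input: the ACL patterns from the acl line in the thread.
ALLOWED_PATTERNS = [
    "10.10.200.0/24",
    "213.200.107.128/25",
    "213.254.248.96/27",
    "62.72.112.128/28",
    "84.199.92.128/26",
    "91.237.72.4",
]


def match_hdr_sub(header_value, patterns):
    """Model of `hdr_sub(X-Real-IP) <patterns>`: hdr_sub is hdr() with the
    substring matcher, so the header stays a string and each pattern must
    occur literally inside it. "10.10.200.0/24" can never be a substring of
    "10.10.200.66", and "91.237.72.4" is a substring of "91.237.72.45"."""
    return any(p in header_value for p in patterns)


def match_hdr_ip(header_value, patterns):
    """Model of `hdr(X-Real-IP) -m ip <patterns>` (or req.hdr_ip): the string
    is converted to an IP address and tested for membership in each pattern
    network; a bare address pattern is a single-host network. A value that is
    not a valid address matches nothing. (Multi-value headers and IPv4-mapped
    IPv6 handling in real HAProxy are not modelled here.)"""
    try:
        addr = ipaddress.ip_address(header_value.strip())
    except ValueError:
        return False
    for p in patterns:
        net = ipaddress.ip_network(p, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


# Assumed hostnames standing in for the thread's private_domain and
# public_domain ACLs, whose definitions the thread does not show.
PRIVATE_HOSTS = {"intranet.example.com"}
PUBLIC_HOSTS = {"www.example.com"}


def decide(host, x_real_ip, matcher=match_hdr_ip, patterns=ALLOWED_PATTERNS):
    """Evaluate the thread's three http-request rules in order and return
    "allow", "deny", or "no-rule" (no rule fired, processing continues)."""
    private = host in PRIVATE_HOSTS
    public = host in PUBLIC_HOSTS
    allowed = matcher(x_real_ip, patterns)
    if private and allowed:
        return "allow"
    if private and not allowed:
        return "deny"
    if public:
        return "allow"
    return "no-rule"


if __name__ == "__main__":
    for value in ["10.10.200.66", "91.237.72.4", "91.237.72.45", "not-an-ip"]:
        print(f"{value:14} hdr_sub={match_hdr_sub(value, ALLOWED_PATTERNS)!s:5} "
              f"-m ip={match_hdr_ip(value, ALLOWED_PATTERNS)}")
```

Running it shows the two failure modes of the original acl side by side: with `hdr_sub`, 10.10.200.66 (inside the /24) is denied on the private domain, while 91.237.72.45 (outside every listed range) is allowed because the bare-address pattern matches as a substring. With `-m ip` both cases come out the intended way.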