Thanks Joshua for the Rewrite syntax, Wow, I didn't know you could achieve
what I want using Rewrite. I seriously need to give mod_rewrite some more
thorough study.
BTW, this logic is just to prevent casual script kiddies to get to a
certain login page. If the conditions below hold, then only they will see
the login page.
Just for my knowledge sake, I understand cookies can be faked,
X-Forwarded-For (as long as they know the Restricted IP) can be forced
into a header or through a dummy proxy. But that is the reason I have a
condition that X-Forwarded-For (could be a list of IPs seperated by ',')
should begin with that IP range. We have these new F5 in between before
the request gets to the web server and the remote address we see is of the
F5s and not the actual user. Hence I have to use X-Forwarded-For. In that
case, how can they get by ? Please I would like to know that.
We are still trying to figure out a way so that F5s would retain the
original IP and not act like a Proxy. The Radwares it replaced did not do
that.
regards
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- -
Jignesh Badani
"Joshua Slive" <[EMAIL PROTECTED]>
08/23/2006 07:06 PM
To
"Jignesh Badani" <[EMAIL PROTECTED]>
cc
Subject
Re: [EMAIL PROTECTED] Is this possible ?
On 8/23/06, Jignesh Badani <[EMAIL PROTECTED]> wrote:
> Awesome, just trying to understand the syntax of the last SetEnvIf:
>
> SetEnvIf let_10161_in ^0$ !let_xuser_in
>
> --> If the env variable let_10161_in is "0" - meaning the request is not
> from 10.161, unset (make it 0?) the let_xuser_in env variable ?
Basically, yes. Although "unset" and "set to 0" are not the same thing.
>
> And mod_rewrite for this, how ?
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-For} !^10\.161 [or]
RewriteCond %{HTTP:Cookie} !XSESSION
RewriteRule .* - [F]
By the way, you should be aware that both X-Forwarded-For and Cookie
can be faked by the browser, so they don't provide real security. In
particular, if the request already has an X-Forwarded-For header when
it passes through the proxy, the new IP address will be folded into
it. You can detect this situation by testing X-Forwarded-For for a
comma, which is the separator used for multiple IP addresses.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
