On Fri, Aug 8, 2014 at 9:23 AM, Igor Cicimov <icici...@gmail.com> wrote: > >> Your .htaccess file: >> # ALLOW USER BY IP >> order deny,allow >> deny from all >> SetEnvIF X-Forwarded-For "1.2.3.4" AllowIP >> SetEnvIF X-Forwarded-For "5.6.7.8" AllowIP >> Allow from env=AllowIP >> allow from 1.2.3.4 >> allow from 5.6.7.8source: >> http://frustratedtech.com/post/42641261089/htaccess-file-to-block-ips-coming-from-varnish >> > Looks sane to me although don't see the need for the last 2 allow since they > are already included by the previous "Allow from env=AllowIP". You can also > use regexp like: > > SetEnvIF X-Forwarded-For "1.2.3.4|5.6.7.8|7.8.9.[2-5]|3.4.5.[69]" AllowIP >
Looks insane to me. If squid is setting X-Forwarded-For and you trust squid, use mod_remoteip or mod_rpaf2 so that apache knows the real client address and will use it in authentication and logging. Using string matching, or even worse, regexp matching on X-Forwarded-For is a mistake as it is error prone - you must specify your authentication as a string or regexp, not as it's native type - and worse it is potentially malicious as squid does not scrub X-Forwarded-For, it appends to it, making your simple string match easily exploitable. mod_remoteip and mod_rpaf both know about X-Forwarded-For, they allow you to specify which hosts you trust to add X-Forwarded-For, and they interpret the X-Forwarded-For correctly as an IP address, allowing you to specify your configuration in it's natural form. Cheers Tom --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
