On 08/08/2014 11:21 PM, "Tom Evans" <[email protected]> wrote:
>
> On Fri, Aug 8, 2014 at 9:23 AM, Igor Cicimov <[email protected]> wrote:
> >
> >> Your .htaccess file:
> >> # ALLOW USER BY IP
> >> order deny,allow
> >> deny from all
> >> SetEnvIF X-Forwarded-For "1.2.3.4" AllowIP
> >> SetEnvIF X-Forwarded-For "5.6.7.8" AllowIP
> >> Allow from env=AllowIP
> >> allow from 1.2.3.4
> >> allow from 5.6.7.8
> >> source:
> >> http://frustratedtech.com/post/42641261089/htaccess-file-to-block-ips-coming-from-varnish
> >>
> > Looks sane to me although don't see the need for the last 2 allow since they
> > are already included by the previous "Allow from env=AllowIP". You can also
> > use regexp like:
> >
> > SetEnvIF X-Forwarded-For "1.2.3.4|5.6.7.8|7.8.9.[2-5]|3.4.5.[69]" AllowIP
> >
>
> Looks insane to me. If squid is setting X-Forwarded-For and you trust
> squid, use mod_remoteip or mod_rpaf2 so that apache knows the real
> client address and will use it in authentication and logging.
>
> Using string matching, or even worse, regexp matching on
> X-Forwarded-For is a mistake as it is error prone - you must specify
> your authentication as a string or regexp, not as its native type -
> and worse it is potentially malicious as squid does not scrub
> X-Forwarded-For, it appends to it, making your simple string match
> easily exploitable.
>

Not if you use "forward-for truncate"

> mod_remoteip and mod_rpaf both know about X-Forwarded-For, they allow
> you to specify which hosts you trust to add X-Forwarded-For, and they
> interpret the X-Forwarded-For correctly as an IP address, allowing you
> to specify your configuration in its natural form.
>
> Cheers
>
> Tom
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
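The following is an added worked example, not part of the thread and not code from Tom, Igor or the original poster. It models three things the mails argue about: what the `SetEnvIF X-Forwarded-For "1.2.3.4|5.6.7.8"` regex actually decides (an unanchored regex search over the raw header, dots unescaped), how Squid's default append behaviour versus `forwarded_for truncate` changes the header Apache sees, and how a mod_remoteip-style resolver that trusts only named proxy hosts and reads the chain from the right reaches a different answer. The proxy range 10.0.0.0/8, the Squid address 10.0.0.5, and the client addresses 198.51.100.77 and 21.2.3.48 are constructed for the example; the Squid and mod_remoteip behaviour is a simplified model of those components, not their code.

```python
"""Regex-matching X-Forwarded-For in .htaccess versus resolving the client
address from a trusted proxy chain.

Added example; not from the mailing-list thread. All addresses and header
values below are constructed.
"""
import ipaddress
import re

# The pattern from the .htaccess in the thread. SetEnvIf performs an
# unanchored regex search, and the dots are unescaped, so besides 1.2.3.4
# it also matches any header containing e.g. "21.2.3.48" or "1x2y3z4".
SETENVIF_PATTERN = re.compile(r"1.2.3.4|5.6.7.8")
ALLOWED = {"1.2.3.4", "5.6.7.8"}

# Assumption for this example: the Squid box lives in 10.0.0.0/8. This is
# the equivalent of telling mod_remoteip which hosts may set the header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def squid_forwarded_for(mode, client_ip, incoming_xff):
    """Model the outbound X-Forwarded-For for Squid's forwarded_for directive.

    'on' (the default) appends the connecting client to whatever the client
    already sent; 'truncate' discards the client-supplied chain and sends
    only the connecting client's address.
    """
    if mode == "on":
        return f"{incoming_xff}, {client_ip}" if incoming_xff else client_ip
    if mode == "truncate":
        return client_ip
    raise ValueError(f"unsupported forwarded_for mode: {mode}")


def htaccess_allows(xff):
    """What `SetEnvIF X-Forwarded-For "1.2.3.4|5.6.7.8" AllowIP` decides."""
    return SETENVIF_PATTERN.search(xff) is not None


def remoteip_client(remote_addr, xff):
    """Resolve the client the way mod_remoteip does in principle.

    The header is only believed when the TCP peer is a trusted proxy, and
    the chain is consumed from the right until the first address that is
    not itself a trusted proxy. A malformed entry stops the walk.
    """
    client = ipaddress.ip_address(remote_addr)
    hops = [h.strip() for h in xff.split(",")] if xff else []
    while hops and any(client in net for net in TRUSTED_PROXIES):
        try:
            client = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # garbage in the chain: believe nothing further left
    return str(client)


def remoteip_allows(remote_addr, xff):
    """IP allow-list evaluated on the resolved client, not on a string."""
    return remoteip_client(remote_addr, xff) in ALLOWED


def run_scenarios():
    """Return {name: (htaccess_regex_decision, remoteip_decision)}."""
    squid = "10.0.0.5"
    results = {}
    # 1. Allow-listed client, sends no header of its own.
    xff = squid_forwarded_for("on", "1.2.3.4", None)
    results["legit"] = (htaccess_allows(xff), remoteip_allows(squid, xff))
    # 2. Attacker forges the header; default Squid appends, so the forged
    #    value survives and the regex still finds it.
    xff = squid_forwarded_for("on", "198.51.100.77", "1.2.3.4")
    results["spoof_append"] = (htaccess_allows(xff), remoteip_allows(squid, xff))
    # 3. Same attacker, Squid configured with `forwarded_for truncate`.
    xff = squid_forwarded_for("truncate", "198.51.100.77", "1.2.3.4")
    results["spoof_truncate"] = (htaccess_allows(xff), remoteip_allows(squid, xff))
    # 4. Unrelated host whose address contains "1.2.3.4" as a substring.
    xff = squid_forwarded_for("on", "21.2.3.48", None)
    results["substring"] = (htaccess_allows(xff), remoteip_allows(squid, xff))
    # 5. Request that reaches Apache without going through Squid at all.
    results["direct"] = (htaccess_allows("1.2.3.4"),
                         remoteip_allows("198.51.100.77", "1.2.3.4"))
    return results


if __name__ == "__main__":
    for name, (regex_ok, remoteip_ok) in run_scenarios().items():
        print(f"{name:15s} SetEnvIf-regex={regex_ok!s:5s} remoteip={remoteip_ok}")
```

Only the first scenario should be admitted; the regex approach admits four of the five, and `forwarded_for truncate` closes the append case but not the substring or direct-connection cases, which is why resolving the address first and matching on it as an address is the more robust shape.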
