On Wed, Feb 22, 2017 at 5:10 PM, Yann Ylavic <ylavic....@gmail.com> wrote:
> On Wed, Feb 22, 2017 at 3:19 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
> > On Wed, Feb 22, 2017 at 3:36 PM, Yann Ylavic <ylavic....@gmail.com>
> > wrote:
> >>
> >> My bad, please try without the parentheses:
> >>
> >> Require expr "'IP Address:' . %{REMOTE_ADDR} -in
> >> PeerExtList('2.5.29.17')
> >
> > Did that too, Apache starts but the expression always returns false :-(
> >
> > And I can't find a way to debug it, to see what PeerExtList('2.5.29.17')
> > returns for my client certificate.
>
> My proposed patch (to be applied to 2.4.25) and:
>   Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
> does it.
>

I've managed to apply your patch and rebuild Apache and now I have:

Header set Client-IP "expr=%{REMOTE_ADDR}"
Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
Header set Client-DN "expr=%{SSL_CLIENT_S_DN}"

Header set matched false
<If "%{REMOTE_ADDR} -in PeerExtList('2.5.29.17')">
    Header set matched true
</If>

results:

Client-IP: 159.107.78.119
Client-SAN: email:<email1>, email:<email2>, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:159.107.78.119, IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44
Client-DN: CN=client-with-subjectAltName-with-IPs-4
matched: false

And with:

<Location />
    Require expr "'IP Address:'.%{REMOTE_ADDR} -in PeerExtList('2.5.29.17')"
</Location>

I still get a 403 Forbidden :-(

AH01626: authorization result of Require expr "'IP Address:'.%{REMOTE_ADDR} -in PeerExtList('2.5.29.17')": denied

What is wrong with it?