httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tom Evans <>
Subject Re: [users@httpd] Use Allow from IP when there is a proxy exist?
Date Fri, 08 Aug 2014 13:20:50 GMT
On Fri, Aug 8, 2014 at 9:23 AM, Igor Cicimov <> wrote:
>> Your .htaccess file:
>> order deny,allow
>> deny from all
>> SetEnvIF X-Forwarded-For "" AllowIP
>> SetEnvIF X-Forwarded-For "" AllowIP
>> Allow from env=AllowIP
>> allow from
>> allow from
> Looks sane to me although don't see the need for the last 2 allow since they
> are already included by the previous "Allow from env=AllowIP". You can also
> use regexp like:
> SetEnvIF X-Forwarded-For "||7.8.9.[2-5]|3.4.5.[69]" AllowIP

Looks insane to me. If squid is setting X-Forwarded-For and you trust
squid, use mod_remoteip or mod_rpaf2 so that apache knows the real
client address and will use it in authentication and logging.

Using string matching, or even worse, regexp matching on
X-Forwarded-For is a mistake as it is error prone - you must specify
your authentication as a string or regexp, not as it's native type -
and worse it is potentially malicious as squid does not scrub
X-Forwarded-For, it appends to it, making your simple string match
easily exploitable.

mod_remoteip and mod_rpaf both know about X-Forwarded-For, they allow
you to specify which hosts you trust to add X-Forwarded-For, and they
interpret the X-Forwarded-For correctly as an IP address, allowing you
to specify your configuration in it's natural form.



To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message