Posted to users@httpd.apache.org by Ivan Belmonte <iv...@es.servidores.com> on 2005/01/27 16:18:56 UTC

[users@httpd] Allowing real ip address

Hi there all,

I'm new to this list. I need to prevent all IPs except our local office one from accessing some websites.
I'm doing it with the following syntax:


  <Directory /some/path>
    Order Deny,Allow
    Allow from 111.222.333.444,555.666.777.888
    Deny from all
  </Directory>

The problem is that 111.222.333.444 and 555.666.777.888 are Proxy Cache addresses, and there are lots of users browsing the internet through them.
I need to block the REAL ip addresses. Is there any way to "Deny client real IP"?

Lots of thanks in advance.

----

 Iván Belmonte
 Systems Director
 
 Servidores.com
 Tel: +34 902 999 652  Ext. 121
 Fax: +34 932 268 472
 ibelmonte@servidores.com - http://www.servidores.com
 Servidores.com is a service of Hostbin S.L.U


----



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Allowing real ip address

Posted by Ivan Belmonte <iv...@es.servidores.com>.
Joshua,

It's working right now. Man, you're leet ;-)

Thousands of thanks to all of you!
 
----

 Ivan Belmonte
 Systems Director

 Servidores.com
 Tel: +34 902 999 652  Ext. 122
 Fax: +34 932 268 472
 ibelmonte@servidores.com - http://www.servidores.com
 Servidores.com is a service of Hostbin S.L.U

----



On Thu, 27 Jan 2005 13:18:01 -0500
Joshua Slive <js...@gmail.com> wrote:

> On Thu, 27 Jan 2005 18:40:15 +0100, Ivan Belmonte
> <iv...@es.servidores.com> wrote:
> > I've just written a PHP script that shows me the whole header.
> > 
> > HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR variables have the real ip value.
> > REMOTE_HOST and REMOTE_ADDR variables have the proxy ip value.
> > 
> > Yes, I can see the real IP in the header fields, but I'm trying to make it appear in the logs, like this:
> > 
> >   LogFormat "%{HTTP_CLIENT_IP}i %h %l %u %t \"%r\" %>s %b" common
> > 
> > But it shows no address. Changing the first "i" to an "a" shows the proxy IP (which is okay, as http://httpd.apache.org/docs/mod/mod_log_config.html shows).
> > So I think that Apache is not really reading my variables.
> > 
> > How can I show those variables in my "common" logs, and how can I trap the value with SetEnvIf?
> 
> The HTTP_ part is an indication that the variable comes from an HTTP
> request header; it is not part of the header itself.  In addition,
> "-"s are converted into "_" when naming env variables.  So the real
> HTTP header looks like "Client-IP" and you can use just %{CLIENT-IP}i
> for the logs.
> 
> The same goes for SetEnvIf, so you should be able to use
> SetEnvIf Client-IP ^123\.456\.789\.123$ goodip
> Order Deny,Allow
> Deny from all
> Allow from env=goodip
> 
> Joshua.
> 


Re: [users@httpd] Allowing real ip address

Posted by Joshua Slive <js...@gmail.com>.
On Thu, 27 Jan 2005 18:40:15 +0100, Ivan Belmonte
<iv...@es.servidores.com> wrote:
> I've just written a PHP script that shows me the whole header.
> 
> HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR variables have the real ip value.
> REMOTE_HOST and REMOTE_ADDR variables have the proxy ip value.
> 
> Yes, I can see the real IP in the header fields, but I'm trying to make it appear in the logs, like this:
> 
>   LogFormat "%{HTTP_CLIENT_IP}i %h %l %u %t \"%r\" %>s %b" common
> 
> But it shows no address. Changing the first "i" to an "a" shows the proxy IP (which is okay, as http://httpd.apache.org/docs/mod/mod_log_config.html shows).
> So I think that Apache is not really reading my variables.
> 
> How can I show those variables in my "common" logs, and how can I trap the value with SetEnvIf?

The HTTP_ part is an indication that the variable comes from an HTTP
request header; it is not part of the header itself.  In addition,
"-"s are converted into "_" when naming env variables.  So the real
HTTP header looks like "Client-IP" and you can use just %{CLIENT-IP}i
for the logs.

The same goes for SetEnvIf, so you should be able to use

  SetEnvIf Client-IP ^123\.456\.789\.123$ goodip
  Order Deny,Allow
  Deny from all
  Allow from env=goodip

Joshua.
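
An added example, not part of the original thread: the header match from the reply above combined with a check on the connecting address, since the Client-IP header is only meaningful when the request really arrived through the proxy. It assumes Apache 2.4 authorization syntax (`Require`, `<RequireAll>`), and all addresses are constructed placeholders.

```apache
# Constructed placeholder addresses (RFC 5737 documentation ranges):
#   198.51.100.7, 198.51.100.8  the two proxy caches (the TCP peers Apache sees)
#   192.0.2.10                  the office client as reported by the proxy
# Assumes Apache 2.4+ with mod_setenvif, mod_authz_core and mod_authz_host.

# Log both the address the proxy reports and the address that connected,
# so a mismatch between the claimed client and the peer is visible afterwards.
LogFormat "%{Client-IP}i %h %l %u %t \"%r\" %>s %b" common

<Directory /some/path>
    # Header match as in the thread. On its own this trusts request data:
    # the Client-IP header is supplied by whoever opened the connection.
    SetEnvIf Client-IP "^192\.0\.2\.10$" goodip

    # Hardened rule: the header counts only when the connection itself
    # comes from one of the known proxies. Both conditions must hold.
    <RequireAll>
        Require ip 198.51.100.7 198.51.100.8
        Require env goodip
    </RequireAll>
</Directory>
```

The rule still depends on the proxy overwriting any Client-IP header sent by its own clients rather than passing it through.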



Re: [users@httpd] Allowing real ip address

Posted by Ivan Belmonte <iv...@es.servidores.com>.
I've just written a PHP script that shows me the whole header.


HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR variables have the real ip value.
REMOTE_HOST and REMOTE_ADDR variables have the proxy ip value.

Yes, I can see the real IP in the header fields, but I'm trying to make it appear in the logs, like this:

  LogFormat "%{HTTP_CLIENT_IP}i %h %l %u %t \"%r\" %>s %b" common

But it shows no address. Changing the first "i" to an "a" shows the proxy IP (which is okay, as http://httpd.apache.org/docs/mod/mod_log_config.html shows).
So I think that Apache is not really reading my variables.

How can I show those variables in my "common" logs, and how can I trap the value with SetEnvIf?



Thanks for your time and attention

----

 Iván Belmonte
 Systems Director
 
 Servidores.com
 Tel: +34 902 999 652  Ext. 121
 Fax: +34 932 268 472
 ibelmonte@servidores.com - http://www.servidores.com
 Servidores.com is a service of Hostbin S.L.U


----








On Thu, 27 Jan 2005 10:23:41 -0500
Joshua Slive <js...@gmail.com> wrote:

> On Thu, 27 Jan 2005 16:18:56 +0100, Ivan Belmonte
> <iv...@es.servidores.com> wrote:
> > Hi there all,
> > 
> > I'm new to this list. I need to prevent all IPs except our local office one from accessing some websites.
> > I'm doing it with the following syntax:
> > 
> >   <Directory /some/path>
> >     Order Deny,Allow
> >     Allow from 111.222.333.444,555.666.777.888
> 
> You should have a space in place of the comma.
> 
> >     Deny from all
> >   </Directory>
> > 
> > The problem is that 111.222.333.444 and 555.666.777.888 are Proxy Cache addresses, and there are lots of users browsing the internet through them.
> > I need to block the REAL ip addresses. Is there any way to "Deny client real IP"?
> 
> No, not in general.  In fact, there is no way for you to know the IP
> address of the originating client, unless the proxy chooses to tell
> you.  Take a look at the headers being sent by the proxy and see if it
> is sending the "Via" or "X-Forwarded-For" header with the original IP
> address.  If so, you can use SetEnvIf+Allow or mod_rewrite to block
> based on that header.
> 
> Joshua.
> 


Re: [users@httpd] Allowing real ip address

Posted by Joshua Slive <js...@gmail.com>.
On Thu, 27 Jan 2005 16:18:56 +0100, Ivan Belmonte
<iv...@es.servidores.com> wrote:
> Hi there all,
> 
> I'm new to this list. I need to prevent all IPs except our local office one from accessing some websites.
> I'm doing it with the following syntax:
> 
>   <Directory /some/path>
>     Order Deny,Allow
>     Allow from 111.222.333.444,555.666.777.888

You should have a space in place of the comma.

>     Deny from all
>   </Directory>
> 
> The problem is that 111.222.333.444 and 555.666.777.888 are Proxy Cache addresses, and there are lots of users browsing the internet through them.
> I need to block the REAL ip addresses. Is there any way to "Deny client real IP"?

No, not in general.  In fact, there is no way for you to know the IP
address of the originating client, unless the proxy chooses to tell
you.  Take a look at the headers being sent by the proxy and see if it
is sending the "Via" or "X-Forwarded-For" header with the original IP
address.  If so, you can use SetEnvIf+Allow or mod_rewrite to block
based on that header.

Joshua.



Re: [users@httpd] Allowing real ip address

Posted by Joshua Slive <js...@gmail.com>.
On Thu, 27 Jan 2005 10:20:59 -0500, Jeremy Hilton <je...@adtcs.com> wrote:
> On 1/27/05 10:18 AM, "Ivan Belmonte" <iv...@es.servidores.com>
> wrote:
> >   Order Deny,Allow
> >   Allow from 111.222.333.444,555.666.777.888
> >   Deny from all

> First you have your rules reversed.
> 
> You have allowed two addresses, then denied all, effectively overriding your
> previous allow rule.
> 
> You first should deny then allow

No, that doesn't matter.  The order of processing is determined by the
Order directive, not by the order in the config file.

Joshua.



Re: [users@httpd] Allowing real ip address

Posted by Jeremy Hilton <je...@adtcs.com>.
On 1/27/05 10:20 AM, "Jeremy Hilton" <je...@adtcs.com> wrote:

> On 1/27/05 10:18 AM, "Ivan Belmonte" <iv...@es.servidores.com>
> wrote:
> 
>> Hi there all,
>> 
>> I'm new to this list. I need to prevent all IPs except our local office one
>> from accessing some websites.
>> I'm doing it with the following syntax:
>> 
>> 
>> <Directory /some/path>
>>   Order Deny,Allow
>>   Allow from 111.222.333.444,555.666.777.888
>>   Deny from all
>> </Directory>
>> 
>> The problem is that 111.222.333.444 and 555.666.777.888 are Proxy Cache
>> addresses, and there are lots of users browsing the internet through them.
>> I need to block the REAL ip addresses. Is there any way to "Deny client real
>> IP"?
>> 
>> Lots of thanks in advance.
>> 
> 
> First you have your rules reversed.
> 
> You have allowed two addresses, then denied all, effectively overriding your
> previous allow rule.
> 
> You first should deny then allow
> 
> Order Allow, Deny
> Deny from all
> Allow from 111.222.333.444,555.666.777.888
> 
> Jeremy
> 
> 

Whooops! The message was read and written in haste. I stand corrected, your
rules were correct.

Jeremy




Re: [users@httpd] Allowing real ip address

Posted by Jeremy Hilton <je...@adtcs.com>.
On 1/27/05 10:18 AM, "Ivan Belmonte" <iv...@es.servidores.com>
wrote:

> Hi there all,
> 
> I'm new to this list. I need to prevent all IPs except our local office one
> from accessing some websites.
> I'm doing it with the following syntax:
> 
> 
> <Directory /some/path>
>   Order Deny,Allow
>   Allow from 111.222.333.444,555.666.777.888
>   Deny from all
> </Directory>
> 
> The problem is that 111.222.333.444 and 555.666.777.888 are Proxy Cache
> addresses, and there are lots of users browsing the internet through them.
> I need to block the REAL ip addresses. Is there any way to "Deny client real
> IP"?
> 
> Lots of thanks in advance.
> 

First you have your rules reversed.

You have allowed two addresses, then denied all, effectively overriding your
previous allow rule.

You first should deny then allow

Order Allow, Deny
Deny from all
Allow from 111.222.333.444,555.666.777.888

Jeremy

