You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Jignesh Badani <jb...@mmsa.com> on 2006/08/24 02:04:17 UTC

[users@httpd] Is this possible ?

Hello all, let me try again. 

I have the following restriction in place:

SetEnvIf X-FORWARDED-FOR ^10.161 let_10161_in
SetEnvIf COOKIE ^XSESSION let_xuser_in

<Location />
Order Deny,Allow
Deny from all
Allow from env=let_10161_in
Allow from env=let_xuser_in
</Location>

It basically means users whose X-FORWARDED-FOR contains 10.161 gets in. 
Also it allows users who have a Cookie "XSESSION" gets in.

Now, how do I combine them such that only users with both the conditions 
set can get in or otherwise Deny access.

Meaning, a user has to come from 10.161 and also needs to have a XSESSION 
cookie set inorder to get access. 

Can I form such an expression in SetEnvIf ? If so how ?

Thank you
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Jignesh Badani



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Is this possible ?

Posted by Joshua Slive <jo...@slive.ca>.

On 8/23/06, Jignesh Badani <jb...@mmsa.com> wrote:
> Awesome, just trying to understand the syntax of the last SetEnvIf:
>
> SetEnvIf let_10161_in ^0$ !let_xuser_in
>
> --> If the env variable let_10161_in is "0" - meaning the request is not
> from 10.161, unset (make it 0?) the let_xuser_in env variable ?

Basically, yes.  Although "unset" and "set to 0" are not the same thing.

>
> And mod_rewrite for this, how ?

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-For} !^10\.161 [or]
RewriteCond %{HTTP:Cookie} !XSESSION
RewriteRule .* - [F]

By the way, you should be aware that both X-Forwarded-For and Cookie
can be faked by the browser, so they don't provide real security.  In
particular, if the request already has an X-Forwarded-For header when
it passes through the proxy, the new IP address will be folded into
it.  You can detect this situation by testing X-Forwarded-For for a
comma, which is the separator used for multiple IP addresses.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Is this possible ?

Posted by Jignesh Badani <jb...@mmsa.com>.

Awesome, just trying to understand the syntax of the last SetEnvIf:

SetEnvIf let_10161_in ^0$ !let_xuser_in

--> If the env variable let_10161_in is "0" - meaning the request is not 
from 10.161, unset (make it 0?) the let_xuser_in env variable ? 

And mod_rewrite for this, how ?

Thanks
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - 
Jignesh Badani





"Joshua Slive" <jo...@slive.ca> 
Sent by: jslive@gmail.com
08/23/2006 05:10 PM
Please respond to
users@httpd.apache.org


To
users@httpd.apache.org
cc

Subject
Re: [users@httpd] Is this possible ?






On 8/23/06, Jignesh Badani <jb...@mmsa.com> wrote:
> Hello all, let me try again.
>
> I have the following restriction in place:
>
> SetEnvIf X-FORWARDED-FOR ^10.161 let_10161_in
> SetEnvIf COOKIE ^XSESSION let_xuser_in
>
> <Location />
> Order Deny,Allow
> Deny from all
> Allow from env=let_10161_in
> Allow from env=let_xuser_in
> </Location>
>
> It basically means users whose X-FORWARDED-FOR contains 10.161 gets in.
> Also it allows users who have a Cookie "XSESSION" gets in.
>
> Now, how do I combine them such that only users with both the conditions
> set can get in or otherwise Deny access.
>
> Meaning, a user has to come from 10.161 and also needs to have a 
XSESSION
> cookie set inorder to get access.
>
> Can I form such an expression in SetEnvIf ? If so how ?

# This next line always matches
SetEnvIf Remote_Addr . let_10161=0
SetEnvIf X-FORWARDED-FOR ^10.161 let_10161_in=1
SetEnvIf COOKIE ^XSESSION let_xuser_in
SetEnvIf let_10161_in ^0$ !let_xuser_in

Allow from env=let_xuser_in

You can write it in a less obtuse way if you use mod_rewrite.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Is this possible ?

Posted by Joshua Slive <jo...@slive.ca>.

On 8/23/06, Jignesh Badani <jb...@mmsa.com> wrote:
> Hello all, let me try again.
>
> I have the following restriction in place:
>
> SetEnvIf X-FORWARDED-FOR ^10.161 let_10161_in
> SetEnvIf COOKIE ^XSESSION let_xuser_in
>
> <Location />
> Order Deny,Allow
> Deny from all
> Allow from env=let_10161_in
> Allow from env=let_xuser_in
> </Location>
>
> It basically means users whose X-FORWARDED-FOR contains 10.161 gets in.
> Also it allows users who have a Cookie "XSESSION" gets in.
>
> Now, how do I combine them such that only users with both the conditions
> set can get in or otherwise Deny access.
>
> Meaning, a user has to come from 10.161 and also needs to have a XSESSION
> cookie set inorder to get access.
>
> Can I form such an expression in SetEnvIf ? If so how ?

# This next line always matches
SetEnvIf Remote_Addr . let_10161=0
SetEnvIf X-FORWARDED-FOR ^10.161 let_10161_in=1
SetEnvIf COOKIE ^XSESSION let_xuser_in
SetEnvIf let_10161_in ^0$ !let_xuser_in

Allow from env=let_xuser_in

You can write it in a less obtuse way if you use mod_rewrite.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org