Posted to users@httpd.apache.org by Mark jensen <ng...@hotmail.com> on 2014/08/07 23:19:10 UTC

[users@httpd] Use Allow from IP when there is a proxy exist?

We know that we can allow some IPs without authentication using Allow from IP:

<Directory /var/www/html/template>
      # Hosts listed here get in without authenticating (Satisfy any)
      Order allow,deny
      Allow from 192.168.1.5
      Satisfy any

      # Everyone else must authenticate against LDAP
      AuthName "LDAP Authentication"
      AuthType Basic
      AuthBasicProvider ldap
      AuthzLDAPauthoritative off
      AuthLDAPURL ldap://192.168.1.3/dc=example,dc=com?uid?sub?(objectClass=*)
      # A Require directive is needed; without it no authentication is
      # triggered and "Satisfy any" has nothing to combine with the Allow rule
      Require valid-user
</Directory>

But what if we use a proxy (squid) in front? Then the source IP will be the proxy IP. How can I make Apache deal with the client IP and not the proxy IP?

Re: [users@httpd] Use Allow from IP when there is a proxy exist?

Posted by Igor Cicimov <ic...@gmail.com>.
On 08/08/2014 11:21 PM, "Tom Evans" <te...@googlemail.com> wrote:
>
> On Fri, Aug 8, 2014 at 9:23 AM, Igor Cicimov <ic...@gmail.com> wrote:
> >
> >> Your .htaccess file:
> >> # ALLOW USER BY IP
> >> order deny,allow
> >> deny from all
> >> SetEnvIF X-Forwarded-For "1.2.3.4" AllowIP
> >> SetEnvIF X-Forwarded-For "5.6.7.8" AllowIP
> >> Allow from env=AllowIP
> >> allow from 1.2.3.4
> >> allow from 5.6.7.8
> >> source:
> >> http://frustratedtech.com/post/42641261089/htaccess-file-to-block-ips-coming-from-varnish
> >>
> > Looks sane to me although don't see the need for the last 2 allow since they
> > are already included by the previous "Allow from env=AllowIP". You can also
> > use regexp like:
> >
> > SetEnvIF X-Forwarded-For "1.2.3.4|5.6.7.8|7.8.9.[2-5]|3.4.5.[69]" AllowIP
> >
>
> Looks insane to me. If squid is setting X-Forwarded-For and you trust
> squid, use mod_remoteip or mod_rpaf2 so that apache knows the real
> client address and will use it in authentication and logging.
>
> Using string matching, or even worse, regexp matching on
> X-Forwarded-For is a mistake as it is error prone - you must specify
> your authentication as a string or regexp, not as its native type -
> and worse it is potentially malicious as squid does not scrub
> X-Forwarded-For, it appends to it, making your simple string match
> easily exploitable.
>

Not if you use "forward-for truncate"

> mod_remoteip and mod_rpaf both know about X-Forwarded-For, they allow
> you to specify which hosts you trust to add X-Forwarded-For, and they
> interpret the X-Forwarded-For correctly as an IP address, allowing you
> to specify your configuration in its natural form.
>
> Cheers
>
> Tom
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

Re: [users@httpd] Use Allow from IP when there is a proxy exist?

Posted by Tom Evans <te...@googlemail.com>.
On Fri, Aug 8, 2014 at 9:23 AM, Igor Cicimov <ic...@gmail.com> wrote:
>
>> Your .htaccess file:
>> # ALLOW USER BY IP
>> order deny,allow
>> deny from all
>> SetEnvIF X-Forwarded-For "1.2.3.4" AllowIP
>> SetEnvIF X-Forwarded-For "5.6.7.8" AllowIP
>> Allow from env=AllowIP
>> allow from 1.2.3.4
>> allow from 5.6.7.8
>> source:
>> http://frustratedtech.com/post/42641261089/htaccess-file-to-block-ips-coming-from-varnish
>>
> Looks sane to me although don't see the need for the last 2 allow since they
> are already included by the previous "Allow from env=AllowIP". You can also
> use regexp like:
>
> SetEnvIF X-Forwarded-For "1.2.3.4|5.6.7.8|7.8.9.[2-5]|3.4.5.[69]" AllowIP
>

Looks insane to me. If squid is setting X-Forwarded-For and you trust
squid, use mod_remoteip or mod_rpaf2 so that apache knows the real
client address and will use it in authentication and logging.

Using string matching, or even worse, regexp matching on
X-Forwarded-For is a mistake as it is error prone - you must specify
your authentication as a string or regexp, not as its native type -
and worse it is potentially malicious as squid does not scrub
X-Forwarded-For, it appends to it, making your simple string match
easily exploitable.

mod_remoteip and mod_rpaf both know about X-Forwarded-For, they allow
you to specify which hosts you trust to add X-Forwarded-For, and they
interpret the X-Forwarded-For correctly as an IP address, allowing you
to specify your configuration in its natural form.

Cheers

Tom

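Added example, not from the thread and not httpd code: a small Python model of the two approaches Tom contrasts. `setenvif_allows` mimics `SetEnvIf X-Forwarded-For <regex> AllowIP` as a substring regex over the raw header, while `remoteip_client` resolves the client the way mod_remoteip does, walking X-Forwarded-For right to left and discarding trusted proxies; the topology (squid at 10.0.0.2, a second internal proxy at 10.0.0.3, outside client 203.0.113.9) and the headers are constructed.

```python
import ipaddress
import re

# Constructed sample topology: squid (trusted) at 10.0.0.2, a second internal
# proxy at 10.0.0.3, and an outside client at 203.0.113.9.
SQUID_ADDR = "10.0.0.2"
CLIENT_ADDR = "203.0.113.9"
TRUSTED_PROXIES = {ipaddress.ip_address(SQUID_ADDR), ipaddress.ip_address("10.0.0.3")}
ALLOWED = {ipaddress.ip_address("1.2.3.4"), ipaddress.ip_address("5.6.7.8")}
# Constructed header: the client sent "X-Forwarded-For: 1.2.3.4" itself, and
# squid appended the real peer address instead of scrubbing the header.
FORGED_XFF = "1.2.3.4, 203.0.113.9"

# Same pattern as in the thread; the dots are unescaped regex metacharacters.
SETENVIF_PATTERN = re.compile(r"1.2.3.4|5.6.7.8")


def setenvif_allows(xff: str) -> bool:
    """Mimic 'SetEnvIf X-Forwarded-For <regex> AllowIP' + 'Allow from env=AllowIP':
    a substring regex search over the raw header, with no notion of which hop
    wrote which part of it."""
    return bool(SETENVIF_PATTERN.search(xff))


def remoteip_client(remote_addr: str, xff: str, trusted):
    """Resolve the client the way mod_remoteip does: start at the TCP peer and
    walk X-Forwarded-For right to left, discarding hops that are trusted proxies.
    The first untrusted hop is the client. If the peer itself is not a trusted
    proxy, the header is ignored entirely."""
    client = ipaddress.ip_address(remote_addr)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    while client in trusted and hops:
        try:
            client = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # malformed hop: stop walking rather than guess
    return client


def remoteip_allows(remote_addr: str, xff: str) -> bool:
    """'Allow from 1.2.3.4' evaluated against the resolved client address."""
    return remoteip_client(remote_addr, xff, TRUSTED_PROXIES) in ALLOWED


if __name__ == "__main__":
    print("SetEnvIf on forged header:", setenvif_allows(FORGED_XFF))        # True (wrong)
    print("mod_remoteip client:", remoteip_client(SQUID_ADDR, FORGED_XFF, TRUSTED_PROXIES))
    print("mod_remoteip on forged header:", remoteip_allows(SQUID_ADDR, FORGED_XFF))  # False
```

In httpd the right-to-left walk is what `RemoteIPHeader X-Forwarded-For` together with `RemoteIPInternalProxy` or `RemoteIPTrustedProxy` entries for the squid address do, so that `Allow from` or `Require ip` sees the resolved client address rather than the proxy.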


RE: [users@httpd] Use Allow from IP when there is a proxy exist?

Posted by Igor Cicimov <ic...@gmail.com>.
> Your .htaccess file:
> # ALLOW USER BY IP
> order deny,allow
> deny from all
> SetEnvIF X-Forwarded-For "1.2.3.4" AllowIP
> SetEnvIF X-Forwarded-For "5.6.7.8" AllowIP
> Allow from env=AllowIP
> allow from 1.2.3.4
> allow from 5.6.7.8
> source:
> http://frustratedtech.com/post/42641261089/htaccess-file-to-block-ips-coming-from-varnish
>
Looks sane to me although don't see the need for the last 2 allow since
they are already included by the previous "Allow from env=AllowIP". You can
also use regexp like:

SetEnvIF X-Forwarded-For "1.2.3.4|5.6.7.8|7.8.9.[2-5]|3.4.5.[69]" AllowIP

just as example.

RE: [users@httpd] Use Allow from IP when there is a proxy exist?

Posted by Mark jensen <ng...@hotmail.com>.
I have found something like this; is it right to use it:

Your .htaccess file:
# ALLOW USER BY IP
order deny,allow
deny from all
SetEnvIF X-Forwarded-For "1.2.3.4" AllowIP
SetEnvIF X-Forwarded-For "5.6.7.8" AllowIP
Allow from env=AllowIP
allow from 1.2.3.4
allow from 5.6.7.8
source: http://frustratedtech.com/post/42641261089/htaccess-file-to-block-ips-coming-from-varnish

Re: [users@httpd] Use Allow from IP when there is a proxy exist?

Posted by Igor Cicimov <ic...@gmail.com>.
> But what if we use proxy (squid) in front, then the source IP will be the
> proxy IP, How can I make Apache to deal with the client IP not the proxy IP?
>
You mean tell squid to send the source IP to apache? Check the squid
documentation on how to do that, or set the proxy-for header. What can apache do
about something it doesn't know about?

Re: [users@httpd] Use Allow from IP when there is a proxy exist?

Posted by Pete Houston <ph...@openstrike.co.uk>.
On Thu, Aug 07, 2014 at 09:19:10PM +0000, Mark jensen wrote:
> How can I make Apache to deal with the client IP not the proxy IP?

Use mod_remoteip.

Pete
-- 
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107