I am certain I'm missing something important about the <If> directive and the 
-ipmatch operator when used in conjunction with %{HTTP:X-Forwarded-For}.
Please permit me to illustrate the problem by way of example:
<If "%{HTTP:X-Forwarded-For} -ipmatch '10.0.0.0/8'">
    LogMessage "Got IP match [%{HTTP:X-Forwarded-For}]"
</If>
<Else>
    LogMessage "No IP match [%{HTTP:X-Forwarded-For}]"
</Else>
produces the following log output:
[Wed Sep 04 17:57:03.611095 2019] [log_debug:info] [pid 11134] [client 10.128.10.9:53515] No IP match [10.128.10.9]
Clearly X-Forwarded-For has the value '10.128.10.9', which is certainly within 
the 10.0.0.0/8 CIDR.
So I say to myself "Well, maybe -ipmatch doesn't really like a CIDR, despite 
what the documentation appears to say".
<If "%{HTTP:X-Forwarded-For} -ipmatch '10.128.10.9'">
    LogMessage "Got explicit IP match [%{HTTP:X-Forwarded-For}]"
</If>
<Else>
    LogMessage "No explicit IP match [%{HTTP:X-Forwarded-For}]"
</Else>
This produces the log message:
[Wed Sep 04 17:57:03.611108 2019] [log_debug:info] [pid 11134] [client 10.128.10.9:53515] No explicit IP match [10.128.10.9]
So with X-Forwarded-For clearly containing the value 10.128.10.9, I cannot 
match 10.0.0.0/8 or 10.128.10.9 with -ipmatch.
Maybe -ipmatch doesn't work?
<If "'10.128.10.9' -ipmatch '10.0.0.0/8'">
    LogMessage "Got dummy IP match"
</If>
<Else>
    LogMessage "Failed dummy IP match"
</Else>
produces the following log message:
[Wed Sep 04 17:57:03.611112 2019] [log_debug:info] [pid 11134] [client 10.128.10.9:53515] Got dummy IP match

So it appears there's something pathological about %{HTTP:X-Forwarded-For}, but 
I can't help but observe that it prints as I expect it to in the LogMessage 
output.
Here's another example:
<If "%{HTTP:X-Forwarded-For} == '10.128.10.9' ">
  LogMessage "Got string IP match [%{HTTP:X-Forwarded-For}]"
</If>
<Else>
  LogMessage "Got no string IP match %{HTTP:X-Forwarded-For}"
</Else>
yields
[Wed Sep 04 17:57:03.611117 2019] [log_debug:info] [pid 11134] [client 10.128.10.9:53515] Got no string IP match 10.128.10.9
I'm convinced there's something subtle I'm overlooking, and would be very 
grateful for any suggestions.
Would some kind soul come to my rescue?
Thanks!

