Apache 2.4 RewriteCond中的expr / ipmatch用于除了%{REMOTE_ADDR}之外的变量。

huangapple go评论72阅读模式
英文:

Apache 2.4 RewriteCond with expr / ipmatch on variable other than %{REMOTE_ADDR}

问题

I can provide a translation of the text you've provided. Here it is:

我有一个位于CDN后面的网络服务器。客户端IP被作为HTTP标头传递。

我可以使用以下方式来阻止客户端IP地址:

RewriteCond %{HTTP:CloudFront-Viewer-Address} ^123\.45\.67\.89(.*)$
RewriteRule ^(.*)$ - [F,L]

我相信 (.*)$ 是必需的,以匹配可能包含在 %{HTTP:CloudFront-Viewer-Address} 中的端口。在访问日志中,我看到端口(例如 127.0.0.1:1234)出现在 %{HTTP:CloudFront-Viewer-Address} 之后,但在重写日志中没有。在重写日志中,端口附加到 %{HTTP:CloudFront-Viewer-Address} 之前的CloudFront和负载均衡器地址,但不是 %{HTTP:CloudFront-Viewer-Address} 本身。

一个CGI程序打印出类似以下内容:

HTTP_CLOUDFRONT_VIEWER_ADDRESS --> 0000:0000:0000:0000:0000:0000:0000:0001:52325
HTTP_CLOUDFRONT_VIEWER_ADDRESS --> 127.0.0.1:45629

当我访问时。

我想使用类似这样的方式:

RewriteCond expr "%{REMOTE_ADDR} -ipmatch '123.45.67.0/24'"
RewriteRule ^(.*)$ - [F,L]

来阻止一系列的IP地址,如此处所示:https://perishablepress.com/apache-redirect-range-ip-addresses/

但它不起作用。

我尝试过:

RewriteCond expr "%{HTTP:CloudFront-Viewer-Address} -ipmatch '123.45.67.0/24'"
RewriteRule ^(.*)$ - [F,L]

我不确定是因为 %{REMOTE_ADDR} 是唯一的ipmatch可以工作的变量,还是因为我的变量中可能包含的端口,或者其他原因。

假设是端口的问题,并且ipmatch可以作用于 %{HTTP:CloudFront-Viewer-Address},那么是否去掉 %{HTTP:CloudFront-Viewer-Address} 中的端口能让它起作用呢?

我尝试使用这里的建议:https://www.reddit.com/r/apache/comments/11bxlxi/cidr_matching_rewrite_with_expr_ipmatch_remove/ 但无法使其工作。

感谢任何建议!
1: https://perishablepress.com/apache-redirect-range-ip-addresses/
2: https://www.reddit.com/r/apache/comments/11bxlxi/cidr_matching_rewrite_with_expr_ipmatch_remove/

英文:

I have a web server behind a CDN. The client IP is passed as an HTTP header.

I can use the following to block a client IP address:

RewriteCond %{HTTP:CloudFront-Viewer-Address} ^123\.45\.67\.89(.*)$
RewriteRule ^(.*)$ - [F,L]

I believe the (.*)$ is required to match the port that may be included in %{HTTP:CloudFront-Viewer-Address}. I see the port (e.g. 127.0.0.1:1234) after %{HTTP:CloudFront-Viewer-Address} in access logs but not in rewrite logs. In rewrite logs, the port is appended to the CloudFront and load balancer addresses that precede the %{HTTP:CloudFront-Viewer-Address} but not the %{HTTP:CloudFront-Viewer-Address} itself.

A CGI program prints something like:

HTTP_CLOUDFRONT_VIEWER_ADDRESS --> 0000:0000:0000:0000:0000:0000:0000:0001:52325
HTTP_CLOUDFRONT_VIEWER_ADDRESS --> 127.0.0.1:45629

when I visit.

I'd like to use something like this:

RewriteCond expr "%{REMOTE_ADDR} -ipmatch '123.45.67.0/24'"
RewriteRule ^(.*)$ - [F,L]

to block a range of IPs, as seen here: https://perishablepress.com/apache-redirect-range-ip-addresses/

but it doesn't work.

I tried:

RewriteCond expr "%{HTTP:CloudFront-Viewer-Address} -ipmatch '123.45.67.0/24'"
RewriteRule ^(.*)$ - [F,L]

I'm not sure if it's because %{REMOTE_ADDR} is the only variable ipmatch can work on; or the port that may be included in my variable; or some other reason.

Assuming it's the port, and ipmatch can act on %{HTTP:CloudFront-Viewer-Address}, might removing the port from %{HTTP:CloudFront-Viewer-Address} allow this to work?

I tried to do it using suggestions here: https://www.reddit.com/r/apache/comments/11bxlxi/cidr_matching_rewrite_with_expr_ipmatch_remove/ but couldn't get it working.

Thanks for any suggestions!

答案1

得分: 2

将我建议的模式是在前面使用SetEnvIf进行操作,并将结果存储在环境变量中。

SetEnvIf CloudFront-Viewer-Address (.*):\d+$ cf-v-a=$1
RewriteCond expr "%{reqenv:cf-v-a} -ipmatch '123.45.67.0/24'"
RewriteRule ^(.*)$ - [F,L]
英文:

The pattern I suggest here is to manipulate it up front with SetEnvIf and leave the result in an environment variable.

SetEnvIf CloudFront-Viewer-Address (.*):\d+$ cf-v-a=$1
RewriteCond expr "%{reqenv:cf-v-a} -ipmatch '123.45.67.0/24'"
RewriteRule ^(.*)$ - [F,L]

huangapple
  • 本文由 发表于 2023年5月7日 01:02:59
  • 转载请务必保留本文链接:https://go.coder-hub.com/76190114.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定