Apache 2.4 RewriteCond with expr / ipmatch on variable other than %{REMOTE_ADDR}

Question

I have a web server behind a CDN. The client IP is passed as an HTTP header.

I can use the following to block a client IP address:

RewriteCond %{HTTP:CloudFront-Viewer-Address} ^123\.45\.67\.89(.*)$
RewriteRule ^(.*)$ - [F,L]

I believe the (.*)$ is required to match the port that may be included in %{HTTP:CloudFront-Viewer-Address}. I see the port (e.g. 127.0.0.1:1234) after %{HTTP:CloudFront-Viewer-Address} in access logs but not in rewrite logs. In rewrite logs, the port is appended to the CloudFront and load balancer addresses that precede the %{HTTP:CloudFront-Viewer-Address} but not the %{HTTP:CloudFront-Viewer-Address} itself.

A CGI program prints something like:

HTTP_CLOUDFRONT_VIEWER_ADDRESS --> 0000:0000:0000:0000:0000:0000:0000:0001:52325
HTTP_CLOUDFRONT_VIEWER_ADDRESS --> 127.0.0.1:45629

when I visit.

I'd like to use something like this:

RewriteCond expr "%{REMOTE_ADDR} -ipmatch '123.45.67.0/24'"
RewriteRule ^(.*)$ - [F,L]

to block a range of IPs, as seen here: https://perishablepress.com/apache-redirect-range-ip-addresses/

but it doesn't work.

I tried:

RewriteCond expr "%{HTTP:CloudFront-Viewer-Address} -ipmatch '123.45.67.0/24'"
RewriteRule ^(.*)$ - [F,L]

I'm not sure if it's because %{REMOTE_ADDR} is the only variable ipmatch can work on; or the port that may be included in my variable; or some other reason.

Assuming it's the port, and ipmatch can act on %{HTTP:CloudFront-Viewer-Address}, might removing the port from %{HTTP:CloudFront-Viewer-Address} allow this to work?

I tried to do it using suggestions here: https://www.reddit.com/r/apache/comments/11bxlxi/cidr_matching_rewrite_with_expr_ipmatch_remove/ but couldn't get it working.

Thanks for any suggestions!

Answer 1

Score: 2

The pattern I suggest here is to manipulate it up front with SetEnvIf and leave the result in an environment variable.

SetEnvIf CloudFront-Viewer-Address (.*):\d+$ cf-v-a=$1
RewriteCond expr "%{reqenv:cf-v-a} -ipmatch '123.45.67.0/24'"
RewriteRule ^(.*)$ - [F,L]
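
The port-stripping step from the answer can be checked offline before deploying the rule. The following is an added example, not part of the original answer: it applies the same pattern as the SetEnvIf line to constructed header values shaped like the CGI output in the question, then tests the result against the blocked range. The function names `viewer_ip` and `is_blocked` are hypothetical, and an unset variable is assumed to count as no match.

```python
import ipaddress
import re

# Same pattern as the SetEnvIf line in the answer: greedy capture up to the final ":<port>".
STRIP_PORT = re.compile(r"(.*):\d+$")


def viewer_ip(header_value):
    """Return the address part of a CloudFront-Viewer-Address value, or None.

    Mirrors SetEnvIf: if the pattern does not match, the variable is never set.
    """
    m = STRIP_PORT.search(header_value.strip())
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None  # captured text is not an IP literal


def is_blocked(header_value, cidrs):
    """True if the viewer address falls in any blocked network."""
    ip = viewer_ip(header_value)
    if ip is None:
        return False  # assumption: an unset variable is treated as no match
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


BLOCKED = ["123.45.67.0/24"]  # range from the question

# Constructed sample header values, shaped like the CGI output in the question.
SAMPLES = [
    "123.45.67.89:45629",                              # inside the range
    "123.45.68.1:45629",                               # outside the range
    "0000:0000:0000:0000:0000:0000:0000:0001:52325",   # IPv6 with port
    "123.45.67.89",                                    # no port: pattern does not match
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:55} ip={viewer_ip(value)} blocked={is_blocked(value, BLOCKED)}")
```

The last sample shows that a header value without a port never matches the pattern, so no address is extracted and the range check cannot fire. Because any client that can reach the origin directly can send its own CloudFront-Viewer-Address header, a header-based block only holds when the origin accepts traffic from the CDN alone.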
