As you all know, we use the ‘X-Forwarded-For’ header to determine the client IP when httpd is behind an ELB (or another proxy/load balancer).
However, it is hard to keep one IP ACL in the Apache configuration that works both with and without an LB in front, because the address the ACL has to test lives in a different Apache variable in each case (Remote_Addr when the client connects directly, X-Forwarded-For behind the LB).
So I have been running some services with the following settings:
    <IfModule mod_setenvif.c>
        SetEnvIf Server_Addr "(.+)" z_local_addr=$1
        SetEnvIf Remote_Addr "^([0-9\.]+)" z_remote_addr=$1
        SetEnvIf X-Forwarded-For "^([0-9\.]+)" z_remote_addr=$1
        SetEnvIfNoCase Request_Protocol "^([a-z]+)" z_service_proto=$1
        SetEnvIfNoCase X-Forwarded-Proto "^([a-z]+)" z_service_proto=$1
        SetEnvIf z_remote_addr "^127\.0\.0\.1$" z_remote_trusted
        SetEnvIf z_remote_addr "^10\.1\.3\." z_remote_trusted
        SetEnvIf z_remote_addr "^192\.168\.1\." z_remote_trusted
        SetEnvIf z_remote_addr "^123\.123\.123\.254$" z_remote_trusted
    </IfModule>

    <Location />
        <RequireAny>
            Require env z_remote_trusted
            Require expr "env('z_remote_addr') -ipmatch '22.33.44.0/24'"
            Require expr "env('z_remote_addr') in { '11.22.33.44', '11.22.33.55' }"
        </RequireAny>
    </Location>

A caveat on what this does. The SetEnvIf lines for Remote_Addr and X-Forwarded-For run in order, so whenever an X-Forwarded-For header is present its first address overwrites z_remote_addr. That first address is whatever the client put there: the ELB appends the real client address to the end of the header rather than replacing it, and a client that connects directly (no LB) can send the header as well. A request carrying, for example, `X-Forwarded-For: 10.1.3.5` therefore matches the `^10\.1\.3\.` rule and sets z_remote_trusted regardless of where it really came from. To be safe, the header should only be honoured when the TCP peer is the LB itself, and the address taken from it should be the rightmost one, which is the one the LB added.
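As an added example (not the configuration from the original post), here is how I would express the same ACL with mod_remoteip, which ships with httpd 2.4. The module rewrites the connection's client address from X-Forwarded-For only when the TCP peer is one of the proxies listed in the configuration, and it consumes the header from the right, skipping listed proxy addresses, so a direct client's header is ignored and a spoofed leftmost value never becomes the client address. The allowed addresses are the ones from the SetEnvIf version; the LB address range 10.1.9.0/24, the module path and the /healthcheck path are placeholders assumed for this example.

```apache
# Added example, not the original post's config. Assumptions: the ELB reaches
# httpd from 10.1.9.0/24 (placeholder for your LB's real address range),
# mod_remoteip is built as a shared module at the path below, and the LB's
# health check hits /healthcheck. LoadModule is used unconditionally on
# purpose: if the module is missing, httpd should refuse to start rather than
# silently evaluate the ACL against the wrong address.
LoadModule remoteip_module modules/mod_remoteip.so

# Take the client address from X-Forwarded-For, but only when the TCP peer is
# a listed proxy. Addresses are consumed from the right end of the header and
# the first one that is not a listed proxy becomes the client address; a
# direct client is not a listed proxy, so any header it sends is ignored.
# InternalProxy (rather than TrustedProxy) keeps private client addresses
# such as 192.168.1.x, which the ACL below relies on.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1
RemoteIPInternalProxy 10.1.9.0/24

# One IP ACL for both deployments: the address checked is the real peer for
# direct clients and the ELB-appended address for forwarded ones. The LB's
# own range is deliberately not listed here; admitting it site-wide would let
# every forwarded request through if the address rewrite ever stopped.
<Location />
    <RequireAny>
        Require ip 127.0.0.1
        Require ip 10.1.3.0/24
        Require ip 192.168.1.0/24
        Require ip 123.123.123.254
        Require ip 22.33.44.0/24
        Require ip 11.22.33.44 11.22.33.55
    </RequireAny>
</Location>

# Requests the LB originates itself (health checks) may carry no
# X-Forwarded-For and then keep the LB's own peer address; admit that only on
# the health check path.
<Location /healthcheck>
    Require ip 10.1.9.0/24
</Location>

# Log both addresses so the mapping can be verified: %a is the client address
# as rewritten by mod_remoteip, %{c}a is the underlying TCP peer.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b \"%{X-Forwarded-For}i\"" remoteip
CustomLog logs/access_log remoteip
```

After `apachectl -t`, send one request through the LB with a forged `X-Forwarded-For` and one to the instance directly: in both cases the first column of the log should show the real client, not the forged value. The X-Forwarded-Proto part of the SetEnvIf block is unaffected by this and can stay as it is.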
If you see “syntax error, unexpected $end”, just remove the quotes around the expressions. This is a bug in Apache httpd.

    <Location />
        <RequireAny>
            Require env z_remote_trusted
            Require expr env('z_remote_addr') -ipmatch '22.33.44.0/24'
            Require expr env('z_remote_addr') in { '11.22.33.44', '11.22.33.55' }
        </RequireAny>
    </Location>