As you all know, we use the ‘X-Forwarded-For’ header to determine the IP of client when the HTTPD is behind the ELB (or other Proxy/LB).

However it is very difficult to set the IP-ACL in Apache configuration files common to the cases with and without LB. (due to the Apache environment variables)

So I have been operating under this settings for some services.

<IfModule mod_setenvif.c>
	SetEnvIf Server_Addr "(.+)"								z_local_addr=$1
	SetEnvIf Remote_Addr "^([0-9\.]+)"						z_remote_addr=$1
	SetEnvIf X-Forwarded-For "^([0-9\.]+)"					z_remote_addr=$1
	SetEnvIfNoCase Request_Protocol "^([a-z]+)"				z_service_proto=$1
	SetEnvIfNoCase X-Forwarded-Proto "^([a-z]+)"				z_service_proto=$1
	SetEnvIf z_remote_addr "^127\.0\.0\.1$"					z_remote_trusted
	SetEnvIf z_remote_addr "^10\.1\.3\."						z_remote_trusted
	SetEnvIf z_remote_addr "^192\.168\.1\."					z_remote_trusted
	SetEnvIf z_remote_addr "^123\.123\.123\.254$"			z_remote_trusted
</IfModule>

<Location />
	<RequireAny>
		Require env z_remote_trusted
		Require expr "env('z_remote_addr') -ipmatch '22.33.44.0/24'"
		Require expr "env('z_remote_addr') in { '11.22.33.44', '11.22.33.55' }"
	</RequireAny>
</Location>

If you see “syntax error, unexpected $end”, just remove queotes of expressions. This is a bug of apache httpd.

<Location />
	<RequireAny>
		Require env z_remote_trusted
		Require expr env('z_remote_addr') -ipmatch '22.33.44.0/24'
		Require expr env('z_remote_addr') in { '11.22.33.44', '11.22.33.55' }
	</RequireAny>
</Location>