How can I use X-Forwarded-For headers (my proxy IP is 10.1.1.x) to allow HTTP queries?
3 Answers
24
You can use SetEnvIf and Allow:
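```apache
# Apache 2.2 access-control syntax (Order/Allow/Satisfy)
<Location "/only_proxy/">
    # Set proxy_env when the X-Forwarded-For value starts with 10.1.1.
    SetEnvIf X-Forwarded-For ^10\.1\.1\. proxy_env
    Order allow,deny
    Satisfy Any
    # Allow the request only when proxy_env was set above
    Allow from env=proxy_env
</Location>
```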
ooshro
- Remember that it's really easy to forge X-Forwarded-For header. – Olli Feb 15 '11 at 12:52
- It's also reasonably easy to protect yourself from forged X-Forwarded-For headers (by stripping this header at entry points into your environment). – larsks Oct 02 '12 at 01:52
- Found this post while looking for information on how to protect against forged x-forwarded headers, would you mind pointing to a relevant doc? – Pete Nov 01 '12 at 17:12
4
You can write a rewrite rule to redirect to 403 response.
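```apache
RewriteEngine On
# Return 403 Forbidden unless X-Forwarded-For contains one of the listed addresses
# (dots escaped so they match a literal "." rather than any character)
RewriteCond %{HTTP:X-Forwarded-For} !(1\.1\.1\.1|2\.2\.2\.2)
RewriteRule .* - [F]
```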
Jenny D
Vicky Sridhar
2
You can use mod_rpaf to make Apache treat the X-Forwarded-For IP as the client IP.
ThatGraemeGuy
- For those who find their way here from Google: note that `mod_rpaf` is only able to make your logs useful; it does not actually affect the address used in access control decisions. Also note that in Apache 2.4, the `mod_rpaf` functionality is provided natively by [mod_remoteip](http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html). – larsks Oct 02 '12 at 01:50
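An added example (not code from any of the answers, and not mod_remoteip's implementation): a simplified Python model of why a header-only match accepts forged values, and how honouring X-Forwarded-For only when the TCP peer is a known proxy, reading it right to left, avoids that. The 10.1.1.0/24 proxy range is taken from the question; the function names and sample requests are constructed.

```python
import ipaddress

# Assumption: the reverse proxies live in 10.1.1.0/24, as in the question.
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.1.0/24")]

def is_trusted(addr):
    """True if addr parses as an IP inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)

def naive_allows(xff_header):
    """Header-only check, equivalent to matching ^10\\.1\\.1\\. on the value."""
    return xff_header.startswith("10.1.1.")

def effective_client(peer_ip, xff_header):
    """Resolve the client address from the TCP peer plus X-Forwarded-For.

    The header is consulted only when the peer itself is a trusted proxy,
    and is read right to left, stopping at the first untrusted hop.
    """
    if not is_trusted(peer_ip) or not xff_header:
        return peer_ip  # a header sent by an untrusted peer is ignored
    client = peer_ip
    for hop in reversed(xff_header.split(",")):
        hop = hop.strip()
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # unparsable entry: keep the last verified address
        client = hop
        if not is_trusted(hop):
            break  # first address our own proxies do not vouch for
    return client

# Constructed sample requests: (TCP peer, X-Forwarded-For value)
SAMPLES = [
    ("203.0.113.7", "10.1.1.5"),               # direct hit, forged header
    ("10.1.1.5", "198.51.100.20"),             # normal proxied request
    ("10.1.1.5", "10.1.1.99, 198.51.100.20"),  # client pre-seeded the header
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(peer, repr(xff), naive_allows(xff), effective_client(peer, xff))
```

Access decisions made on the value returned by `effective_client` are unaffected by anything the client writes into the header, whereas `naive_allows` passes the first and third constructed requests.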