On Tue, Jun 14, 2011 at 04:43:47PM -0700, John Fieber wrote:
> I want to create an ACL based on X-Forwarded-For:
> 
>     acl whitelist hdr_ip(X-Forwarded-For) -f whitelist.txt
>     block unless whitelist
> 
> Which is just grand, EXCEPT I'm only interested in (and trust) the last 
> address in the X-Forwarded-For header.  The above acl matches any address in 
> the header.  I've been digging for a good chunk of the day how to do that and 
> come up empty handed.  Help?

Since we have not yet reworked the ACLs to rely on the pattern subsystem,
it's still not possible to make use of "hdr_ip(X-f-f,-1)" as we do on the
"balance" or "source" keywords.

One thing you could do, despite not being very good, is to remove all
occurrences of values in the header. Basically, remove everything from
the first char to the last comma:

   reqirep ^(X-Forwarded-For:\ ).*,([^,]*) \1\2

Then your ACL could match based on what is left in this header.

Regards,
Willy
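
The rewrite suggested above, as an added example that is not part of the original message: a Python simulation of the `reqirep` regex followed by a whitelist check on what is left in the header. The function names, the whitelist range and the sample header lines are constructed for illustration.

```python
import ipaddress
import re

# Python equivalent of: reqirep ^(X-Forwarded-For:\ ).*,([^,]*) \1\2
# ("\ " is HAProxy's escaped space; the "i" in reqirep means case-insensitive).
XFF_KEEP_LAST = re.compile(r"^(X-Forwarded-For: ).*,([^,]*)", re.IGNORECASE)


def rewrite_header_line(line):
    """Apply the rewrite to one header line, as reqirep does line by line."""
    return XFF_KEEP_LAST.sub(r"\1\2", line)


def remaining_address(line):
    """Return the address left in an X-Forwarded-For line after the rewrite."""
    name, _, value = rewrite_header_line(line).partition(":")
    if name.strip().lower() != "x-forwarded-for":
        return None
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None  # empty or malformed last element: treat as no match


def allowed(line, whitelist):
    """Mimic 'block unless whitelist' using only the last listed address."""
    addr = remaining_address(line)
    return addr is not None and any(addr in net for net in whitelist)


# Constructed sample data (documentation address ranges, not from the thread).
WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]
SAMPLES = [
    "X-Forwarded-For: 192.0.2.10, 203.0.113.7",   # whitelisted value is not last
    "X-Forwarded-For: 203.0.113.7, 192.0.2.10",   # whitelisted value is last
    "x-forwarded-for: 192.0.2.10",                # no comma: line left unchanged
    "X-Forwarded-For: 192.0.2.10,",               # trailing comma: nothing left
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{rewrite_header_line(s)!r:45} allowed={allowed(s, WHITELIST)}")
```

The first sample is the case from the question: a whitelisted address appears in the header but not in last position, so it is rejected once only the last value remains.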

