Hi David,

Yes, you can. You used the modsec documentation example, I suppose, as it is; it 
explains the rule, not the directive itself:
SecRule REMOTE_ADDR "@ipMatchFromFile ips.txt" "id:163"

This is the modified rule that will match the X-Forwarded-For header:
SecRule REQUEST_HEADERS:X-Forwarded-For "@ipMatchFromFile ips.txt" "id:163"

I don't know what use you will give it, but headers, just like any other element 
of the request, are user-modifiable, so unless you are the one setting that up and 
you have established a trusted connection to the other end, don't use it for security; 
it should be good for marketing or log purposes.

Also notice that if you are chaining multiple proxies along the way, the header 
is supposed to include more than one value, like ip1,ip2,ip3.

Regards,
Manuel
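One way to put the two caveats above (the header is client-writable; behind a proxy chain it carries a list) into rule form, as an added example that is not part of the thread and not the Core Rule Set's own code. The idea: only consult X-Forwarded-For when the TCP peer is one of your own HAProxy nodes, take the address HAProxy itself appended (the last one, since a client-supplied X-Forwarded-For is left in place to the left of it when HAProxy appends), and only then run @ipMatchFromFile on that single value. @ipMatch compares one address, so the comma-separated list has to be reduced to one value first. The load-balancer addresses 10.0.0.5/10.0.0.6, the rule ids, the tx.client_ip variable name and the whitelist path are assumptions for the example.

```apache
# Added example (not from the thread, not CRS code). Assumptions: HAProxy runs on
# 10.0.0.5 and 10.0.0.6 and appends the connecting address to X-Forwarded-For
# (option forwardfor); the allow-list is /etc/modsecurity/whitelist.txt, one IP or
# CIDR per line; ids 1000100-1000102 are unused in your rule set.

# 1. Only when the TCP peer is one of our load balancers, take the LAST value of
#    X-Forwarded-For (the one HAProxy appended) and store it in tx.client_ip.
#    A client-sent "X-Forwarded-For: 1.2.3.4" ends up to the left and is ignored.
SecRule REMOTE_ADDR "@ipMatch 10.0.0.5,10.0.0.6" \
    "id:1000100,phase:1,pass,nolog,t:none,chain"
    SecRule REQUEST_HEADERS:X-Forwarded-For "@rx (?:^|,)\s*([^,\s]+)\s*$" \
        "t:none,capture,setvar:tx.client_ip=%{tx.1}"

# 2. Requests that did not arrive through a load balancer: fall back to REMOTE_ADDR,
#    so the header alone can never put an address into tx.client_ip.
SecRule &TX:CLIENT_IP "@eq 0" \
    "id:1000101,phase:1,pass,nolog,t:none,setvar:tx.client_ip=%{REMOTE_ADDR}"

# 3. Whitelist against the derived address, never against the raw header.
SecRule TX:CLIENT_IP "@ipMatchFromFile /etc/modsecurity/whitelist.txt" \
    "id:1000102,phase:1,allow,log,t:none,msg:'Whitelisted client %{tx.client_ip}'"
```

Keep the list in rule 1 in sync with the real HAProxy addresses: if a load balancer is added and not listed here, its traffic is judged by the LB address instead of the client's, which fails closed (no whitelist match) rather than open.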

From: Brian Davis (bridavis) [mailto:brida...@cisco.com]
Sent: Friday 4 March 2016 09:37
To: Leos Rivas Manuel; owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: ipMatch and X-Forwarded-For

Can I use "@ipMatchFromFile <file>" against REQUEST_HEADER:X-Forwarded-For? I 
didn't think this was possible.

From: Leos Rivas Manuel <manuel.leosri...@gemalto.com>
Date: Friday, March 4, 2016 at 12:33 AM
To: "Brian A. Davis" <brida...@cisco.com>, 
"owasp-modsecurity-core-rule-set@lists.owasp.org" 
<owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: RE: ipMatch and X-Forwarded-For

You don't need to modify the remote_address; simply use header:x-forwarded-for 
instead and deny if it matches.

From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org 
[mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of 
Brian Davis (bridavis)
Sent: Friday 4 March 2016 08:55
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] ipMatch and X-Forwarded-For

Hello,

I have ModSecurity running as a reverse proxy behind an haproxy LB. Because 
we're behind HAProxy, we're getting LB IP addresses for REMOTE_ADDR.

I have a large number of IPs that I have to whitelist, and would therefore 
really like to take advantage of the ipMatch and ipMatchFromFile functions. However, 
those can only be used on REMOTE_ADDR.

Does anyone have a creative way of taking the X-Forwarded-For value and somehow 
setting REMOTE_ADDR to that, and then using ipMatch on the result?

Thanks,
Brian

________________________________
This message and any attachments are intended solely for the addressees and may 
contain confidential information. Any unauthorized use or disclosure, either 
whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the 
message if altered, changed or falsified. If you are not the intended recipient 
of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free 
from viruses, the sender will not be liable for damages caused by a transmitted 
virus.
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set