Keep in mind you can also use the TX:REAL_IP collection. This will either contain the direct IP of the node connecting to your server, or the value of x-forwarded-for if that header is present and contains an IP address:
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/modsecurity_crs_10_setup.conf.example#L407

On Fri, Mar 4, 2016 at 7:21 AM, Leos Rivas Manuel <manuel.leosri...@gemalto.com> wrote:

> Hi David,
>
> Yes you can. You used the ModSecurity documentation example, I suppose; as it is, it explains the rule, not the directive itself:
>
>     SecRule REMOTE_ADDR "@ipMatchFromFile ips.txt" "id:163"
>
> This is the modified rule that will match the X-Forwarded-For header:
>
>     SecRule REQUEST_HEADERS:X-Forwarded-for "@ipMatchFromFile ips.txt" "id:163"
>
> I don't know what use you will give it, but headers, just like any other element of the request, are *user modifiable*, so unless you are the one setting that up and you have established a trusted connection to the other end, don't use it for security; it should be good for marketing or log purposes, though.
>
> Also notice that if you are chaining multiple proxies along the way, the header is supposed to include more than one value, like ip1,ip2,ip3.
>
> Regards,
> Manuel
>
> *From:* Brian Davis (bridavis) [mailto:brida...@cisco.com]
> *Sent:* Friday, 4 March 2016 09:37
> *To:* Leos Rivas Manuel; owasp-modsecurity-core-rule-set@lists.owasp.org
> *Subject:* Re: ipMatch and X-Forwarded-For
>
> Can I use "@ipMatchFromFile <file>" against REQUEST_HEADER:X-Forwarded-For? I didn't think this was possible.
>
> *From:* Leos Rivas Manuel <manuel.leosri...@gemalto.com>
> *Date:* Friday, March 4, 2016 at 12:33 AM
> *To:* "Brian A. Davis" <brida...@cisco.com>, "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
> *Subject:* RE: ipMatch and X-Forwarded-For
>
> You don't need to modify the remote_address, simply use header:x-forwarded-for instead and deny if it matches.
>
> *From:* owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] *On Behalf Of* Brian Davis (bridavis)
> *Sent:* Friday, 4 March 2016 08:55
> *To:* owasp-modsecurity-core-rule-set@lists.owasp.org
> *Subject:* [Owasp-modsecurity-core-rule-set] ipMatch and X-Forwarded-For
>
> Hello,
>
> I have ModSecurity running as a reverse proxy behind an HAProxy LB. Because we're behind HAProxy, we're getting LB IP addresses for REMOTE_ADDR.
>
> I have a large number of IPs that I have to whitelist, and would therefore really like to take advantage of the ipMatch and ipMatchFromFile functions. However, those can only be used on REMOTE_ADDR.
>
> Does anyone have a creative way of taking the X-Forwarded-For value and somehow setting REMOTE_ADDR to that, and then using ipMatch on the result?
>
> Thanks,
> Brian
>
> ------------------------------
>
> *This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited. E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender. Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.*
>
> ------------------------------
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

--
Ted Wells
Nexcess - Beyond Hosting
21700 Melrose Ave.
Southfield, MI 48075
Phone: +1.866.639.2377
Fax: +1.248.281.0473
http://twitter.com/nexcess
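As an added example (not code from the thread, from HAProxy or from the CRS project), this Python sketch shows the trust rule Manuel describes: X-Forwarded-For is honoured only when the connecting peer is a trusted HAProxy address, the chain is read from the right so a client-injected value is never reached, and the recovered client IP is then checked against an ipMatchFromFile-style allowlist. The proxy range and the allowlist contents are constructed sample values.

```python
import ipaddress

# Constructed sample data: the trusted HAProxy tier and an ipMatchFromFile-style allowlist.
TRUSTED_PROXIES = ["10.0.0.0/24"]
ALLOWLIST_FILE = """\
# constructed allowlist; blank lines and comments are ignored
203.0.113.0/24
198.51.100.7
"""

def parse_networks(text):
    """Parse an ipMatchFromFile-style list (one IP or CIDR per line) into ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def ip_in(candidate, nets):
    """True if candidate is a valid IP inside any network; garbage never matches."""
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        return False
    return any(ip in n for n in nets)

def real_client_ip(remote_addr, xff, trusted):
    """Recover the client address from REMOTE_ADDR plus X-Forwarded-For.
    The header counts only when REMOTE_ADDR is a trusted proxy; otherwise the
    peer is the client and the header is ignored. The chain is walked from the
    right (the rightmost value was appended by the proxy we trust) and the
    first hop that is not a trusted proxy is the client; values a client
    injected itself sit further left and are never reached.
    """
    trusted_nets = parse_networks("\n".join(trusted))
    if not ip_in(remote_addr, trusted_nets):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not ip_in(hop, trusted_nets):
            return hop
    # Every hop was a trusted proxy: the originator is the leftmost one, or the
    # proxy itself when it sent no header (e.g. an LB health check).
    return hops[0] if hops else remote_addr

def is_allowlisted(remote_addr, xff, trusted=TRUSTED_PROXIES, allowlist=ALLOWLIST_FILE):
    """Equivalent of running @ipMatchFromFile over the recovered client IP."""
    return ip_in(real_client_ip(remote_addr, xff, trusted), parse_networks(allowlist))
```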