[Solved] Can we use an or operator with $HTTP["remoteip"]??

Added by jonathanlee 15 days ago

Hello fellow lighttpd community members can you please help?

I am a full computer science major and worked in IT for 15 combined years, and hold a cyber security degree. I have some questions about correct syntax here.

What I am doing is running a proxy. Lighttpd hosts my proxy.pac, wpad.dat and wpad.dat files for autoproxy wpad. This server is so I do not have to manually configure my laptop proxy settings every day while on the road and going on and off the proxy at this location. Lighttpd fixed this issue; it has been working great for a while now.

I set the wpad lighttpd server so that it is only accessible from clients on the 192.168.1.1/27 network (see code below).

This server now works by way of ipv4 only with the adapted conf file. I recently enabled a Hurricane Electric ipv6 tunnel broker service and received my sage certification. I now have a dual stacked network. I have full ipv6 functionality. I am still working on source ipv6 addresses to get access to the wpad.

In my conf file I have added this section seen here below. Keep in mind this is from before attempted ipv6 changes. So it does work like this. Is the syntax wrong?

$HTTP["remoteip"] != "192.168.1.0/27"{
    url.access-deny = ( "" )
    }
 }
$HTTP["url"] =~ "^/wpad.dat" {
    $HTTP["remoteip"] == "192.168.1.0/27"{
    }
    else {
    url.access-deny = ( "" )
    }
 }
$HTTP["url"] =~ "^/proxy.pac" {
    $HTTP["remoteip"] == "192.168.1.0/27"{
    }
    else {
    url.access-deny = ( "" )
    }
 }
$HTTP["url"] =~ "^/wpad.da" {
    $HTTP["remoteip"] == "192.168.1.0/27"{
    }
    else {
    url.access-deny = ( "" )
    }
 }

What this does is make it so that my local network can only access the wpad files, and it does work when I tested it from a different address. Thus if you're not within my configured ipv4 CIDR block or subnet there is no access to the lighttpd autoconfig files. That is my goal moving forward with the new changes I have made also.

Moving forward I changed this section of code thinking that I could use an or operator to do so. Seen here..

$HTTP["remoteip"] == ["192.168.1.0/27"|"5001:000:0000:a::/64"] [Ed: invalid fabricated syntax]

I had this working originally with use of the above yesterday. However the lighttpd server shut down shortly after.

I am able to keep it running with the use of compartmentalized sections like this.

$HTTP["remoteip"] == "5001:000:0000:a::/64"

or the use of

$HTTP["remoteip"] == "192.168.1.0/27"

I was sent a url link that shows the correct syntax for the conf file

https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_Configuration

This is the area I am researching.

$HTTP["remoteip"] match on the remote IP address or a remote network == or != CIDR mask (works with IPv6 since 1.4.40)

However it does not state anything with relation to the use of an or operator and or dual stack network within the field name section of this configuration document. I do know Java uses || for an or operator. I noticed it shows *|* and also I see something that looks like an imp operator.

My goal here is that my locally dhcp6 managed assigned ipv6 addresses on the LAN side can also get access to the lighttpd wpad server. I am having trouble finding the solution to this. I thought I had it last night but as soon as I went to access it by way of ipv6 source address only within a Firefox browser it shut off on me and I had to go back to ipv4 only and adapt Firefox settings and normalize it again.

Can anyone please help? I can ping the ipv6 address of the server that hosts lighttpd, thus the server has both ipv6 and ipv4. I originally noticed that there was a bug introduced within a previous version of lighttpd, "bug: lighttpd 1.4.40 rejects IPv6 addrs in $HTTP["remoteip"]". I am having issues getting lighttpd $HTTP["remoteip"] directive to work with my dual stacked network by way of both ipv6 and ipv4. I just want it accessible from the hosts inside my address pools with an ipv6 source address so that they can see the proxy.pac file.

This is my proxy.pac file also in case anyone needs this.

function FindProxyForURL(url, host)
{
url = url.toLowerCase();
host = host.toLowerCase();

if (isPlainHostName(host))
{
  return 'DIRECT';
}

if (isResolvable(host))
{
var hostIP = dnsResolve(host);

if (isInNet(hostIP, '0.0.0.0', '255.0.0.0') || isInNet(hostIP, '10.0.0.0', '255.0.0.0') ||
isInNet(hostIP, '127.0.0.0', '255.0.0.0') || isInNet(hostIP, '169.254.0.0', '255.255.0.0') ||
isInNet(hostIP, '172.16.0.0', '255.240.0.0') || isInNet(hostIP, '192.168.0.0', '255.255.0.0') ||
isInNet(hostIP, '198.18.0.0', '255.254.0.0') || isInNet(hostIP, '224.0.0.0', '240.0.0.0') ||
isInNet(hostIP, '240.0.0.0', '240.0.0.0'))
{
  return 'DIRECT';
}

if (false)
{
  return 'DIRECT';
}
}

if (url.substring(0, 5) == 'http:' || url.substring(0, 6) == 'https:' ||
url.substring(0, 4) == 'ftp:' || url.substring(0, 7) == "gopher:")
{
  return 'PROXY 192.168.1.1:3128;PROXY IPV6ADDRESSHERE';
}

return 'DIRECT';
}

Replies (6)

RE: Can we use an or operator with $HTTP["remoteip"]?? - Added by jonathanlee 15 days ago

Keep in mind I will still need to update my proxy.pac to add in more isInNet also. I do know that it is a work in progress.

RE: Can we use an or operator with $HTTP["remoteip"]?? - Added by gstrauss 15 days ago

Is the syntax wrong?

Yes. You have cut-n-paste the following in many of your recent posts (and I have corrected it in some of them)

$HTTP["remoteip"] != "192.168.1.0/27"{
    url.access-deny = ( "" )
    }
 }

There is an extra } and you have been so sloppy in your testing that you think you had things "working" when that would be impossible using the syntax you posted. (Therefore, you could not have been testing what you think you have been testing.)

RE: Can we use an or operator with $HTTP["remoteip"]?? - Added by gstrauss 15 days ago

$HTTP["remoteip"] == ["192.168.1.0/27"|"5001:000:0000:a::/64"] [Ed: invalid fabricated syntax]

I had this working originally with use of the above yesterday.

No, you did not. You never did. That is invalid syntax and that syntax never worked. Your testing was sloppy.


However it does not state anything with relation to the use of an or operator and or dual stack network within the field name section of this configuration document. I do know Java uses || for an or operator. I noticed it shows *|* and also I see something that looks like an imp operator.

Docs_Configuration Overview section states:

lighttpd configuration syntax is basic and many configurations can be expressed simply in the configuration syntax.

However, the configuration syntax is not a full programming language, nor does it pretend to be. For any complex logic, it is recommended to create a script which produces lighttpd configuration syntax as output.

Please read that at least three times aloud. If Docs_Configuration does not document an or operator, then guess what? => it does not exist in lighttpd.conf syntax because the configuration syntax is not a full programming language and explicitly states that it is not a full programming language.


You can implement arbitrary logic to match the remote IP address using lighttpd mod_magnet and lua, though if you are unable to use simple logic operators, you might want to ask your professor for some extra help with basic logic.

if $HTTP["remoteip"] == "192.168.1.0/27" {
}
else if $HTTP["remoteip"] == "5001:000:0000:a::/64" {
}
else {
    url.access-deny = ( "" )
}
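
The Docs_Configuration advice quoted in the reply above, to have a script produce lighttpd configuration, as an added example that is not part of the thread or of lighttpd itself: a Python generator that validates a dual-stack allowlist and emits the if / else if / else chain in the form shown in that reply. The ALLOWED list reuses the networks posted in this thread; the function names are hypothetical.

```python
import ipaddress

# Allowlist taken from the thread: the IPv4 LAN and the tunnel-broker IPv6 /64.
ALLOWED = ["192.168.1.0/27", "2001:470:8052:a::/64"]


def parse_networks(cidrs):
    """Validate each CIDR; strict=True rejects host bits (e.g. 192.168.1.1/27)."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def render_acl(cidrs, indent=""):
    """Emit the if / else if / else chain for any number of allowed networks."""
    nets = parse_networks(cidrs)
    if not nets:
        raise ValueError("empty allowlist would deny every client")
    lines = []
    for i, net in enumerate(nets):
        keyword = "if" if i == 0 else "else if"
        lines.append(f'{indent}{keyword} $HTTP["remoteip"] == "{net}" {{')
        lines.append(f"{indent}}}")
    # Default branch: anything not matched above is denied.
    lines.append(f"{indent}else {{")
    lines.append(f'{indent}    url.access-deny = ( "" )')
    lines.append(f"{indent}}}")
    return "\n".join(lines)


def would_allow(client_ip, cidrs):
    """Offline check of what the generated chain should decide for one client."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == n.version and addr in n
               for n in parse_networks(cidrs))


if __name__ == "__main__":
    print(render_acl(ALLOWED))
```

lighttpd's include_shell directive can pull the script's output into lighttpd.conf. The strict validation rejects a CIDR with host bits set, such as 192.168.1.1/27, before it reaches the server.
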

RE: Can we use an or operator with $HTTP["remoteip"]?? - Added by gstrauss 15 days ago

Can we use an or operator with $HTTP["remoteip"]??

No. You can use the syntax documented on Docs_Configuration.

RE: [Solved] Can we use an or operator with $HTTP["remoteip"]?? - Added by jonathanlee 15 days ago

Thanks for the reply I did not know it could use simple logic within the config file. Thank you that is perfect.

RE: [Solved] Can we use an or operator with $HTTP["remoteip"]?? - Added by jonathanlee 15 days ago

I can't believe I did not see that before. What confused me a bit was that it was working just with the $HTTP lines without any if statement. So brain fog with that one; what's funny is the rest of it has clear if else logic in the config file.

Sorry just lack of brain power at the end of the day. Thank you again.
This one worked.

if $HTTP["remoteip"] == "192.168.1.0/27"{
}
else if $HTTP["remoteip"] == "2001:470:8052:a::/64"{
}
else {
url.access-deny = ( "" )
}

$HTTP["url"] =~ "^/wpad.dat" {
    if $HTTP["remoteip"] == "192.168.1.0/27"{
    }
    else if $HTTP["remoteip"] == "2001:470:8052:a::/64"{
    }
    else{
    url.access-deny = ( "" )
    }
 }

$HTTP["url"] =~ "^/proxy.pac" {
    if $HTTP["remoteip"] == "192.168.1.0/27"{
    }
    else if $HTTP["remoteip"] == "2001:470:8052:a::/64"{
    }
    else{
    url.access-deny = ( "" )
    }
 }

$HTTP["url"] =~ "^/wpad.da" {
    if $HTTP["remoteip"] == "192.168.1.0/27"{
    }
    else if $HTTP["remoteip"] == "2001:470:8052:a::/64"{
    }
    else{
    url.access-deny = ( "" )
    }
 }