Project

General

Profile

Actions

Bug #385

closed

Enabling ipv6 makes matching subnets with $HTTP["remoteip"] inoperable.

Added by Anonymous about 19 years ago. Updated almost 9 years ago.

Status:
Invalid
Priority:
Normal
Category:
core
Target version:
-
ASK QUESTIONS IN Forums:

Description

When ipv6 is enabled, clients connecting via an ipv4 address are recorded in the accesslog with a ::ffff: in front of the ipv4 address. Here is an example line from my accesslog:
::ffff:147.210.96.15 - - -0800 "GET /linux/core/4/i386/os/repodata/repomd.xml HTTP/1.1" 200 1140 "-" "urlgrabber/2.9.6"

This seems to prevent matching of remote ip's via subnet. If I do:
$HTTPremoteip "127.0.0.1/8"
I never get a match, even from addresses from within that range.

Similarly, $HTTPremoteip "::ffff:127.0.0.1/8" also doesnt work.

The exact match: $HTTPremoteip == "::ffff:127.0.0.1" does work indicating that the ipv6 mess at the front is causing the problem.

This problem seems to go away when lighttpd is bound to an interface with no ipv6 address associated with it.

-- dandy


Files

remoteip-v6 (3.66 KB) remoteip-v6 patch fo allow $HTTP[remoteip] compares to v6 and v6-mapped v4 addresses ef, 2015-11-26 11:01

Related issues 1 (0 open1 closed)

Related to Feature #2706: Matching IPv6 addresses with $HTTP["remoteip"]Fixed2016-01-19Actions
Actions #1

Updated by rm over 16 years ago

This seems to prevent matching of remote ip's via subnet.

For simple cases (i.e. /24, /16 or /8) the subnet matching can be simulated using a regexp instead:

$HTTPremoteip =~ "^(192\.168\.0\.)" {

...this will match 192.168.0.*, basically a /24 network.

Actions #2

Updated by stbuehler over 16 years ago

  • Status changed from New to Fixed
  • Resolution set to invalid

On some systems enabling ipv6 and binding to ANY means that ipv4 requests are mapped to ipv6, and there is no ipv6 subnet matching. not unexpected.

Actions #3

Updated by stbuehler about 16 years ago

  • Status changed from Fixed to Invalid
Actions #4

Updated by ef about 9 years ago

I wrote a patch that enables $HTTP[remoteip] comparisons for IPv6 addresses.
It will also compare a remote v6-mapped v4 address to a v4 address in dotted-quad notation.

Actions #5

Updated by stbuehler almost 9 years ago

  • Description updated (diff)

ef wrote:

I wrote a patch that enables $HTTP[remoteip] comparisons for IPv6 addresses.
It will also compare a remote v6-mapped v4 address to a v4 address in dotted-quad notation.

Hi, sorry it took me so long to respond. Please open a new issue for this, and I'd like to get rid of the v6-mapped v4 address matching part. Our preferred configuration is to use bindv6only, and not doing any magic (see IPv6-Config).

Actions #7

Updated by stbuehler almost 9 years ago

  • Related to Feature #2706: Matching IPv6 addresses with $HTTP["remoteip"] added
Actions

Also available in: Atom