Project

General

Profile

Actions
Copy link

Bug #385

closed

Enabling ipv6 makes matching subnets with $HTTP["remoteip"] inoperable.

Added by Anonymous over 18 years ago. Updated about 8 years ago.

Status:
Invalid
Priority:
Normal
Category:
core
Target version:
-
ASK QUESTIONS IN Forums:

Description

When ipv6 is enabled, clients connecting via an ipv4 address are recorded in the accesslog with a ::ffff: in front of the ipv4 address. Here is an example line from my accesslog:
::ffff:147.210.96.15 - - -0800 "GET /linux/core/4/i386/os/repodata/repomd.xml HTTP/1.1" 200 1140 "-" "urlgrabber/2.9.6"

This seems to prevent matching of remote ip's via subnet. If I do:
$HTTPremoteip "127.0.0.1/8"
I never get a match, even from addresses from within that range.

Similarly, $HTTPremoteip "::ffff:127.0.0.1/8" also doesnt work.

The exact match: $HTTPremoteip == "::ffff:127.0.0.1" does work indicating that the ipv6 mess at the front is causing the problem.

This problem seems to go away when lighttpd is bound to an interface with no ipv6 address associated with it.

-- dandy

Files

remoteip-v6 (3.66 KB) remoteip-v6 patch fo allow $HTTP[remoteip] compares to v6 and v6-mapped v4 addresses ef, 2015-11-26 11:01

Related issues 1 (0 open1 closed)

Related to Feature #2706: Matching IPv6 addresses with $HTTP["remoteip"]Fixed2016-01-19Actions
Actions
Copy link
 #1

Updated by rm over 15 years ago

This seems to prevent matching of remote ip's via subnet.

For simple cases (i.e. /24, /16 or /8) the subnet matching can be simulated using a regexp instead:

$HTTPremoteip =~ "^(192\.168\.0\.)" {

...this will match 192.168.0.*, basically a /24 network.

Actions
Copy link
 #2

Updated by stbuehler over 15 years ago

  • Status changed from New to Fixed
  • Resolution set to invalid

On some systems enabling ipv6 and binding to ANY means that ipv4 requests are mapped to ipv6, and there is no ipv6 subnet matching. not unexpected.

Actions
Copy link
 #3

Updated by stbuehler over 15 years ago

  • Status changed from Fixed to Invalid
Actions
Copy link
 #4

Updated by ef over 8 years ago

I wrote a patch that enables $HTTP[remoteip] comparisons for IPv6 addresses.
It will also compare a remote v6-mapped v4 address to a v4 address in dotted-quad notation.

Actions
Copy link
 #5

Updated by stbuehler over 8 years ago

  • Description updated (diff)

ef wrote:

I wrote a patch that enables $HTTP[remoteip] comparisons for IPv6 addresses.
It will also compare a remote v6-mapped v4 address to a v4 address in dotted-quad notation.

Hi, sorry it took me so long to respond. Please open a new issue for this, and I'd like to get rid of the v6-mapped v4 address matching part. Our preferred configuration is to use bindv6only, and not doing any magic (see IPv6-Config).

Actions
Copy link
 #7

Updated by stbuehler about 8 years ago

  • Related to Feature #2706: Matching IPv6 addresses with $HTTP["remoteip"] added
Actions
Copy link

Also available in: Atom