Project

General

Profile

Bug #385

closed

Enabling ipv6 makes matching subnets with $HTTP["remoteip"] inoperable.

Added by Anonymous almost 15 years ago. Updated over 4 years ago.

Status:
Invalid
Priority:
Normal
Category:
core
Target version:
-
ASK QUESTIONS IN Forums:

Description

When ipv6 is enabled, clients connecting via an ipv4 address are recorded in the accesslog with a ::ffff: in front of the ipv4 address. Here is an example line from my accesslog:
::ffff:147.210.96.15 - - -0800 "GET /linux/core/4/i386/os/repodata/repomd.xml HTTP/1.1" 200 1140 "-" "urlgrabber/2.9.6"

This seems to prevent matching of remote ip's via subnet. If I do:
$HTTPremoteip "127.0.0.1/8"
I never get a match, even from addresses from within that range.

Similarly, $HTTPremoteip "::ffff:127.0.0.1/8" also doesnt work.

The exact match: $HTTPremoteip == "::ffff:127.0.0.1" does work indicating that the ipv6 mess at the front is causing the problem.

This problem seems to go away when lighttpd is bound to an interface with no ipv6 address associated with it.

-- dandy


Files

remoteip-v6 (3.66 KB) remoteip-v6 patch fo allow $HTTP[remoteip] compares to v6 and v6-mapped v4 addresses ef, 2015-11-26 11:01

Related issues

Related to Feature #2706: Matching IPv6 addresses with $HTTP["remoteip"]Fixed2016-01-19Actions
#1

Updated by rm about 12 years ago

This seems to prevent matching of remote ip's via subnet.

For simple cases (i.e. /24, /16 or /8) the subnet matching can be simulated using a regexp instead:

$HTTPremoteip =~ "^(192\.168\.0\.)" {

...this will match 192.168.0.*, basically a /24 network.

#2

Updated by stbuehler about 12 years ago

  • Status changed from New to Fixed
  • Resolution set to invalid

On some systems enabling ipv6 and binding to ANY means that ipv4 requests are mapped to ipv6, and there is no ipv6 subnet matching. not unexpected.

#3

Updated by stbuehler almost 12 years ago

  • Status changed from Fixed to Invalid
#4

Updated by ef almost 5 years ago

I wrote a patch that enables $HTTP[remoteip] comparisons for IPv6 addresses.
It will also compare a remote v6-mapped v4 address to a v4 address in dotted-quad notation.

#5

Updated by stbuehler almost 5 years ago

  • Description updated (diff)

ef wrote:

I wrote a patch that enables $HTTP[remoteip] comparisons for IPv6 addresses.
It will also compare a remote v6-mapped v4 address to a v4 address in dotted-quad notation.

Hi, sorry it took me so long to respond. Please open a new issue for this, and I'd like to get rid of the v6-mapped v4 address matching part. Our preferred configuration is to use bindv6only, and not doing any magic (see IPv6-Config).

#7

Updated by stbuehler over 4 years ago

  • Related to Feature #2706: Matching IPv6 addresses with $HTTP["remoteip"] added

Also available in: Atom