Reputation: 128
We are using this kind of configuration to grant access to one of our sites
<LocationMatch "/*">
Order deny,allow
Deny from all
Allow from 127.0.0.0/8
SetEnvIf X-Forwarded-For "(,| |^)192\.168\." WhiteIP
SetEnvIf X-Forwarded-For "(,| |^)172\.(1[6-9]|2\d|3[0-1])\." WhiteIP
SetEnvIf X-Forwarded-For "(,| |^)10\." WhiteIP
Allow from env=WhiteIP
</LocationMatch>
Indeed, there is another reverse proxy in front of this Apache server so all clients will have the header.
Problem is sometimes clients have other proxies on their side and the X-Forwarded-For header will be either duplicated or concatenated. We handle the concatenation correctly with the (,| |^) regexp trick, but the problem is that Apache seems to run the SetEnvIf only against the first occurrence of the header.
Documentation is unclear about this behavior. Any idea on how to handle this kind of case? (note: we cannot control how our reverse proxy works, only Apache) Could that be qualified as a bug? I couldn't find the right way to ask Google about this and found no result. I've also tried digging into mod_setenvif's code but that's out of my league.
Precision: CentOS 6, Apache 2.2.15 latest patch version
Upvotes: 0
Views: 606
Reputation: 17896
If SetEnvIf sees regex-like characters in the first argument, it will go into a mode where it iterates over all headers that match the regex until there's a match.
You could use this by specifying ^X-Forwarded-For$ which would iterate over the multiple occurrences of this 1 header.
This is a workaround for the longstanding behavior of how many modules treat multiple occurrences. This should be documented better as a module-specific solution.
Upvotes: 1
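The following is an added example, not code from the question or the answer above. It is a small Python model of the two evaluation modes discussed: the behaviour the question reports (the directive is run against the first X-Forwarded-For line only) and the answer's workaround (a regex header name such as ^X-Forwarded-For$ makes every matching header line get tested). It reuses the three private-range patterns from the question's SetEnvIf lines. The sample requests, the hostname example.test and the 203.0.113.x addresses are constructed for the example; that header-name matching is case-insensitive is an assumption of the model, not something the page states. A third function, trusted_hop_only, is a defensive variant the page does not describe: it checks only the rightmost hop, the one appended by the reverse proxy in front of Apache, because the (,| |^) trick also matches private addresses placed in the header before the request reached that proxy.

```python
import re
from typing import Iterable, List, Tuple

Header = Tuple[str, str]

# The three patterns from the question's SetEnvIf lines. The (,| |^) prefix
# anchors a match at the start of a comma-separated list element, so a
# private address that appears after a public one still matches.
WHITE_IP_PATTERNS = [
    re.compile(r"(,| |^)192\.168\."),
    re.compile(r"(,| |^)172\.(1[6-9]|2\d|3[0-1])\."),
    re.compile(r"(,| |^)10\."),
]


def matches_white_ip(value: str) -> bool:
    """True if any of the page's private-range patterns matches this value."""
    return any(p.search(value) for p in WHITE_IP_PATTERNS)


def xff_values(headers: Iterable[Header]) -> List[str]:
    """All X-Forwarded-For lines in the order received.
    Assumption: header-name comparison is case-insensitive."""
    return [v for name, v in headers if name.lower() == "x-forwarded-for"]


def first_occurrence_only(headers: Iterable[Header]) -> bool:
    """Model of the behaviour the question reports: only the first
    X-Forwarded-For line is examined, so a private address on a second
    line is never seen."""
    values = xff_values(headers)
    return bool(values) and matches_white_ip(values[0])


def all_occurrences(headers: Iterable[Header]) -> bool:
    """Model of the answer's workaround (SetEnvIf ^X-Forwarded-For$ ...):
    every header line whose name matches the regex is tested, stopping at
    the first line that matches."""
    return any(matches_white_ip(v) for v in xff_values(headers))


def flatten_xff(headers: Iterable[Header]) -> List[str]:
    """Join repeated header lines into one comma-separated list (the HTTP
    rule for list-valued headers) and split it into individual hops."""
    hops: List[str] = []
    for value in xff_values(headers):
        hops.extend(h.strip() for h in value.split(",") if h.strip())
    return hops


def trusted_hop_only(headers: Iterable[Header]) -> bool:
    """Defensive variant (not on the page): only the rightmost hop, the one
    appended by the reverse proxy in front of Apache, is checked. Every hop
    to its left arrived in the request from the client side."""
    hops = flatten_xff(headers)
    return bool(hops) and matches_white_ip(hops[-1])


# Constructed sample requests (hostname and addresses are not from the page).
# A: one concatenated header line, private address appended by the trusted proxy.
SAMPLE_A: List[Header] = [
    ("Host", "example.test"),
    ("X-Forwarded-For", "203.0.113.9, 10.1.2.3"),
]
# B: the duplicated-header case from the question; the private address is on
# the second line, which a first-occurrence-only check never inspects.
SAMPLE_B: List[Header] = [
    ("Host", "example.test"),
    ("X-Forwarded-For", "203.0.113.9"),
    ("X-Forwarded-For", "10.1.2.3"),
]
# C: a private address was already in the header when the request reached the
# trusted proxy, which then appended the real public client address.
SAMPLE_C: List[Header] = [
    ("Host", "example.test"),
    ("X-Forwarded-For", "10.9.9.9, 203.0.113.9"),
]

if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(
            f"sample {label}: first-only={first_occurrence_only(sample)} "
            f"all-occurrences={all_occurrences(sample)} "
            f"trusted-hop={trusted_hop_only(sample)}"
        )
```

Sample B is the case the question is about: the first-occurrence model denies the request while the all-occurrences model allows it, which is the effect the answer's ^X-Forwarded-For$ form is meant to achieve. Sample C shows why checking the rightmost hop is the safer reading of the header: both page-style checks allow it because the (,| |^) anchor matches a private address anywhere in the list, whereas the rightmost hop, the only one the trusted proxy itself observed, is public.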