I have an interesting problem. My company is hosting a small application server for a client, and they want to restrict access to only a few IPs. The client is a large company with many divisions, and each division has their own networking structure.
I won’t go into the details, but because of my company’s internal structure for web servers, we can’t use the conventional allow,deny syntax in Apache. We have load balancers which forward to web servers which then forward to the application server itself. Instead, we use something like the following in our Apache configurations:
RewriteCond %{HTTP:X-Forwarded-For} !^213.212.45.54
We make use of the X-Forwarded-For header to match external IPs. The problem is that one of our client’s divisions (call it division A) has their Internet access set up to go through an internal proxy. Their internal proxy forwards the workstation IP of each user to our web server. This means that the X-Forwarded-For header for those users looks something like this:
10.123.16.23, 213.212.45.54, 172.20.162.2
The 10 address is the workstation IP of each user in their network, the 213 is the WAN IP of that division, and the 172 is my company’s load balancer.
My company has confirmed that if we add the workstation IP of a user to the Apache configuration, they are able to access the page without problem. However, to add every single IP would be tedious.
Is there a way to tell Apache to only pay attention to the middle IP (the WAN IP) using regular expressions? Or is there a better way to configure Apache?
I haven’t tested this, but you could construct a regex that searches for your IP string anywhere in the field. The first ^ in your regex means it must match the beginning of the string, which is not the case here.
Something as simple as this could work:
The backslashes are necessary in front of the dots because otherwise the . matches any number of any characters, including matching nothing; it’s the equivalent of a * in wildcard syntax.
Like this, if the string 213.212.45.54 is found anywhere in the X-Forwarded-For header, the regex will match.
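To see what the anchored pattern from the question, the unanchored escaped pattern from the answer, and a tighter "whole list element" pattern each accept, here is an added example that is not part of the question or the answer. It emulates the unanchored regex search that mod_rewrite performs on the header value, and then contrasts it with the check a practitioner should actually perform: walk the X-Forwarded-For chain from the right, skip the proxies you operate, and trust only the address your own edge recorded as its peer. The addresses reuse the ones in the question; 172.20.162.2 is assumed to be the only trusted proxy, 198.51.100.7 is a documentation address standing in for an outside client, and the header values are constructed, not captured.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample X-Forwarded-For values, modelled on the layout in the
# question (workstation -> division WAN -> hosting load balancer). They are
# not real headers from the original post.
DIVISION_A_XFF = "10.123.16.23, 213.212.45.54, 172.20.162.2"   # via internal proxy
DIVISION_B_XFF = "213.212.45.54, 172.20.162.2"                 # no internal proxy
SPOOFED_XFF = "213.212.45.54, 198.51.100.7, 172.20.162.2"      # client sent the first entry itself
LOOKALIKE_XFF = "213x212x45x54, 172.20.162.2"                  # would fool an unescaped dot

# Assumed: the only proxy we operate and therefore trust to append honestly.
TRUSTED_PROXIES = [ipaddress.ip_network("172.20.162.2/32")]
ALLOWED_WAN_IPS = {"213.212.45.54"}


def rewritecond_matches(header_value: str, pattern: str) -> bool:
    """Emulate the regex test behind
    `RewriteCond %{HTTP:X-Forwarded-For} <pattern>`: an unanchored search, so
    '^' and escaping decide what counts as a match."""
    return re.search(pattern, header_value) is not None


def bounded_pattern(ip: str) -> str:
    """Pattern that matches `ip` only as a whole, comma-separated list element,
    so neither '1213.212.45.54' nor '213.212.45.543' nor '213x212x45x54' match."""
    return r"(^|,\s*)" + re.escape(ip) + r"(\s*,|$)"


def xff_hops(header_value: str) -> list:
    """Split the header into its hop entries, left = oldest, right = newest."""
    return [h.strip() for h in header_value.split(",") if h.strip()]


def client_ip_from_xff(header_value: str, trusted_proxies) -> Optional[str]:
    """Walk the chain from the right (the entries our own proxies appended),
    skip our trusted hops, and return the first address that a trusted hop
    recorded as its peer. Anything further left was supplied by the client
    side and can be forged. Unparsable entries are treated as untrusted
    input and yield None (deny), never a permissive default."""
    try:
        for hop in reversed(xff_hops(header_value)):
            addr = ipaddress.ip_address(hop)
            if not any(addr in net for net in trusted_proxies):
                return str(addr)
    except ValueError:
        return None
    return None


def allowed_by_trusted_chain(header_value: str) -> bool:
    """Allow only if the address observed by our own edge is on the list."""
    ip = client_ip_from_xff(header_value, TRUSTED_PROXIES)
    return ip is not None and ip in ALLOWED_WAN_IPS


if __name__ == "__main__":
    original = r"^213.212.45.54"          # pattern from the question
    unanchored = r"213\.212\.45\.54"       # what the answer suggests
    bounded = bounded_pattern("213.212.45.54")
    for name, xff in [("division A", DIVISION_A_XFF), ("division B", DIVISION_B_XFF),
                      ("spoofed", SPOOFED_XFF), ("lookalike", LOOKALIKE_XFF)]:
        print(f"{name:10s} original={rewritecond_matches(xff, original)!s:5} "
              f"unanchored={rewritecond_matches(xff, unanchored)!s:5} "
              f"bounded={rewritecond_matches(xff, bounded)!s:5} "
              f"trusted-chain={allowed_by_trusted_chain(xff)}")
```

Running it shows the anchored pattern rejecting division A and the unanchored pattern accepting it, as the answer says, but also that every regex variant accepts the spoofed header: a client can put 213.212.45.54 into X-Forwarded-For itself, and a regex cannot tell which entry was appended by whom. The bounded pattern (usable as-is in a RewriteCond, since mod_rewrite uses PCRE) only stops prefix and suffix look-alikes. The trusted-chain walk is the check that holds up, and Apache 2.4 ships it as mod_remoteip: with RemoteIPHeader X-Forwarded-For and RemoteIPInternalProxy set to your own load balancer it rewrites the client address the same way, after which ordinary IP-based access control applies without any rewrite rules.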