mod_maxmindb: How to set MMDB_ADDR value using X-Forwarded-For (with comma separated value) header

[sujeet-singh]

Hi,

I am looking for some help related to maxmind apache module. We are using Apache Module with Maxmind DB's commercial License.

Thanks for the good documentation.

Problem I am facing:

If MMDB_ADDR env variable has value something like this: "165.225.81.57, 49.36.141.81". I am getting error "invalid IP or service unknown". Please help me with the transformation of x-forwarded-for header having the above value to "165.225.81.57". I have tried multiple things. nothing seem to work.

If X-Forwarded-For header has single value like "165.225.81.57". Things are working fine.

I am using ModSecurity's SecRule to set mmdb_addr.

mod_remoteip can't be used since RemoteIPHeader modifies the x-forwarded-for header which is creating problem in identifying country in internal servers.

Thanks in advance.

[nchelluri]

Hi, thanks for the detailed request.

Can you provide an example of how you set the MMDB_ADDR value?

I wonder if something like this would work for you:

SetEnvIf X-Forwarded-For "^([^,]+)" MMDB_ADDR=$1

I believe this will set the MMDB_ADDR env var to the first IP found in X-Forwarded-For.

Let me know how it goes!

[sujeet-singh]

Thanks for the quick reply.

I was using the below mod security rule:

<IfModule mod_security2.c>
        SecRuleEngine On
        SecRequestBodyAccess On
        SecRule REQUEST_HEADERS:x-forwarded-for "@rx ^[\.0-9]*" "phase:1,nolog,id:200009,setenv:'MMDB_ADDR=%{MATCHED_VAR}',msg:'MMDB_ADDR=%{MATCHED_VAR}'"
</IfModule>

I have tried what you have suggested. Its not working.

But, the documentation says MMDB_ADDR can't be set using SetEnvIf. Correct me If I am wrong.

[nchelluri]

Sorry, I don't know Apache or this module very well. I was hoping that would work.

So I'm not very familar with mod_security2 either :)

But I think that MATCHED_VAR captures the whole header, I wonder if you can do something like

        SecRule REQUEST_HEADERS:x-forwarded-for "@rx ^([^,]*)" "phase:1,nolog,id:200009,setenv:'MMDB_ADDR=%{TX.1}',msg:'MMDB_ADDR=%{TX.1}'"

instead and it will work? The aim I'm going for is to capture the first IP (everything up to the first comma, which should match IPv4 as well as IPv6) and then put it into the MMDB_ADDR var.

[sujeet-singh]

You are right about MATCHED_VAR.

Getting below message in audit log: for the header having x-forwarded-for as 165.225.81.57, 49.36.141.81 [msg "MMDB_ADDR="]

[nchelluri]

Sorry, can't be of much more help because I haven't the environment in from of me to debug. It seems to me that the SecRule I specified should be working, but I've never worked with ModSecurity before. I wonder about the following:

1. Does the header name actually get matched? Is it case sensitive? If not, that'd explain things... Maybe try X-Forwarded-For instead?
2. Does the env var get set? And can we re-use TX? I think so.

[sujeet-singh]

1. Does the header name actually get matched? Is it case sensitive? If not, that'd explain things... Maybe try X-Forwarded-For instead? _SecRule with MATCHED_VAR is working when x-forwarded-for has only one IP address in it. Problem begins when proxy addresses are also available in the header._
2. Does the env var get set? And can we re-use TX? I think so. No env var isnt getting set. Something we are missing here. Let me check this further.

Anyways thanks for the help.

[sujeet-singh]

Thanks @nchelluri for putting me in right direction.

With what you have suggested and ModSecurity documentation, I identified the issue.

Below rule solves the problem. Missing part was capture action in ur suggested SecRule

  SecRule REQUEST_HEADERS:x-forwarded-for "@rx ^([^,]*)" "phase:1,capture,nolog,id:200009,setenv:'MMDB_ADDR=%{tx.1}',msg:'MMDB_ADDR=%{tx.1}'"

[nchelluri]

Great to hear!