I'm trying to configure apache 2.4 to show nice error pages to external users
of our web site, while allowing staff to see the real error. The idea is to
prevent exposing privileged information to the general public while allowing
our staff to more easily debug issues on our production web site. To
accomplish this I am using a combination of ErrorDocument within an If
statement that evaluates the header X-Real-IP which is the IP address of the
client on my server.
This seems to work, until I nest the If statements to catch all the IP ranges
that I am interested in.
For example...
<If "! %{HTTP:X-Real-IP} -ipmatch '172.28.1.84/32' ">
ErrorDocument 404 /errors/404
</If>
will correctly show the nice 404 page for a user coming from 172.28.1.84.
Using this, the same user coming from 172.28.1.84 sees the nice error page.
<If "! %{HTTP:X-Real-IP} -ipmatch '127.0.0.0/8' ">
ErrorDocument 404 /errors/404
</If>
Simmilarly the same user gets the nice error page when this code is used.
<If "! %{HTTP:X-Real-IP} -ipmatch '192.168.0.0/16' ">
ErrorDocument 404 /errors/404
</If>
The problem comes when I combine these 2 so that all users except those coming
from 127.*.*.* or 192.168.*.* see the nice error page.
<If "! %{HTTP:X-Real-IP} -ipmatch '127.0.0.0/8' ">
<If "! %{HTTP:X-Real-IP} -ipmatch '192.168.0.0/16' ">
ErrorDocument 404 /errors/404
</If>
</If>
The user from 172.28.1.84 does not get the nice 404 page, but the default 404
page. The IP does not match either of the ranges as observed when using the
ranges individually, but when combined in this way it does not work as expected.
Any ideas why this is?
Mike Schlottman
Sr. Infrastructure Architect
Society of Petroleum Engineers
222 Palisades Creek Drive
Richardson, TX 75080
