I'm trying to configure apache 2.4 to show nice error pages to external users 
of our web site, while allowing staff to see the real error.   The idea is to 
prevent exposing privileged information to the general public while allowing 
our staff to more easily debug issues on our production web site.   To 
accomplish this I am using a combination of ErrorDocument within an If 
statement that evaluates the header X-Real-IP which is the IP address of the 
client on my server.

This seems to work, until I nest the If statements to catch all the IP ranges 
that I am interested in.

For example...
<If  "! %{HTTP:X-Real-IP}  -ipmatch '172.28.1.84/32' ">
  ErrorDocument 404 /errors/404
</If>
will correctly show the nice 404 page for a user coming from 172.28.1.84.

Using this, the same user coming from 172.28.1.84 sees the nice error page.
<If  "! %{HTTP:X-Real-IP}  -ipmatch '127.0.0.0/8' ">
  ErrorDocument 404 /errors/404
</If>

Simmilarly the same user gets the nice error page when this code is used.
<If  "! %{HTTP:X-Real-IP}  -ipmatch '192.168.0.0/16' ">
  ErrorDocument 404 /errors/404
</If>

The problem comes when I combine these 2 so that all users except those coming 
from 127.*.*.* or 192.168.*.* see the nice error page.
<If  "! %{HTTP:X-Real-IP}  -ipmatch '127.0.0.0/8' ">
  <If  "! %{HTTP:X-Real-IP}  -ipmatch '192.168.0.0/16' ">
    ErrorDocument 404 /errors/404
  </If>
</If>
The user from 172.28.1.84 does not get the nice 404 page, but the default 404 
page.   The IP does not match either of the ranges as observed when using the 
ranges individually, but when combined in this way it does not work as expected.

Any ideas why this is?

Mike Schlottman
Sr. Infrastructure Architect
Society of Petroleum Engineers
222 Palisades Creek Drive
Richardson, TX 75080

Reply via email to