On Mon, Feb 24, 2025 at 1:35 PM Tony Olekshy <apa...@olekshy.net> wrote:

> Our Apache httpd.conf is configured to include these lines for
> blocking requests from a list of IP addresses without logging
> them — in this order and mixed with other lines — yet some such
> requests are logged anyway:
>
>     CustomLog logs/access_log combined env=!DontLogIt
>
>     <VirtualHost *:80>
>
>     RewriteMap  ipb "prg:/some-path/ip-block/filter"
>     RewriteCond ${ipb:%{REMOTE_ADDR}/%{HTTP_HOST}} X
>     RewriteRule ^ - [F,L,E=DontLogIt]
>
> That ip-block/filter program writes to stdout, for each case of
> request data Apache sends to its stdin, whether the request IP
> address is on a block list, and this configuration successfully
> blocks almost all the requests from those IP addresses — without
> logging them.
>
> However, some requests, such as the following, remain logged by
> Apache even when they are from IP addresses in the block list,
> and regardless of whether we have LogLevel set to info or warn:
>
>     /file%3a/////etc%2fpasswd%00
>     /%0d%0aSet-Cookie:crlfinjection=1;
>     /cgi-bin.%2e/.%2e/.%2e/.%2e/bin/sh
>     //%2f..=%5c..=%5c..=%5cetc%5cpasswd%00
>
> Why is that happening, and what can we do to prevent logging of
> those requests too, when they arrive from a blocked IP address?
>
> Sincerely Yours
> Tony Olekshy
> apa...@olekshy.net
Tony,

An IP block should not have issues with URL encoding - can you provide your
vhost configuration?
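
The lookup protocol that the quoted `RewriteMap ... prg:` line relies on, shown as an added example that is not part of the thread and is not the poster's actual filter: httpd writes one key per line (`REMOTE_ADDR/HTTP_HOST` here) to the program's stdin and waits for one answer line on stdout, `X` for a blocked address or `NULL` for no match. The block list entries, the per-host rule and the names `BLOCKED`, `verdict` and `serve` are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Sketch of a prg: RewriteMap filter (added example, not the poster's program)."""
import ipaddress
import sys

# Constructed sample block list (documentation address ranges); "*" = every host.
BLOCKED = {
    "*": [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")],
    "shop.example.org": [ipaddress.ip_network("198.51.100.7/32")],
}


def verdict(key: str) -> str:
    """Map one lookup key 'REMOTE_ADDR/HTTP_HOST' to 'X' (blocked) or 'NULL'."""
    # REMOTE_ADDR never contains '/', so split once; the Host header is
    # client-controlled and may hold anything, including more slashes.
    addr_text, _, host = key.strip().partition("/")
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return "NULL"  # malformed key: answer "no match", never crash
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) must match the IPv4 rules too.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # Normalise the host: lower-case, drop ":port" and a trailing dot.
    # A bracketed IPv6 literal simply matches no per-host entry.
    host = host.lower().partition(":")[0].rstrip(".")
    nets = BLOCKED["*"] + BLOCKED.get(host, [])
    hit = any(addr.version == n.version and addr in n for n in nets)
    return "X" if hit else "NULL"


def serve(stdin=sys.stdin, stdout=sys.stdout) -> None:
    """One answer line per key line, flushed at once: httpd waits for each reply."""
    for line in stdin:
        stdout.write(verdict(line) + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve()
```

The filter only influences requests for which the `RewriteCond` lookup is actually evaluated, so comparing the keys it receives against the access log shows whether a logged request ever reached it.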
