Handling insignificant zeroes in IP address
Hi, the question for today is: while two IP addresses differing only in insignificant zero(es) (like 126.96.36.199 and 056.223.112.001) do address the same site, should I respect this difference when constructing mantras to match all these possible cases?
More specifically, does a .htaccess'
deny from 188.8.131.52
prevent incoming 080.000.00.008 (the same address)?
Or should I write:
deny from 0?80.0*.0*.0*8 (dots are not escaped here, this is to clarify the idea only)
A quick test seemed to reveal the answer. I put this in my htaccess:
Require ip 127.000.000.001
(This is Apache 2.4 syntax, but you should be able to do the same test on your own server.)
For me, this worked just fine, which means Apache knows how to normalize an IP address.
- Alas, I have no server at hand, my daughter occupied it. Yes, your example is OK, but this is an example only. What about the rule?
Even more interesting to me - as we all know, the foundation of an IP address is an integer number. Do you see any possibility to compare IP addresses as integer numbers? Not char strings, but integer numbers? It would be fine to allow or ban some range of IP addresses using numeric rather than string notation.
DO NOT use Regular Expressions in your mod_authz directives. If you do, everything will switch over from raw-text to interpret-and-analyze mode. (These are not the technical terms. I can look it up if you need to know and can't find it on your own.) This, in turn, will play havoc with the format of your logs. It also makes the server do more work.
|dots are not escaped here, this is to clarify the idea only |
Whew! I'm glad you said this, because the combination of Regular Expression and unescaped dots would otherwise lead to, er, I think "unintended consequences" is the ordinary euphemism.
Yes, omit any leading zeros. They are not normally used.
Can I hope that your example was itself for-illustration-purposes only? In real life it is very rare to ban a specific IP down to the last digit. Normally you'd look up its address block and ban the whole thing, ending in /18 or /15 or what-have-you (can be truncated with multiples of 8).
Thank you! Yes, the examples are from a htaccess manual, this is not my improvisation, at least the last IP. Sorry.
My example with "mod_authz directives" was a raw one. In reality I don't use regexps there.
The essence of my question is rather different.
Let's imagine the incoming IP addresses are processed as numbers, which, in essence, they are.
Then the question of leading zeroes would be insignificant. The regexps would be of little need then.
But while the IP addresses are processed as char strings, I should take them into consideration:(
You mention "They are not normally used" about leading zeroes. But this means the server can get those zeroes sometimes. By the way, I've already met some lists of IP addresses with leading zeroes.
So what about the opportunity to compare IP addresses alike decent integer numbers are processed?
Maybe some other server (Nginx?) possesses this opportunity?
|So what about the opportunity to compare IP addresses alike decent integer numbers are processed? |
I don't understand this question.
This IETF document may be informative, specifically the "Early Practice" and "Recommendations" sections.
Textual Representation of IPv4 and IPv6 Addresses:
I assumed he meant ranges, like => 96 and <128. But generally IP numbers fall into CIDR ranges, which have already done the work for you.
I was absent for some time.
No, this is not CIDR. I'll try to explain by an example:
Each IPv4 address a.b.c.d consists of four values from the range [0,255], where 0 <= a,b,c,d <= 255.
Such an address is equivalent to an integer number N, less than 2^32:
N = d + 256*(c + 256*(b + 256*a))
You can even replace the IP address in a browser address field with this number and the result will be the same.
Such a number can be compared with any other number of the same kind with only 1 command of a 32-bit processor.
For example, you can simply write in C or Python (or PHP, with $):
if N < 13595379
if N >= 33765427
- that's all. Very simple, very-very-very fast (ONE machine command!).
When you use the ordinary IP form, even if you don't use regexps, the same comparison will be very time-consuming (~10 times slower), and in the case of regexps even slower (~100 times), and not at all obvious.
Hence the question.
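The integer form described in the last post, together with the address-block (CIDR) banning suggested earlier in the thread, worked through as an added example. This is not code from the thread, from Apache or from any of the posters; the function names (ipv4_to_int, int_to_ipv4, parse_cidr, is_denied) and the sample deny list are my own choices, and the deny-list values are constructed from the RFC 5737 documentation ranges. Leading zeros are handled by an explicit policy: read as decimal (what the poster wants and what the Apache test above showed), or rejected outright, which is the safer default when the string may later reach a library that follows the classic BSD inet_aton rule of reading a leading zero as octal (the "Early Practice" the IETF draft mentioned above describes).

```python
import re

# Constructed sample deny list: one exact host and two CIDR blocks.
# Values are from the RFC 5737 documentation ranges, not from the thread.
DENY_RULES = ["203.0.113.77", "198.51.100.0/24", "192.0.2.0/28"]

_OCTET_RE = re.compile(r"^[0-9]{1,3}$")


def ipv4_to_int(text, leading_zeros="decimal"):
    """Convert a dotted quad to the integer N = d + 256*(c + 256*(b + 256*a)).

    leading_zeros="decimal": '010' is read as decimal 10 (normalisation).
    leading_zeros="reject":  any octet with a leading zero raises ValueError,
        so an input that an octal-reading inet_aton would see as a different
        address can never slip through as "the same" one.
    """
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    n = 0
    for octet in parts:
        if not _OCTET_RE.match(octet):
            raise ValueError(f"bad octet {octet!r} in {text!r}")
        if leading_zeros == "reject" and len(octet) > 1 and octet[0] == "0":
            raise ValueError(f"leading zero in octet {octet!r} of {text!r}")
        value = int(octet, 10)          # always base 10, never octal
        if value > 255:
            raise ValueError(f"octet {octet!r} out of range in {text!r}")
        n = n * 256 + value             # Horner form of d + 256*(c + 256*(b + 256*a))
    return n


def int_to_ipv4(n):
    """Inverse of ipv4_to_int; always emits the canonical form without leading zeros."""
    if not 0 <= n < 2 ** 32:
        raise ValueError("not a 32-bit value")
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_cidr(rule):
    """Return (network_int, mask_int) for 'a.b.c.d' or 'a.b.c.d/prefix'."""
    if "/" in rule:
        addr, prefix = rule.split("/", 1)
        prefix = int(prefix, 10)
        if not 0 <= prefix <= 32:
            raise ValueError(f"bad prefix length in {rule!r}")
    else:
        addr, prefix = rule, 32         # a bare address is a /32 host rule
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ipv4_to_int(addr) & mask, mask


def is_denied(client_ip, rules=DENY_RULES):
    """Integer matching: one AND and one equality per rule, no string comparison."""
    n = ipv4_to_int(client_ip)          # leading zeros normalised once, up front
    for rule in rules:
        network, mask = parse_cidr(rule)
        if n & mask == network:
            return True
    return False


if __name__ == "__main__":
    probes = ["203.0.113.77", "203.000.113.077", "198.51.100.200",
              "192.0.2.20", "192.0.2.15"]
    for probe in probes:
        n = ipv4_to_int(probe)
        print(f"{probe:>16} -> N={n:>10}  canonical={int_to_ipv4(n):<15}"
              f"  denied={is_denied(probe)}")
```

Normalising to the integer once, at the point where the client address enters the program, is what makes the leading-zero question disappear: every later comparison, range check or log line works on N (or on its canonical text from int_to_ipv4), so "203.000.113.077" and "203.0.113.77" cannot be treated as two different clients. The strict policy exists for the opposite situation, where the string itself will be handed on to something else and the two spellings might not agree on what they mean.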