homepage Welcome to WebmasterWorld Guest from 50.19.169.37
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Code, Content, and Presentation / Apache Web Server
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL & phranque

Apache Web Server Forum

    
Handling insignificant zeroes in IP address
insignificant zeroes
NoIdea




msg:4569667
 1:56 pm on May 1, 2013 (gmt 0)

Hi, the question for today is: while two IP addresses with only difference in insignificant zero(-es) (like 56.223.112.1 and 056.223.112.001) do address the same site, should I respect this difference when constructing mantras to match all these possible cases?
More specifically, does a .htaccess'

deny from 80.0.0.8

prevent incoming 080.000.00.008 (the same address)?
Or should I write:

deny from 0?80.0*.0*.0*8 (dots are not escaped here, this is

to clarify the idea only)

 

Dideved




msg:4569680
 2:22 pm on May 1, 2013 (gmt 0)

A quick test seemed to reveal the answer. I put this in my htaccess:

Require ip 127.000.000.001

(This is Apache 2.4 syntax, but you should be able to do the same test on your own server.)

For me, this worked just fine, which means Apache knows how to normalize an IP address.

NoIdea




msg:4569683
 3:00 pm on May 1, 2013 (gmt 0)

- Alas, I have no server at hand, my daughter occupied it. Yes, your example is OK, but this is an example only. What about the rule?
Even more interesting to me - as we all know, the foundation of a IP address is an integer number. Do you see any possibility to compare IP addresses as integer numbers? Not char strings, but integer numbers? It would be fine to allow or ban some range of IP addr. using not string's notation, but number's.

lucy24




msg:4569735
 6:42 pm on May 1, 2013 (gmt 0)

DO NOT use Regular Expressions in your mod_authz directives. If you do, everything will switch over from raw-text to interpret-and-analyze mode. (These are not the technical terms. I can look it up if you need to know and can't find it on your own.) This, in turn, will play havoc with the format of your logs. It also makes the server do more work.

dots are not escaped here, this is to clarify the idea only

Whew! I'm glad you said this, because the combination of Regular Expression and unescaped dots would otherwise lead to, er, I think "unintended consequences" is the ordinary euphemism.

Yes, omit any leading zeros. They are not normally used.

Can I hope that your example was itself for-illustration-purposes only? In real life it is very rare to ban a specific IP down to the last digit. Normally you'd look up its address block and ban the whole thing, ending in /18 or /15 or what-have-you (can be truncated with multiples of 8).

NoIdea




msg:4569742
 7:07 pm on May 1, 2013 (gmt 0)

Thank you! Yes, the examples are from a htaccess manual, this is no my improvisation, at least the last IP. Sorry.

NoIdea




msg:4569770
 9:16 pm on May 1, 2013 (gmt 0)

My example with "mod_authz directives" was a raw one. In reality I don't use regesps there.
The essence of my question is rather different.
Let's imagine the incoming IP addresses are processed as numbers, which, in essence, they are.
Then the question of leading zeroes would be insignificant. The regexps would be of little need then.
But while the IP addresses are processed as char strings, I should take them into consideration:(
You mention "They are not normally used" about leading zeroes. But this means the server can get those zeroes sometimes. By the way, I've already met some lists of IP addresses with leading zeroes.
So what about the opportunity to compare IP addresses alike decent integer numbers are processed?

NoIdea




msg:4569776
 9:50 pm on May 1, 2013 (gmt 0)

May be some another server (Nginx?) possesses this opportunity?

phranque




msg:4570253
 7:38 am on May 3, 2013 (gmt 0)

So what about the opportunity to compare IP addresses alike decent integer numbers are processed?


i don't understand this question.


this IETF document may be informative, specifically the "Early Practice" and "Recommendations" sections.

Textual Representation of IPv4 and IPv6 Addresses:
http://tools.ietf.org/html/draft-main-ipaddr-text-rep-02 [tools.ietf.org]

lucy24




msg:4570302
 8:50 am on May 3, 2013 (gmt 0)

I assumed he meant ranges, like => 96 and <128. But generally IP numbers fall into CIDR ranges, which have already done the work for you.

NoIdea




msg:4574550
 10:32 pm on May 15, 2013 (gmt 0)

Hi,
was absent some time.
No, this is not CIDR. I'll try to explain by an example:
Each IPv4 address consists of four values from the range [0,255] :

IP: a.b.c.d
where 0<= a,b,c,d <=255

Such address is an equivalent to an integer number N, less than 2^32:

N = d + 256(c + 256(b + 256*a))

You can even change IP address in a browser address field with this number and the result will be the same.

Such number can be compared with any other number of the same kind with only 1 command of a 32bit processor.
For example, you can simply write in C or Python (or PHP, with $):
if N < 13595379
or
if N >= 33765427

- that's all. Very simple, very-very-very fast (ONE machine command!).

When you use ordinary IP form, even if you don't use regexps, the same comparison will be very time-consuming (~10 times slower), and in the case of regexps even more slower (~100 times), and not at all obvious.

Hence the question.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / Apache Web Server
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved