NaviServer Built-in Commands – 5.1.0
ns_ip - Determine properties of IP addresses in the current configuration
The command ns_ip is used to determine certain properties of IP addresses. It accepts as input IPv4 or IPv6 addresses and checks, for example, whether the address is valid, whether the IP is a public or trusted IP address, or whether it is in the range of a subnet specification in CIDR notation. https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
Determines whether the provided IP address is an "any" (unspecified) address. For IPv4, this is equivalent to INADDR_ANY (typically 0.0.0.0; for IPv6, it corresponds to in6addr_any (an all-zero address, ::). The command returns a boolean value.
ns_ip inany 0.0.0.0 # Expected result: 1 (true) ns_ip inany 192.168.1.100 # Expected result: 0 (false) ns_ip inany :: # Expected result: 1 (true) for an unspecified IPv6 address
Validates the provided cidr (subnet) specification (IPv4 or IPv6 address followed by a slash and prefix length) and the provided ipaddr, and tests whether the IP address is contained in the specified range. The command returns a boolean value.
IPv4 and IPv6 are normally treated as distinct address families. However, IPv4-mapped IPv6 addresses of the form ::ffff:a.b.c.d are treated as equivalent to their IPv4 counterparts. Therefore, comparisons between IPv4 and IPv4-mapped IPv6 addresses succeed when the embedded IPv4 address matches.
For CIDR specifications using IPv4-mapped IPv6 addresses with prefix lengths in the range 96..128, the prefix is interpreted as an IPv4 prefix (i.e., the effective prefix length is reduced by 96). This allows symmetric matching between IPv4 and IPv4-mapped IPv6 CIDRs.
For all other mixed-family comparisons (e.g., native IPv6 vs IPv4), the result is false.
Returns a dict with the members "trusted", "public", and "type" for the provided ipaddr.
Tests whether the provided ipaddr is a public IP address, i.e., reachable from the public Internet. This excludes loopback, private, link-local, and other non-public address ranges.
IPv4-mapped IPv6 addresses (of the form ::ffff:a.b.c.d) are evaluated based on their embedded IPv4 address. For example, ::ffff:127.0.0.1 is treated as loopback and therefore not public, while ::ffff:137.208.116.31 is treated as a public IPv4 address.
Tests if the provided ipaddr was defined as a trusted IP address for an upstream reverse proxy server in the used configuration file. This is important for running behind a reverse proxy server.
Tests if the provided ipaddr is a valid IP address. With the optional ?-type? argument the result can be constraint further to check, if the address is an IPv4 or an IPv6 address.
% ns_ip match 137.208.0.0/16 137.208.116.31 1 % ns_ip match 137.208.0.0/16 112.207.16.33 0 % ns_ip match 2001:628:404:74::31/64 [ns_conn peeraddr] ... # Is IP address a valid IPv6 address? % set ip [ns_conn peeraddr] % ns_ip valid -type ipv6 $ip % ns_ip match ::/0 $ip % string equal IPv6 [dict get [ns_ip properties $ip] type] # Is IP address a valid IPv4 address? % ns_ip valid -type ipv4 $ip % ns_ip match 0.0.0.0/0 $ip % string equal IPv4 [dict get [ns_ip properties $ip] type] # IPv4-mapped IPv6 addresses are classified by their embedded IPv4 address: % ns_ip public ::ffff:127.0.0.1 0 % ns_ip public ::ffff:137.208.116.31 1
ns_section ns/parameters/reverseproxymode {
ns_param enabled 1
#
# Define some address ranges of cloudflare as trusted sources
# for the "x-forwarded-for" header field.
#
ns_param trustedservers {
103.21.244.0/22
104.24.0.0/14
2400:cb00::/32
2606:4700::/32
}
# ....
}