The question mod_security with OWASP CRS: Custom rule for whitelisting googlebot provides the following rule as the answer to verify the client’s DNS:
SecRule REMOTE_HOST "@rx google(bot|)\.com$" "id:50000,nolog,allow"
This rule was meant to be used on ModSecurity with Apache and required the directive HostnameLookups On configured on Apache. The MODSECURITY HANDBOOK says:
If the Apache directive HostnameLookups is set to On, then this variable will hold the remote hostname resolved through DNS. If the directive is set to Off, this variable will hold the remote IP address (same as REMOTE_ADDR). Possible uses for this variable include denying known bad client hosts or network blocks or, conversely, allowing authorized hosts in.
When using Nginx as reverse proxy without Apache, is there a way to make REMOTE_HOST return the hostname resolved through DNS?
The remote IP address is already in the nginx variable $remote_addr and the ModSecurity variable REMOTE_ADDR. The reference manual says:
This variable holds the IP address of the remote client.
SecRule REMOTE_ADDR "@ipMatch 192.168.1.101" "id:35"
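The rule quoted above only checks that the name returned by the reverse (PTR) lookup of REMOTE_ADDR matches a pattern. The following Python example is added here and is not part of the question or of ModSecurity; it reproduces that PTR-only check and sets it beside the forward-confirmed variant (reverse lookup, then a forward lookup of the returned name that must resolve back to the original address), which is what a practitioner would normally want before treating a crawler as authorized. The regex is the question's `google(bot|)\.com$` tightened with a label boundary so that a name merely ending in the string does not match; the stub PTR/A tables and the 203.0.113.x addresses are constructed for the example, and the `system_*` helpers wrapping the standard library resolver are there only to show where real lookups would plug in.

```python
import re
import socket
from typing import Callable, Dict, List, Optional

# Pattern from the question's rule, with a leading label boundary added so the
# match must start at "google..." or ".google..." (e.g. "notgoogle.com" fails).
ALLOWED_HOST_RE = re.compile(r"(^|\.)google(bot|)\.com$")

# Resolver hooks, so the check can be driven by an offline stub table in tests
# and by the real resolver in production (see system_reverse/system_forward).
ReverseLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], List[str]]


def reverse_dns_only(ip: str, reverse: ReverseLookup) -> Optional[str]:
    """What the REMOTE_HOST rule in the question effectively does: accept the
    client if the PTR name of its address matches the pattern.
    Returns the matching hostname, or None if there is no match."""
    host = reverse(ip)
    if host and ALLOWED_HOST_RE.search(host):
        return host
    return None


def forward_confirmed(ip: str, reverse: ReverseLookup, forward: ForwardLookup) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must match the pattern AND
    that name must resolve (A/AAAA) back to the address the request came from.
    A PTR record is published by whoever controls the address block, so the
    forward step is what ties the name to the crawler's real zone."""
    host = reverse_dns_only(ip, reverse)
    if host is None:
        return False
    return ip in forward(host)


# --- Constructed stub zone (not real DNS data) --------------------------------
STUB_PTR: Dict[str, str] = {
    "203.0.113.10": "crawl-203-0-113-10.googlebot.com",   # confirms
    "203.0.113.20": "crawl-203-0-113-20.googlebot.com",   # PTR ok, forward does not confirm
    "203.0.113.30": "notgoogle.com",                      # fails the label boundary
}
STUB_A: Dict[str, List[str]] = {
    "crawl-203-0-113-10.googlebot.com": ["203.0.113.10"],
    "crawl-203-0-113-20.googlebot.com": ["198.51.100.7"],
    "notgoogle.com": ["203.0.113.30"],
}


def stub_reverse(ip: str) -> Optional[str]:
    return STUB_PTR.get(ip)


def stub_forward(host: str) -> List[str]:
    return STUB_A.get(host, [])


# --- Real resolver wrappers (standard library; used when run against live DNS) --
def system_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def system_forward(host: str) -> List[str]:
    try:
        return socket.gethostbyname_ex(host)[2]
    except (socket.gaierror, OSError):
        return []


if __name__ == "__main__":
    # Offline demonstration over the stub table.
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.30", "192.0.2.1"):
        ptr_match = reverse_dns_only(ip, stub_reverse)
        confirmed = forward_confirmed(ip, stub_reverse, stub_forward)
        print(f"{ip:14} ptr-only={ptr_match!r:40} forward-confirmed={confirmed}")
```

The second stub address is the case the question's rule cannot distinguish: its PTR name matches the pattern, so `reverse_dns_only` accepts it, while `forward_confirmed` rejects it because the name resolves elsewhere. Swapping `stub_reverse`/`stub_forward` for `system_reverse`/`system_forward` runs the same logic against live DNS.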