Using an front-end proxy

[angelos]

Hello,

I'm using a reverse proxy in front off my web servers which all are running ASL.
the proxy server redirect all client traffic to the web servers with his own IP address. So on the web servers the IP address that is hitting the web servers is always the proxy servers IP address.
I'm adding the x-forwarder header so the logging in Apache is just fine. But can i tell ASL that i am using a proxy server in front. Because now i have to white-list the IP address of the proxy server to get it working, else where there is an attack of some kind the IP address is blocked.

thank you for your insights ...

[scott]

Yeah check out mod_rpaf (available from the atomic repo, among others). Its designed to solve this exact problem

[prupert]

Apache 2.2 (CentOS 6 stock) with mod_rpaf (Atomic):

https://github.com/gnif/mod_rpaf

Code: Select all

<IfModule mod_rpaf.c>
  # Apache 2.2 with extra module
  RPAF_Enable       On
  # Only set the real IP from trusted proxies 
  RPAF_ProxyIPs     127.0.0.1
  RPAF_Header       X-Forwarded-For
  # Do not further modify context (for standardized behaviour across Nginx 1.6, Varnish 4,
  # Apache 2.2/2.4) and do not so easily trust other X-Forwarded-* headers.
  RPAF_SetHostName  Off
  RPAF_SetHTTPS     Off
  RPAF_SetPort      Off
</IfModule>

Apache httpd 2.4 with mod_remoteip (CentOS 7 stock):

http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html

Code: Select all

<IfModule mod_remoteip.c>
  # Apache 2.4 stock
  RemoteIPHeader X-Forwarded-For
  # Only set the real IP from trusted proxies AND refuse X-Forwarded-For values in the
  # local and private IP range (RemoteIPTrustedProxy vs. RemoteIPInternalProxy)
  RemoteIPTrustedProxy 127.0.0.1
</IfModule>

Nginx (EPEL 6/7):

http://nginx.org/en/docs/http/ngx_http_ ... odule.html

Code: Select all

# Set real IP from proxy server
set_real_ip_from 127.0.0.1;
real_ip_header X-Forwarded-For;