Using a front-end proxy

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
angelos
Forum User

Hello,

I'm using a reverse proxy in front of my web servers, which are all running ASL.
The proxy server redirects all client traffic to the web servers with its own IP address, so on the web servers the IP address that is hitting them is always the proxy server's IP address.
I'm adding the x-forwarder header so the logging in Apache is just fine. But can I tell ASL that I am using a proxy server in front? Because now I have to white-list the IP address of the proxy server to get it working, or else, when there is an attack of some kind, the IP address is blocked.

Thank you for your insights ...
scott
Atomicorp Staff - Site Admin

Yeah, check out mod_rpaf (available from the atomic repo, among others). It's designed to solve this exact problem.
prupert
Forum Regular

Apache 2.2 (CentOS 6 stock) with mod_rpaf (Atomic):

https://github.com/gnif/mod_rpaf

<IfModule mod_rpaf.c>
  # Apache 2.2 with extra module
  RPAF_Enable       On
  # Only set the real IP from trusted proxies 
  RPAF_ProxyIPs     127.0.0.1
  RPAF_Header       X-Forwarded-For
  # Do not further modify context (for standardized behaviour across Nginx 1.6, Varnish 4,
  # Apache 2.2/2.4) and do not so easily trust other X-Forwarded-* headers.
  RPAF_SetHostName  Off
  RPAF_SetHTTPS     Off
  RPAF_SetPort      Off
</IfModule>

Apache httpd 2.4 with mod_remoteip (CentOS 7 stock):

http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html

<IfModule mod_remoteip.c>
  # Apache 2.4 stock
  RemoteIPHeader X-Forwarded-For
  # Only set the real IP from trusted proxies AND refuse X-Forwarded-For values in the
  # local and private IP range (RemoteIPTrustedProxy vs. RemoteIPInternalProxy)
  RemoteIPTrustedProxy 127.0.0.1
</IfModule>

Nginx (EPEL 6/7):

http://nginx.org/en/docs/http/ngx_http_ ... odule.html

# Set real IP from proxy server
set_real_ip_from 127.0.0.1;
real_ip_header X-Forwarded-For;

Lemonbit Internet Dedicated Server Management
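
An added example, not part of the thread and not code from mod_rpaf, mod_remoteip or Nginx: a simplified Python model of the trust decision those configurations express, showing why the real IP is only taken from the header when the connecting peer is a listed proxy. The function name, the `internal` flag and all addresses (documentation ranges) are constructed for illustration; the private ranges are the ones the mod_remoteip documentation lists for RemoteIPTrustedProxy.

```python
import ipaddress

# Ranges a header value may not claim unless the proxy is "internal"
# (the RemoteIPTrustedProxy vs. RemoteIPInternalProxy distinction).
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]


def resolve_client_ip(peer_ip, xff, trusted_proxies, internal=False):
    """Return the address that logging and blocking should act on."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    client = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # Walk the header right to left, only while the current address is a
    # proxy we trust; an untrusted peer's header is never consulted.
    while hops and any(client in net for net in trusted):
        try:
            candidate = ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # malformed entry: stop and keep the last good address
        if not internal and any(candidate in net for net in PRIVATE):
            break  # external proxy presenting a private address: refuse
        hops.pop()
        client = candidate
    return str(client)


# Constructed sample addresses (documentation ranges), not from the thread.
PROXY = "192.0.2.10"
CASES = [
    ("via proxy", PROXY, "203.0.113.7"),
    ("direct hit with forged header", "198.51.100.9", "203.0.113.7"),
    ("client prepends a forged hop", PROXY, "10.0.0.5, 198.51.100.9"),
    ("private value from external proxy", PROXY, "10.0.0.5"),
]

if __name__ == "__main__":
    for label, peer, xff in CASES:
        print(f"{label:36} -> {resolve_client_ip(peer, xff, [PROXY])}")
```

In the forged cases the resolved address is the one that actually connected (to the backend or to the proxy), so a block lands on the real source rather than on an address chosen by the client.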