Hello,
I'm using a reverse proxy in front of my web servers, which are all running ASL.
The proxy server redirects all client traffic to the web servers with its own IP address. So on the web servers, the IP address that is hitting the web servers is always the proxy server's IP address.
I'm adding the x-forwarder header so the logging in Apache is just fine. But can I tell ASL that I am using a proxy server in front? Because now I have to white-list the IP address of the proxy server to get it working; otherwise, when there is an attack of some kind, the IP address is blocked.
Thank you for your insights ...
Using a front-end proxy
- Atomicorp Staff - Site Admin
Re: Using a front-end proxy
Yeah, check out mod_rpaf (available from the atomic repo, among others). It's designed to solve this exact problem.
Re: Using a front-end proxy
Apache 2.2 (CentOS 6 stock) with mod_rpaf (Atomic):
https://github.com/gnif/mod_rpaf
Apache httpd 2.4 with mod_remoteip (CentOS 7 stock):
http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
Nginx (EPEL 6/7):
http://nginx.org/en/docs/http/ngx_http_ ... odule.html
https://github.com/gnif/mod_rpaf
Code:
<IfModule mod_rpaf.c>
# Apache 2.2 with extra module
RPAF_Enable On
# Only set the real IP from trusted proxies
RPAF_ProxyIPs 127.0.0.1
RPAF_Header X-Forwarded-For
# Do not further modify context (for standardized behaviour across Nginx 1.6, Varnish 4,
# Apache 2.2/2.4) and do not so easily trust other X-Forwarded-* headers.
RPAF_SetHostName Off
RPAF_SetHTTPS Off
RPAF_SetPort Off
</IfModule>
http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
Code:
<IfModule mod_remoteip.c>
# Apache 2.4 stock
RemoteIPHeader X-Forwarded-For
# Only set the real IP from trusted proxies AND refuse X-Forwarded-For values in the
# local and private IP range (RemoteIPTrustedProxy vs. RemoteIPInternalProxy)
RemoteIPTrustedProxy 127.0.0.1
</IfModule>
http://nginx.org/en/docs/http/ngx_http_ ... odule.html
Code:
# Set real IP from proxy server
set_real_ip_from 127.0.0.1;
real_ip_header X-Forwarded-For;
Lemonbit Internet Dedicated Server Management
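Added example, not part of the thread and not the code of mod_rpaf, mod_remoteip or nginx: a simplified Python model of the "only set the real IP from trusted proxies" rule that the three configs above rely on, including the refusal of private header values described in the mod_remoteip comment. The function name, its parameters and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Ranges that Apache's RemoteIPTrustedProxy documentation lists as not accepted
# from the header (IPv4 only in this simplified model).
PRIVATE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def resolve_client_ip(peer_ip, xff_header, trusted_proxies, allow_private=False):
    """Return the address that logging and blocking should attribute a request to.

    peer_ip         -- source address of the TCP connection seen by the web server
    xff_header      -- raw X-Forwarded-For value ("" when the header is absent)
    trusted_proxies -- networks allowed to supply the header (hypothetical parameter)
    allow_private   -- accept private/loopback header values (internal-proxy style)
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    current = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # The right-most entry was appended by the nearest proxy, so walk from the
    # right and stop at the first address that is not itself a trusted proxy.
    while hops and any(current in net for net in trusted):
        try:
            candidate = ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # malformed entry: keep the last address that was verified
        if not allow_private and any(candidate in net for net in PRIVATE_V4):
            break  # private value refused: the proxy address stays in effect
        hops.pop()
        current = candidate
    return str(current)


if __name__ == "__main__":
    proxies = ["127.0.0.1/32"]  # same trusted proxy as in the configs above
    # Constructed requests: (peer address, X-Forwarded-For value)
    samples = [
        ("127.0.0.1", "203.0.113.7"),            # normal proxied request
        ("198.51.100.9", "203.0.113.7"),         # direct hit with a forged header
        ("127.0.0.1", "10.0.0.5, 203.0.113.7"),  # client pre-filled the header
        ("127.0.0.1", "192.168.1.50"),           # private value from the proxy
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", resolve_client_ip(peer, xff, proxies))
```

The second sample is the case the trusted-proxy setting exists for: a header sent by a host that is not a listed proxy is ignored, so the connecting address is the one that gets logged and blocked.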