Posted to users@httpd.apache.org by bapt x <ba...@gmail.com> on 2020/04/24 20:49:09 UTC

[users@httpd] Only allow reverse proxy traffic with mod_remoteip

Hello,

Is there a way to have the same functionality as the directive
DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
I would like to block access to users who try to bypass Cloudflare reverse
proxy (e.g. accessing my web server directly by guessing the IP address).
It looks like iptables is not a solution since I still want to host some
websites without Cloudflare.

If it is currently not possible to do it with mod_remoteip, do you plan to
add the functionality in a future version?

Thanks.

Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip

Posted by baptx <ba...@gmail.com>.
I meant a VirtualHost with:
<Location "/">
Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
</Location>


On Mon, 27 Apr 2020 at 15:44, baptx <ba...@gmail.com> wrote:

> By the way, I noticed that a VirtualHost with:
> <Location "/">
> Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
> </Location>
> has a dangerous behaviour that I did not notice directly.
> It made my .htaccess files visible publicly by accessing them in a web
> browser when using the reverse proxy (Cloudflare).
> This also resulted in my private folders, which require HTTP authentication,
> becoming accessible publicly since the .htaccess files were not working anymore.
> The issue did not happen when setting the direct server IP address for my
> domain name in the /etc/hosts file of my computer to bypass the reverse
> proxy.
> Do you know why it happened? The other solution using mod_rewrite does not
> have this problem:
> RewriteEngine on
> RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
> RewriteRule ^ - [F]
>
>
> On Sun, 26 Apr 2020 at 10:39, baptx <ba...@gmail.com> wrote:
>
>> Is there a way to display an error with a different message than the 403
>> Forbidden page configured with "ErrorDocument 403"?
>> This would improve the privacy, otherwise if a website displays a 403
>> error on an admin login page restricted by IP address, someone trying to
>> bypass the reverse proxy will see the same error page and could know that a
>> domain name is used on the IP address.
>>
>>
>> On Sat, 25 Apr 2020 at 18:16, baptx <ba...@gmail.com> wrote:
>>
>>> It worked when using Require in a location, thanks!
>>>
>>>
>>> On Sat, 25 Apr 2020 at 13:41, Yann Ylavic <yl...@gmail.com> wrote:
>>>
>>>> On Sat, Apr 25, 2020 at 1:24 PM baptx <ba...@gmail.com> wrote:
>>>> >
>>>> > @Yann: About your last reply suggesting Require expr "%{REMOTE_ADDR}
>>>> != %{CONN_REMOTE_ADDR}":
>>>> > I want to restrict access on some virtualhosts only because I want to
>>>> use some domain names without Cloudflare.
>>>> > It looks like your previous solution with mod_rewrite is better in my
>>>> case, since Require does not work in virtualhosts (I got the error:
>>>> "Require not allowed in <VirtualHost> context").
>>>>
>>>> Ah yes, correct, it should be enclosed in a location like:
>>>>
>>>> <VirtualHost ...>
>>>>   ...
>>>>   RemoteIP...
>>>>   <Location "/">
>>>>     Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>>>>   </Location>
>>>>   ...
>>>> </VirtualHost>
>>>>
>>>> >>>
>>>> >>> Thanks Yann, it worked.
>>>>
>>>> Great!
>>>>
>>>> Regards,
>>>> Yann.
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>
>>>>
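The thread ends with three loose ends: Yann's point that REMOTE_ADDR only differs from CONN_REMOTE_ADDR when the TCP peer is a trusted proxy, the need to scope the check to a <Location> inside the vhosts that sit behind Cloudflare, the wish for a 403 page on the bare IP address that does not leak which domain names the server hosts, and the reported side effect that the <Location "/"> rule exposed .htaccess-protected content. The configuration below is an added example tying those together; it is not from the thread, from Cloudflare or from the httpd project. The host names, DocumentRoots, the /etc/apache2/proxies.list path (which would hold the proxy ranges the thread links to) and the /errors/403.html page are placeholders, and the AuthMerging explanation is the editor's reading of httpd's section-merge order, not something the thread confirms.

```apache
# Added example (not from the thread or the httpd project). Host names,
# paths and the proxies.list location are placeholders.

# Global: take the client address from CF-Connecting-IP only when the TCP
# peer (CONN_REMOTE_ADDR) is listed in proxies.list. For any other peer the
# header is ignored and REMOTE_ADDR stays equal to CONN_REMOTE_ADDR, which is
# exactly what the conditions below test. A forged CF-Connecting-IP header
# sent directly to the server therefore changes nothing.
RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxyList /etc/apache2/proxies.list

# 1. Catch-all vhost. The first vhost defined for an address:port is the
#    default, so a request for the bare IP address or for an unknown Host
#    header lands here and never reaches a real site. It answers 403 with a
#    generic body that is deliberately different from any site's own
#    ErrorDocument, so the reply does not reveal which domains are hosted.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    ErrorDocument 403 "Forbidden"
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# 2. Site published through the proxy. Only requests whose connection came
#    from a trusted proxy pass; a direct request with the right Host header
#    is refused with this site's (different) 403 page only if it somehow
#    reaches this vhost, which the catch-all above already prevents.
<VirtualHost *:80>
    ServerName correct.tld
    DocumentRoot /var/www/correct.tld
    ErrorDocument 403 /errors/403.html
    <Location "/">
        # <Location> sections are merged after <Directory>, <Files> and
        # .htaccess. With the default AuthMerging Off, a Require here
        # replaces the "Require all denied" on .ht* files and any
        # "Require valid-user" from .htaccess, which is the likely cause of
        # the exposure reported in the thread. "And" combines them instead.
        AuthMerging And
        Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
    </Location>
</VirtualHost>

# 3. Site served directly, without the proxy: no restriction at all.
<VirtualHost *:80>
    ServerName direct.tld
    DocumentRoot /var/www/direct.tld
</VirtualHost>

# Equivalent for vhost 2 using mod_rewrite instead of the authz layer.
# Note the inverted operator: the rule fires (403) when the addresses are
# equal, i.e. when no trusted proxy caused REMOTE_ADDR to be rewritten.
#   RewriteEngine on
#   RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
#   RewriteRule ^ - [F]

# Repeat blocks 1 and 2 for *:443 (with their certificates) so that the
# https variant of the direct-IP request is refused the same way.
```

Run `apachectl configtest` before reloading. The four curl commands posted earlier in the thread (bare IP, http and https, correct and wrong Host header) are the right acceptance check for this layout: all four should now be answered by the catch-all vhost with its generic 403, while the same URLs fetched through the proxy still reach correct.tld, and a path under an .htaccess-protected directory should still prompt for authentication rather than being served.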

Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip

Posted by baptx <ba...@gmail.com>.
By the way, I noticed that a VirtualHost with:
<Location "/">
Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
</Location>
has a dangerous behaviour that I did not notice directly.
It made my .htaccess files visible publicly by accessing them in a web
browser when using the reverse proxy (Cloudflare).
This also resulted in my private folders, which require HTTP authentication,
becoming accessible publicly since the .htaccess files were not working anymore.
The issue did not happen when setting the direct server IP address for my
domain name in the /etc/hosts file of my computer to bypass the reverse
proxy.
Do you know why it happened? The other solution using mod_rewrite does not
have this problem:
RewriteEngine on
RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
RewriteRule ^ - [F]


On Sun, 26 Apr 2020 at 10:39, baptx <ba...@gmail.com> wrote:

> Is there a way to display an error with a different message than the 403
> Forbidden page configured with "ErrorDocument 403"?
> This would improve the privacy, otherwise if a website displays a 403
> error on an admin login page restricted by IP address, someone trying to
> bypass the reverse proxy will see the same error page and could know that a
> domain name is used on the IP address.
>
>
> On Sat, 25 Apr 2020 at 18:16, baptx <ba...@gmail.com> wrote:
>
>> It worked when using Require in a location, thanks!
>>
>>
>> On Sat, 25 Apr 2020 at 13:41, Yann Ylavic <yl...@gmail.com> wrote:
>>
>>> On Sat, Apr 25, 2020 at 1:24 PM baptx <ba...@gmail.com> wrote:
>>> >
>>> > @Yann: About your last reply suggesting Require expr "%{REMOTE_ADDR}
>>> != %{CONN_REMOTE_ADDR}":
>>> > I want to restrict access on some virtualhosts only because I want to
>>> use some domain names without Cloudflare.
>>> > It looks like your previous solution with mod_rewrite is better in my
>>> case, since Require does not work in virtualhosts (I got the error:
>>> "Require not allowed in <VirtualHost> context").
>>>
>>> Ah yes, correct, it should be enclosed in a location like:
>>>
>>> <VirtualHost ...>
>>>   ...
>>>   RemoteIP...
>>>   <Location "/">
>>>     Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>>>   </Location>
>>>   ...
>>> </VirtualHost>
>>>
>>> >>>
>>> >>> Thanks Yann, it worked.
>>>
>>> Great!
>>>
>>> Regards,
>>> Yann.
>>>

Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip

Posted by baptx <ba...@gmail.com>.
Is there a way to display an error with a different message than the 403
Forbidden page configured with "ErrorDocument 403"?
This would improve the privacy, otherwise if a website displays a 403 error
on an admin login page restricted by IP address, someone trying to bypass
the reverse proxy will see the same error page and could know that a domain
name is used on the IP address.


On Sat, 25 Apr 2020 at 18:16, baptx <ba...@gmail.com> wrote:

> It worked when using Require in a location, thanks!
>
>
> On Sat, 25 Apr 2020 at 13:41, Yann Ylavic <yl...@gmail.com> wrote:
>
>> On Sat, Apr 25, 2020 at 1:24 PM baptx <ba...@gmail.com> wrote:
>> >
>> > @Yann: About your last reply suggesting Require expr "%{REMOTE_ADDR} !=
>> %{CONN_REMOTE_ADDR}":
>> > I want to restrict access on some virtualhosts only because I want to
>> use some domain names without Cloudflare.
>> > It looks like your previous solution with mod_rewrite is better in my
>> case, since Require does not work in virtualhosts (I got the error:
>> "Require not allowed in <VirtualHost> context").
>>
>> Ah yes, correct, it should be enclosed in a location like:
>>
>> <VirtualHost ...>
>>   ...
>>   RemoteIP...
>>   <Location "/">
>>     Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>>   </Location>
>>   ...
>> </VirtualHost>
>>
>> >>>
>> >>> Thanks Yann, it worked.
>>
>> Great!
>>
>> Regards,
>> Yann.
>>

Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip

Posted by baptx <ba...@gmail.com>.
It worked when using Require in a location, thanks!


On Sat, 25 Apr 2020 at 13:41, Yann Ylavic <yl...@gmail.com> wrote:

> On Sat, Apr 25, 2020 at 1:24 PM baptx <ba...@gmail.com> wrote:
> >
> > @Yann: About your last reply suggesting Require expr "%{REMOTE_ADDR} !=
> %{CONN_REMOTE_ADDR}":
> > I want to restrict access on some virtualhosts only because I want to
> use some domain names without Cloudflare.
> > It looks like your previous solution with mod_rewrite is better in my
> case, since Require does not work in virtualhosts (I got the error:
> "Require not allowed in <VirtualHost> context").
>
> Ah yes, correct, it should be enclosed in a location like:
>
> <VirtualHost ...>
>   ...
>   RemoteIP...
>   <Location "/">
>     Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>   </Location>
>   ...
> </VirtualHost>
>
> >>>
> >>> Thanks Yann, it worked.
>
> Great!
>
> Regards,
> Yann.
>

Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip

Posted by Yann Ylavic <yl...@gmail.com>.
On Sat, Apr 25, 2020 at 1:24 PM baptx <ba...@gmail.com> wrote:
>
> @Yann: About your last reply suggesting Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}":
> I want to restrict access on some virtualhosts only because I want to use some domain names without Cloudflare.
> It looks like your previous solution with mod_rewrite is better in my case, since Require does not work in virtualhosts (I got the error: "Require not allowed in <VirtualHost> context").

Ah yes, correct, it should be enclosed in a location like:

<VirtualHost ...>
  ...
  RemoteIP...
  <Location "/">
    Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
  </Location>
  ...
</VirtualHost>

>>>
>>> Thanks Yann, it worked.

Great!

Regards,
Yann.


Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip

Posted by baptx <ba...@gmail.com>.
@Yann: About your last reply suggesting Require expr "%{REMOTE_ADDR} !=
%{CONN_REMOTE_ADDR}":
I want to restrict access on some virtualhosts only because I want to use
some domain names without Cloudflare.
It looks like your previous solution with mod_rewrite is better in my case,
since Require does not work in virtualhosts (I got the error: "Require not
allowed in <VirtualHost> context").


On Sat, 25 Apr 2020 at 13:10, baptx <ba...@gmail.com> wrote:

> I meant == instead of != like you corrected.
>
>
> On Sat, 25 Apr 2020 at 13:08, baptx <ba...@gmail.com> wrote:
>
>> Thanks Yann, it worked.
>>
>> I used RemoteIPTrustedProxy instead of RemoteIPTrustedProxyList in
>> /etc/apache2/conf-available/remoteip.conf (from Cloudflare example:
>> https://support.cloudflare.com/hc/en-us/articles/360029696071-Restoring-original-visitor-IPs-Option-2-Installing-mod-remoteip-with-Apache#12345680
>> ).
>> Then I just had to add this in the virtualhosts that I want to protect:
>> RewriteEngine on
>> RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>> RewriteRule ^ - [F]
>>
>> I tested the bypass like that in case someone is interested (the 4
>> commands should return a 403 Forbidden error):
>> curl http://1.2.3.4 -H "Host: correct.tld"
>> curl http://1.2.3.4 -H "Host: wrong.tld"
>> curl -k https://1.2.3.4 -H "Host: correct.tld"
>> curl -k https://1.2.3.4 -H "Host: wrong.tld"
>> Where 1.2.3.4 should be replaced by your server IP address and
>> correct.tld should be replaced by a correct domain name used by your server.
>> The commands try to bypass the reverse proxy both for HTTP and HTTPS.
>> They also try to guess if a domain name is used by the server, by sending a
>> correct and wrong Host header.
>> To prevent someone from finding which domain name is used by your IP
>> address by looking at the 403 Forbidden error page, the virtualhost used by
>> the IP address should not use the same 403 Forbidden error page as the
>> domain name.
>>
>> Baptiste
>>
>>
>> On Sat, 25 Apr 2020 at 00:24, Yann Ylavic <yl...@gmail.com> wrote:
>>
>>> On Sat, Apr 25, 2020 at 12:17 AM Yann Ylavic <yl...@gmail.com>
>>> wrote:
>>> >
>>> > Hi,
>>> >
>>> > On Fri, Apr 24, 2020 at 10:49 PM bapt x <ba...@gmail.com> wrote:
>>> > >
>>> > > Is there a way to have the same functionality as the directive
>>> DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
>>> > > I would like to block access to users who try to bypass Cloudflare
>>> reverse proxy (e.g. accessing my web server directly by guessing the IP
>>> address). It looks like iptables is not a solution since I still want to
>>> host some websites without Cloudflare.
>>> >
>>> > I did not try, but possibly a mix of mod_remoteip and mod_rewrite like
>>> this:
>>> >
>>> >   RemoteIPHeader CF-Connecting-IP
>>> >   RemoteIPTrustedProxyList /path/to/proxies.list
>>> >   RewriteEngine on
>>> >   RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>>>
>>> Err, this should be:
>>>     RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
>>> because mod_remoteip will change REMOTE_ADDR (to the value of the
>>> header) only if CONN_REMOTE_ADDR (the proxy) is trusted, so if both
>>> are equal it means that CONN_REMOTE_ADDR is not a trusted proxy.
>>>
>>> >   RewriteRule ^ - [F]
>>> >
>>> > With "proxies.list" containing the same list as mod_cloudflare's ([1]).
>>> >
>>> > Hth,
>>> > Yann.
>>> >
>>> > [1]
>>> https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c#L44
>>>

Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip

Posted by baptx <ba...@gmail.com>.
I meant == instead of != like you corrected.


On Sat, 25 Apr 2020 at 13:08, baptx <ba...@gmail.com> wrote:

> Thanks Yann, it worked.
>
> I used RemoteIPTrustedProxy instead of RemoteIPTrustedProxyList in
> /etc/apache2/conf-available/remoteip.conf (from Cloudflare example:
> https://support.cloudflare.com/hc/en-us/articles/360029696071-Restoring-original-visitor-IPs-Option-2-Installing-mod-remoteip-with-Apache#12345680
> ).
> Then I just had to add this in the virtualhosts that I want to protect:
> RewriteEngine on
> RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
> RewriteRule ^ - [F]
>
> I tested the bypass like that in case someone is interested (the 4
> commands should return a 403 Forbidden error):
> curl http://1.2.3.4 -H "Host: correct.tld"
> curl http://1.2.3.4 -H "Host: wrong.tld"
> curl -k https://1.2.3.4 -H "Host: correct.tld"
> curl -k https://1.2.3.4 -H "Host: wrong.tld"
> Where 1.2.3.4 should be replaced by your server IP address and correct.tld
> should be replaced by a correct domain name used by your server.
> The commands try to bypass the reverse proxy both for HTTP and HTTPS. They
> also try to guess if a domain name is used by the server, by sending a
> correct and wrong Host header.
> To prevent someone from finding which domain name is used by your IP
> address by looking at the 403 Forbidden error page, the virtualhost used by
> the IP address should not use the same 403 Forbidden error page as the
> domain name.
>
> Baptiste
>
>
> On Sat, 25 Apr 2020 at 00:24, Yann Ylavic <yl...@gmail.com> wrote:
>
>> On Sat, Apr 25, 2020 at 12:17 AM Yann Ylavic <yl...@gmail.com>
>> wrote:
>> >
>> > Hi,
>> >
>> > On Fri, Apr 24, 2020 at 10:49 PM bapt x <ba...@gmail.com> wrote:
>> > >
>> > > Is there a way to have the same functionality as the directive
>> DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
>> > > I would like to block access to users who try to bypass Cloudflare
>> reverse proxy (e.g. accessing my web server directly by guessing the IP
>> address). It looks like iptables is not a solution since I still want to
>> host some websites without Cloudflare.
>> >
>> > I did not try, but possibly a mix of mod_remoteip and mod_rewrite like
>> this:
>> >
>> >   RemoteIPHeader CF-Connecting-IP
>> >   RemoteIPTrustedProxyList /path/to/proxies.list
>> >   RewriteEngine on
>> >   RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>>
>> Err, this should be:
>>     RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
>> because mod_remoteip will change REMOTE_ADDR (to the value of the
>> header) only if CONN_REMOTE_ADDR (the proxy) is trusted, so if both
>> are equal it means that CONN_REMOTE_ADDR is not a trusted proxy.
>>
>> >   RewriteRule ^ - [F]
>> >
>> > With "proxies.list" containing the same list as mod_cloudflare's ([1]).
>> >
>> > Hth,
>> > Yann.
>> >
>> > [1]
>> https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c#L44
>>

Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip

Posted by baptx <ba...@gmail.com>.
Thanks Yann, it worked.

I used RemoteIPTrustedProxy instead of RemoteIPTrustedProxyList in
/etc/apache2/conf-available/remoteip.conf (from Cloudflare example:
https://support.cloudflare.com/hc/en-us/articles/360029696071-Restoring-original-visitor-IPs-Option-2-Installing-mod-remoteip-with-Apache#12345680
).
Then I just had to add this in the virtualhosts that I want to protect:
RewriteEngine on
RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
RewriteRule ^ - [F]

I tested the bypass like that in case someone is interested (the 4 commands
should return a 403 Forbidden error):
curl http://1.2.3.4 -H "Host: correct.tld"
curl http://1.2.3.4 -H "Host: wrong.tld"
curl -k https://1.2.3.4 -H "Host: correct.tld"
curl -k https://1.2.3.4 -H "Host: wrong.tld"
Where 1.2.3.4 should be replaced by your server IP address and correct.tld
should be replaced by a correct domain name used by your server.
The commands try to bypass the reverse proxy both for HTTP and HTTPS. They
also try to guess if a domain name is used by the server, by sending a
correct and wrong Host header.
To prevent someone from finding which domain name is used by your IP
address by looking at the 403 Forbidden error page, the virtualhost used by
the IP address should not use the same 403 Forbidden error page as the
domain name.

Baptiste


On Sat, 25 Apr 2020 at 00:24, Yann Ylavic <yl...@gmail.com> wrote:

> On Sat, Apr 25, 2020 at 12:17 AM Yann Ylavic <yl...@gmail.com> wrote:
> >
> > Hi,
> >
> > On Fri, Apr 24, 2020 at 10:49 PM bapt x <ba...@gmail.com> wrote:
> > >
> > > Is there a way to have the same functionality as the directive
> DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
> > > I would like to block access to users who try to bypass Cloudflare
> reverse proxy (e.g. accessing my web server directly by guessing the IP
> address). It looks like iptables is not a solution since I still want to
> host some websites without Cloudflare.
> >
> > I did not try, but possibly a mix of mod_remoteip and mod_rewrite like
> this:
> >
> >   RemoteIPHeader CF-Connecting-IP
> >   RemoteIPTrustedProxyList /path/to/proxies.list
> >   RewriteEngine on
> >   RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>
> Err, this should be:
>     RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
> because mod_remoteip will change REMOTE_ADDR (to the value of the
> header) only if CONN_REMOTE_ADDR (the proxy) is trusted, so if both
> are equal it means that CONN_REMOTE_ADDR is not a trusted proxy.
>
> >   RewriteRule ^ - [F]
> >
> > With "proxies.list" containing the same list as mod_cloudflare's ([1]).
> >
> > Hth,
> > Yann.
> >
> > [1]
> https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c#L44
>

Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip

Posted by Yann Ylavic <yl...@gmail.com>.
On Sat, Apr 25, 2020 at 12:24 AM Yann Ylavic <yl...@gmail.com> wrote:
>
> On Sat, Apr 25, 2020 at 12:17 AM Yann Ylavic <yl...@gmail.com> wrote:
> >
> > Hi,
> >
> > On Fri, Apr 24, 2020 at 10:49 PM bapt x <ba...@gmail.com> wrote:
> > >
> > > Is there a way to have the same functionality as the directive DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
> > > I would like to block access to users who try to bypass Cloudflare reverse proxy (e.g. accessing my web server directly by guessing the IP address). It looks like iptables is not a solution since I still want to host some websites without Cloudflare.
> >
> > I did not try, but possibly a mix of mod_remoteip and mod_rewrite like this:
> >
> >   RemoteIPHeader CF-Connecting-IP
> >   RemoteIPTrustedProxyList /path/to/proxies.list
> >   RewriteEngine on
> >   RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>
> Err, this should be:
>     RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
> because mod_remoteip will change REMOTE_ADDR (to the value of the
> header) only if CONN_REMOTE_ADDR (the proxy) is trusted, so if both
> are equal it means that CONN_REMOTE_ADDR is not a trusted proxy.
>
> >   RewriteRule ^ - [F]
> >
> > With "proxies.list" containing the same list as mod_cloudflare's ([1]).

Actually, if this works, a simpler way to do it (with the core
authorization mechanism) is:
   RemoteIPHeader CF-Connecting-IP
   RemoteIPTrustedProxyList /path/to/proxies.list
   Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"

> >
> > Hth,
> > Yann.
> >
> > [1] https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c#L44


Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip

Posted by Yann Ylavic <yl...@gmail.com>.
On Sat, Apr 25, 2020 at 12:17 AM Yann Ylavic <yl...@gmail.com> wrote:
>
> Hi,
>
> On Fri, Apr 24, 2020 at 10:49 PM bapt x <ba...@gmail.com> wrote:
> >
> > Is there a way to have the same functionality as the directive DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
> > I would like to block access to users who try to bypass Cloudflare reverse proxy (e.g. accessing my web server directly by guessing the IP address). It looks like iptables is not a solution since I still want to host some websites without Cloudflare.
>
> I did not try, but possibly a mix of mod_remoteip and mod_rewrite like this:
>
>   RemoteIPHeader CF-Connecting-IP
>   RemoteIPTrustedProxyList /path/to/proxies.list
>   RewriteEngine on
>   RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"

Err, this should be:
    RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
because mod_remoteip will change REMOTE_ADDR (to the value of the
header) only if CONN_REMOTE_ADDR (the proxy) is trusted, so if both
are equal it means that CONN_REMOTE_ADDR is not a trusted proxy.

>   RewriteRule ^ - [F]
>
> With "proxies.list" containing the same list as mod_cloudflare's ([1]).
>
> Hth,
> Yann.
>
> [1] https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c#L44


Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip

Posted by Yann Ylavic <yl...@gmail.com>.
Hi,

On Fri, Apr 24, 2020 at 10:49 PM bapt x <ba...@gmail.com> wrote:
>
> Is there a way to have the same functionality as the directive DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
> I would like to block access to users who try to bypass Cloudflare reverse proxy (e.g. accessing my web server directly by guessing the IP address). It looks like iptables is not a solution since I still want to host some websites without Cloudflare.

I did not try, but possibly a mix of mod_remoteip and mod_rewrite like this:

  RemoteIPHeader CF-Connecting-IP
  RemoteIPTrustedProxyList /path/to/proxies.list
  RewriteEngine on
  RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
  RewriteRule ^ - [F]

With "proxies.list" containing the same list as mod_cloudflare's ([1]).

Hth,
Yann.

[1] https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c#L44
