Posted to users@httpd.apache.org by Carlos André <ca...@gmail.com> on 2009/10/28 13:05:37 UTC

[users@httpd] Reverse proxy like DNAT, any chance? :)

Hi ppl,

Maybe it looks like a stupid question, but is there any way to make
Apache, acting as a "reverse proxy", send the original source IP to the
destination? Like iptables DNAT?

Because I need to protect users/server (HTTPS) and the webserver (IDS), but my
SSL-out box (Apache RP) sends its own IP to the Apache webserver, not the
original source... then I can't just block the SSL-out box IP (but I need an
active response from Snort... even passive, a lot of alerts from the
SSL-out IP don't help so much).

Here is my conf: INTERNET---HTTPS---SSLOUTBOX---HTTP---IDS---WEBSERVER

Thanks :)

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Reverse proxy like DNAT, any chance? :)

Posted by Carlos André <ca...@gmail.com>.
Hi Emmanuel,

I'm using Snort.
It doesn't (yet) permit use of "X-Forwarded-For" :(
Anyway, since I can't block the IP of the SSL-out box, then when this feature comes
out I can't put an inline IDS with an active response function on the same box.
Maybe an IDS sensor after the SSL-out box, then, on an event... send a command
to the SSL-out box to DROP the attacker IP...  Or just put the IDS and SSL-out on the
same box... (I prefer to segregate; anyway, sending a DROP command to
another box will slow down the response a little...) If any event is detected
from an X-Forwarded IP then just put it in iptables (-I INPUT -s
<X-Forwarded-For> -j DROP) or something like that...


On Wed, Oct 28, 2009 at 9:29 AM, Emmanuel Bailleul
<Em...@telindus.fr> wrote:
>> -----Original Message-----
>> From: Carlos André [mailto:candrecn@gmail.com]
>> Sent: Wednesday 28 October 2009 13:06
>> To: users@httpd.apache.org
>> Subject: [users@httpd] Reverse proxy like DNAT, any chance? :)
>>
>> Hi ppl,
>>
>> Maybe it looks like a stupid question, but is there any way to make
>> Apache, acting as a "reverse proxy", send the original source IP to the
>> destination? Like iptables DNAT?
>>
>> Because I need to protect users/server (HTTPS) and the webserver (IDS), but my
>> SSL-out box (Apache RP) sends its own IP to the Apache webserver, not the
>> original source... then I can't just block the SSL-out box IP (but I need an
>> active response from Snort... even passive, a lot of alerts from the
>> SSL-out IP don't help so much).
>>
>> Here is my conf: INTERNET---HTTPS---SSLOUTBOX---HTTP---IDS---WEBSERVER
>>
>> Thanks :)
>>
>
> Hi,
>
> Would there be any chance your IDS could extract the source address from the "X-Forwarded-For" header instead of the source IP?
>
> Regards.
>
> Emmanuel
>

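The "read X-Forwarded-For, then iptables -I INPUT -s <ip> -j DROP" idea from the reply above, worked through as an added Python example; this is not code from the thread, nor from the Apache or Snort projects. It assumes the reverse proxy appends the address it accepted the connection from to X-Forwarded-For (which is what Apache mod_proxy_http does), and all addresses are constructed: 192.0.2.10 stands in for the SSL-out box, 10.0.0.0/8 for the internal network. The check the thread does not mention is the reason the parser walks the header from the right: every entry in X-Forwarded-For except the ones appended by your own proxy is text the client typed, so a responder that trusts the leftmost value can be made to firewall off any address the attacker names, internal hosts included. A connection whose TCP peer is not the proxy at all must ignore the header and treat the peer as the client.

```python
import ipaddress

# Constructed addresses for this example; none of them come from the thread.
# 192.0.2.10 plays the SSL-out box (the only host allowed to set the header).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]
# Ranges an automated responder must never firewall off, whatever a header says:
# the proxy's own segment, RFC 1918 space behind it, and loopback.
NEVER_BLOCK = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def parse_headers(raw_request):
    """Return {lower-cased name: value} for the header block of a raw HTTP request."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if line == "":                            # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def in_any(addr, networks):
    return any(addr in net for net in networks)


def client_ip_from_xff(xff, trusted=TRUSTED_PROXIES):
    """Pick the client address out of X-Forwarded-For.

    Each proxy appends the address it saw, so the header reads
    "<whatever the client sent>, <added by our proxy>". Only the rightmost
    entries, written by hops we trust, are reliable; everything to the left
    is attacker-controlled text. Walk right to left, skip our own proxies,
    and take the first address that is not ours.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None        # malformed entry in a trusted position: refuse to act
        if not in_any(addr, trusted):
            return addr
    return None                # only our own proxies in the chain


def drop_command(peer_ip, raw_request, trusted=TRUSTED_PROXIES, never_block=NEVER_BLOCK):
    """Turn an alert on (TCP peer, request) into an iptables argv list, or None.

    peer_ip is the source address of the TCP connection as the sensor saw it.
    """
    peer = ipaddress.ip_address(peer_ip)
    if in_any(peer, trusted):
        # Came through the SSL-out box: the header is the only place the real
        # client address survives.
        xff = parse_headers(raw_request).get("x-forwarded-for")
        addr = client_ip_from_xff(xff, trusted) if xff else None
    else:
        # Reached the sensor without passing the proxy: the header is
        # meaningless, so ignore it and treat the peer itself as the client.
        addr = peer
    if addr is None or in_any(addr, never_block):
        return None
    return ["iptables", "-I", "INPUT", "-s", str(addr), "-j", "DROP"]


# Constructed sample traffic: (TCP peer seen by the sensor, raw request).
SAMPLE_REQUESTS = [
    # Ordinary client behind the SSL-out box.
    ("192.0.2.10",
     "GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n"
     "X-Forwarded-For: 203.0.113.5\r\n\r\n"),
    # Client pre-loaded the header with an internal address hoping the
    # responder blocks it; the proxy appended the real source afterwards.
    ("192.0.2.10",
     "GET /?id=1%27%20OR%201=1-- HTTP/1.1\r\nHost: www.example.com\r\n"
     "X-Forwarded-For: 10.0.0.1, 203.0.113.77\r\n\r\n"),
    # Connection that bypassed the proxy entirely; the header is a lie.
    ("198.51.100.9",
     "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
     "X-Forwarded-For: 203.0.113.5\r\n\r\n"),
    # The proxy saw an internal host: nothing to block.
    ("192.0.2.10",
     "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
     "X-Forwarded-For: 10.0.0.44\r\n\r\n"),
]

if __name__ == "__main__":
    for peer, req in SAMPLE_REQUESTS:
        print(req.split("\r\n")[0], "from", peer, "->", drop_command(peer, req))
```

The block only builds the iptables argument list; the responder on the SSL-out box would hand it to subprocess.run, and should also expire the rules it adds, since a blocked address that never ages out is the easiest denial of service an attacker can buy with one forged request.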


RE: [users@httpd] Reverse proxy like DNAT, any chance? :)

Posted by Emmanuel Bailleul <Em...@telindus.fr>.
> -----Original Message-----
> From: Carlos André [mailto:candrecn@gmail.com]
> Sent: Wednesday 28 October 2009 13:06
> To: users@httpd.apache.org
> Subject: [users@httpd] Reverse proxy like DNAT, any chance? :)
> 
> Hi ppl,
> 
> Maybe it looks like a stupid question, but is there any way to make
> Apache, acting as a "reverse proxy", send the original source IP to the
> destination? Like iptables DNAT?
> 
> Because I need to protect users/server (HTTPS) and the webserver (IDS), but my
> SSL-out box (Apache RP) sends its own IP to the Apache webserver, not the
> original source... then I can't just block the SSL-out box IP (but I need an
> active response from Snort... even passive, a lot of alerts from the
> SSL-out IP don't help so much).
> 
> Here is my conf: INTERNET---HTTPS---SSLOUTBOX---HTTP---IDS---WEBSERVER
> 
> Thanks :)
> 

Hi,

Would there be any chance your IDS could extract the source address from the "X-Forwarded-For" header instead of the source IP?

Regards.

Emmanuel
