Posted to users@httpd.apache.org by Jeff Nokes <je...@yahoo.com> on 2006/04/24 22:19:28 UTC

[users@httpd] mod_access and Client IP's from Load Balancers

Hi,
I'm running a mod_perl/Mason app at a fairly large company.  We have two pools of machines, each pool with its own pair of load balancers.  One pool uses F5 BigIP, and the other uses Netscaler.  The problem that I'm having is that the Apache variable REMOTE_ADDR seems to correctly represent the client IP address when the request is dispatched from the F5.  But with the Netscalers, REMOTE_ADDR always reflects the IP address of the load balancer itself.  Netscaler does provide the ability for us to define custom headers to maintain true client state info (i.e. the real client IP address), and that works fine for deriving the proper client IP inside the mod_perl app, as well as application logging.

The problem I'm having is that we have secret URIs (or Locations) in the application, that we restrict by internal IP addresses, as well as authentication.  All of these secret Locations are protected using mod_access deny/allow functionality.  But because of the way the Netscalers instantiate the incoming HTTP request with our individual nodes in the pool, we are always seeing the balancer's IP.  So, I've had to loosen my allow restrictions from what used to be class C subnets, to basically 10.* just to allow ourselves to access the secret Locations through the Netscaler pool.  That means if any outside user happens to guess the secret Location(s), they can get to the authentication part of the protection with 50% probability.

Our operations staff says we are sticking with F5's on the one pool, and Netscaler on the other, so I have to deal with the difference.  Also, we cannot add the equivalent pass-thru header in the F5's, like the NetScalers have.  How can I restrict a secret Location by IP or domain, if the Netscalers are incapable of preserving the real client IP when dispatching to the individual nodes in the pool, and we cannot have the F5's replicate the pass-thru header information the same as the Netscalers?

SetEnvIf is really not an option for us either, because we have business/marketing folks in offices around the world that access these secret locations.  It's just not realistic to have them all set some custom header or something, way too difficult from an IT perspective.

The only option I can think of is to abandon the access security at the apache level, and move it into the application.  Does anyone have any other ideas?

Ex. from our config:

      <LocationMatch "^/+(marketing/report.*)$">
        order deny,allow
        deny from all
        allow from  10  172.16  192.168
      </LocationMatch>

Our App:
- RedHat 7.2
- Apache 1.3.28
- mod_perl 1.29

Thanks in advance for any help you can offer.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] mod_access and Client IP's from Load Balancers

Posted by Joshua Slive <jo...@slive.ca>.
On 4/24/06, Jeff Nokes <je...@yahoo.com> wrote:
> Thanks for the reply!
>
> Yes, that is correct.
> But since I cannot use arbitrary headers, these options aren't viable for me.  Basically, I need to restrict the same Location, via a single restriction (preferably via IP subnets), using an explicit defined Header from 50% of web traffic [Netscaler], and the REMOTE_ADDR (or whatever mod_access uses to get the client IP) [BigIP] from the other 50%, at the same time; SetEnvIf will only help me with the Netscaler traffic.  I need a single solution to handle both scenarios.

As I said, you can ADD the new "Allow from" to your existing block to
get both restrictions.  You just need to make sure that those coming
through the BigIP can't fake the header that passes the IP address
from the Netscaler.  Otherwise, you can verify both the source IP and
the header, but it will require mod_rewrite.

Joshua.



Re: [users@httpd] mod_access and Client IP's from Load Balancers

Posted by Joost de Heer <sa...@xs4all.nl>.
Jeff Nokes wrote:
> Thanks for the reply!
>
> Yes, that is correct.
> But since I cannot use arbitrary headers, these options aren't viable for
> me.

Load Balancers should be able to set the X-Forwarded-For header (I know F5
can do it, no idea about NetScaler, but I'm fairly sure it should be
possible). Note that this only works for http requests, if you want to
insert the header for https you need to do SSL offloading on the
loadbalancer.

Joost




Re: [users@httpd] mod_access and Client IP's from Load Balancers

Posted by Jeff Nokes <je...@yahoo.com>.
Thanks for the reply!

Yes, that is correct.
But since I cannot use arbitrary headers, these options aren't viable for me.  Basically, I need to restrict the same Location, via a single restriction (preferably via IP subnets), using an explicit defined Header from 50% of web traffic [Netscaler], and the REMOTE_ADDR (or whatever mod_access uses to get the client IP) [BigIP] from the other 50%, at the same time; SetEnvIf will only help me with the Netscaler traffic.  I need a single solution to handle both scenarios.

Thanks,
- Jeff

----- Original Message ----
From: Joshua Slive <jo...@slive.ca>
To: users@httpd.apache.org; Jeff Nokes <je...@yahoo.com>
Sent: Monday, April 24, 2006 2:09:37 PM
Subject: Re: [users@httpd] mod_access and Client IP's from Load Balancers

On 4/24/06, Jeff Nokes <je...@yahoo.com> wrote:
>
>
>       <LocationMatch "^/+(marketing/report.*)$">
>         order deny,allow
>         deny from all
>         allow from  10  172.16  192.168
>       </LocationMatch>

mod_rewrite or mod_setenvif can do access control based on arbitrary
headers.  So assuming you have an X-Remote-IP header, you could do
SetEnvIf X-Remote-IP ^10\..* good-guy
SetEnvIf X-Remote-IP ^172\.16\..* good-guy
SetEnvIf X-Remote-IP ^192\.168\..* good-guy
and then add
Allow from env=good-guy
to the above block.

Joshua.



Re: [users@httpd] mod_access and Client IP's from Load Balancers

Posted by Joshua Slive <jo...@slive.ca>.
On 4/24/06, Jeff Nokes <je...@yahoo.com> wrote:
>
>
>       <LocationMatch "^/+(marketing/report.*)$">
>         order deny,allow
>         deny from all
>         allow from  10  172.16  192.168
>       </LocationMatch>

mod_rewrite or mod_setenvif can do access control based on arbitrary
headers.  So assuming you have an X-Remote-IP header, you could do
SetEnvIf X-Remote-IP ^10\..* good-guy
SetEnvIf X-Remote-IP ^172\.16\..* good-guy
SetEnvIf X-Remote-IP ^192\.168\..* good-guy
and then add
Allow from env=good-guy
to the above block.

Joshua.
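Joshua's suggestion above (SetEnvIf on the forwarded header plus an extra "Allow from env=") and his caveat in the other reply that BigIP clients must not be able to fake that header both come down to one rule: believe the header only when the TCP peer is actually a Netscaler, and fall back to REMOTE_ADDR otherwise. The following is an added example that models that decision in Python; it is not code from the thread or from Apache. The balancer address 192.0.2.10, the header name X-Remote-IP and the sample requests are constructed placeholders.

```python
import ipaddress

# Constructed placeholders: the Netscaler's address as seen by the web
# nodes, and the header it is configured to insert (Joshua's hypothetical
# X-Remote-IP). Neither value comes from the thread.
NETSCALER_ADDRS = {ipaddress.ip_address("192.0.2.10")}
CLIENT_IP_HEADER = "x-remote-ip"

# Same subnets as Jeff's "allow from 10 172.16 192.168": mod_access treats a
# partial dotted address as a prefix, so 172.16 means 172.16.0.0/16.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/16", "192.168.0.0/16")]


def effective_client_ip(remote_addr, headers):
    """Return the address access control should use, or None to deny.

    The header is consulted only when the peer is a trusted Netscaler. A
    client arriving through the BigIP (where REMOTE_ADDR is already the real
    client) or directly from the Internet can send the same header, but it
    is never read for those peers, which closes the spoofing hole.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in NETSCALER_ADDRS:
        return peer
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(CLIENT_IP_HEADER)
    if not raw:
        # Balancer peer without the header: fail closed rather than
        # evaluating the balancer's own (possibly internal) address.
        return None
    # If the balancer appends to a client-supplied list (X-Forwarded-For
    # style), only the last element was written by the trusted hop.
    last_hop = raw.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last_hop)
    except ValueError:
        return None


def is_allowed(remote_addr, headers):
    """Equivalent of the deny-all / allow-internal block for one request."""
    ip = effective_client_ip(remote_addr, headers)
    return ip is not None and any(ip in net for net in INTERNAL_NETS)
```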
