I’m using the Apache mod_rpaf module to capture client IP addresses in the X-Forwarded-For header passed by an Nginx reverse proxy. This is good for logging and CGI environments but mod_rpaf does not fix up the client IP address sufficiently to be used in Apache’s allow/deny access control directives.
Quoting the juicy bit from Almlys’s blog posting:
SetEnvIf X-Forwarded-For ^172\.26\.0\.17 let_me_in
Order allow,deny
allow from env=let_me_in
Clever.
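An added example (not from the original post or Almlys's blog) that checks the quoted SetEnvIf pattern against constructed X-Forwarded-For values, next to an end-anchored variant. It assumes Nginx sets the header with $proxy_add_x_forwarded_for, which appends the peer address to any value the client sent; the strict pattern, the addresses other than 172.26.0.17, and the function names are hypothetical.

```python
import re

# Pattern quoted in the post, and a tightened variant (added here, an assumption):
# anchored at the end and tied to the last, proxy-appended entry.
PAGE_PATTERN = r"^172\.26\.0\.17"
STRICT_PATTERN = r"(?:^|,\s*)172\.26\.0\.17$"


def nginx_forwarded_for(remote_addr, client_header=None):
    """Model nginx's $proxy_add_x_forwarded_for: append the peer address
    to whatever X-Forwarded-For value the client sent (assumed proxy config)."""
    if client_header:
        return f"{client_header}, {remote_addr}"
    return remote_addr


def let_me_in(pattern, header):
    """SetEnvIf sets the variable when the regex matches anywhere in the
    header value (search, not full match)."""
    return re.search(pattern, header) is not None


# Constructed requests as seen by the proxy: (label, peer address, client-sent header)
CASES = [
    ("backend via proxy", "172.26.0.17", None),
    ("neighbouring host", "172.26.0.170", None),
    ("outside client, own header", "203.0.113.9", "172.26.0.17"),
    ("outside client, no header", "203.0.113.9", None),
]


def evaluate(pattern):
    """Return {label: allowed} for every constructed case."""
    return {
        label: let_me_in(pattern, nginx_forwarded_for(addr, hdr))
        for label, addr, hdr in CASES
    }


if __name__ == "__main__":
    for name, pat in (("page", PAGE_PATTERN), ("strict", STRICT_PATTERN)):
        for label, allowed in evaluate(pat).items():
            print(f"{name:6} {label:28} {'allow' if allowed else 'deny'}")
```

The stricter pattern only holds if Apache accepts requests solely from the proxy, since a request sent directly to Apache can carry any header value.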

3 comments
October 23, 2008 at 4:02 am
Peter
I’m very familiar with mod_rpaf. I’m curious, if you’re doing some L3 based access control, why don’t you do it as an ACL on your router before it hits your proxy? Or don’t you control that router?
October 23, 2008 at 4:43 am
crashingdaily
I don’t control the routers. Anyway, I don’t think an ACL on the router will help in my environment – but I’m no expert in router ACLs, seeing as that I don’t get to play with them. Our websites (there are dozens of copies scattered across different networks and only a select few are proxied) are all accessible by any IP, they just require proper authentication. I’m using mod_auth_tkt for authentication and using Apache’s allow/deny access control to permit selected machines to have non-authenticated access. The proxy server is not one of the selected machines but I have cases where the backend Tomcat server will call a cgi script on the Apache server and that request routes through the Nginx proxy. In that situation, where the X-Forwarded-For is the backend server, I want the proxy server to have non-authenticated access. It may be possible – I need to review my actual configuration – for a third-party to forge an X-Forwarded-For and bypass the authentication but that’s not so bad for us, the AuthN is mostly just to keep casual interlopers out.
October 25, 2008 at 4:08 am
Peter
ah, okay… true words that the IP based “authentication” is just to keep out the casual riffraff. mod_rpaf is a pretty sweet solution to keeping your access logs useful behind proxy lbs.
have a good weekend!