apache behind proxy ip alternative

Ich sag es mal so, gewußt wie, ist so etwas in 5 min durch.

Folgende Aufgabe war zu lösen.
Ein Apache der als Proxy konfiguriert ist, gibt die Anfragen weiter an einen weiter hinten stehenden Apache Webserver.
Dort kommt nur die IP Adresse des Apache Proxy an. Was auch völlig OK ist. Um jetzt die Seiten vor Zugriffen einzuschränken etc. Wird es nun schwer.

Es gibt hier verschiedene Varianten. Eine Variante die immer und überall zu finden ist Apache X-Forwarded-For Header oder mod_rpaf. Bei Red Hat gibt es sogar einen Eintrag dazu https://access.redhat.com/solutions/470883 das es hier keinen Support gibt.

Also was tun? Ich finde beide Lösungen schon brauchbar. Ich habe durch zufall in einem anderen Blog einen Eintrag bei den Kommentaren gelesen. Es gibt eine Alternative Namens “mod_extract_forwarded”

http://www.ctkn.net/2011/10/install-mod_rpaf-on-centos-5-centos-6/

http://rpm.pbone.net/index.php3/stat/4/idpl/16934135/dir/redhat_el_6/com/mod_extract_forwarded-2.0.2-8.el6.x86_64.rpm.html

Nach kurzem Test, erfüllt genau was es soll.

Wenn das Packet installiert ist. Wird eine Conf Datei mit dem Namen mod_extract_forwarded.conf angelegt. Diese Conf Datei sollte noch kurz angeschaut werden und wenn notwendig angepasst werden.

In seiner Vhost conf kann nun folgendes eingebaut werden.
Um den Zugriff von außen zu blocken.

location
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from 48.218.133.111
Allow from 10.
Allow from 45.125.47.22
location

LoadModule extract_forwarded_module modules/mod_extract_forwarded.so

# MEForder can have either of two value ‘refuse,accept’ or ‘accept,refuse’ and
# specifies the order in which the information in two associated directives,
# MEFaccept and MEFrefuse, are intepreted. The MEFaccept and MEFrefuse
# directives are each used to spcifiy one or more IP numbers.

MEForder refuse,accept

# MEFrefuse can be ‘all’ OR a list of IP numbers and/or domain names of trusted
# proxy servers whose IP number can be derived by DNS from the domain name.
# The presence of ‘all’ overrides any particular IP numbers and means that no
# proxy servers are to be trusted. Individual IP numbers mean that those proxy
# servers having them are not to be trusted. This defaults to ‘all’.

#MEFrefuse all

# MEFaccept can be ‘all’ OR a list of IP numbers and/or domain names of trusted
# proxy servers whose IP number can be derived by DNS from the domain name.
# The presence of ‘all’ overrides any particular IP numbers and means that all
# proxy servers are to be trusted.
# Individual IP numbers mean that those the proxy servers having them are to be
# trusted. This defaults to an empty list of trusted IP numbers.

# MEFaccept 1.2.3.4 1.2.3.5

MEFaccept all

# Normal mode of use is to say:
#
# MEForder refuse,accept
# MEFrefuse all
# MEFaccept space separated list of your trusted proxy servers’ IP numbers
#
# with the MEForder directive saying apply the MEFrefuse rule first then the
# MEFaccept rule.
# The MEFrefuse rule says do not trust any proxy servers but this is selectively
# overridden for particular IP numbers listed by the MEFaccept directive.

# MEFaddenv can be ‘off’, ‘on’ (the default) or a string. ‘off’ means that when
# spoofing, do not add an environment variable whose value is the IP number of
# the connecting machine. ‘on’ means that when spoofing, add an environment
# variable called ‘MEF_RPROXY_ADDR’ whose value is the IP number of the
# connecting machine.
# A string means that when spoofing, add an environment variable named by the
# string supplied whose value is the IP number of the connecting machine.

MEFaddenv on

# MEFdebug can be ‘on’ or ‘off’ (the default). When turned ‘on’ information
# about how the mod_extract_forwarded module is processing every request to your
# Apache 2 server, and any associated internal redirects or subsrequests, is
# written to the server’s error_log.
# The amount of output written and the way it is generated is such that you
# would never normally want to turn this feature on.
# This feature is intended for debugging operation of the mod_extract_forwarded
# module and it is unlikely you will want to do that.

MEFdebug off

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s