
Apache Web Server Forum

    
blocking IP not working on cluster server
FromBelgium




msg:3737536
 5:39 pm on Sep 3, 2008 (gmt 0)

I try to block certain IPs in my .htaccess with "deny from IPaddress" but it is not working.

If I look in phpinfo() the variable _SERVER["HTTP_X_CLUSTER_CLIENT_IP"] is the IP address of the user, whereas _SERVER["REMOTE_ADDR"] is the local IP address of the server. I guess that .htaccess is only using SERVER["REMOTE_ADDR"]. Is there a way to block an IP address on a cluster system?

 

jdMorgan




msg:3737594
 6:56 pm on Sep 3, 2008 (gmt 0)

You could try something like:

SetEnvIf HTTP_X_CLUSTER_CLIENT_IP 192.168.0.1 block
...
SetEnvIf HTTP_X_CLUSTER_CLIENT_IP 10.0.10.100 block
Deny from env=block

An alternative would be to configure the front-end server (reverse proxy configuration) to send the standard HTTP_X_FORWARDED_FOR header to the back-end machine, and then test that header in the back-end code.

Finally, if neither of these mod_access solutions works, you could use mod_rewrite, which allows testing of any arbitrary HTTP header using RewriteCond %{HTTP:Any_Header_Here}

The problem with the mod_rewrite solution is that it is a bit harder to maintain -- It just doesn't "read" as clearly, and you must remember to put an [OR] flag on every RewriteCond but the last one...

Also, since you're talking about a fairly sophisticated front-end/back-end system here, can you block IP addresses at a firewall -- either a hardware firewall or via front-end machine software?

A hardware firewall is the best choice, followed by a software firewall on the front-end, and finally a firewall or httpd/.htaccess code on the back-end. But the sooner you can reject the requests, the smaller your exploit exposure will be, and the cleaner your log files will be.

Jim

FromBelgium




msg:3737687
 8:12 pm on Sep 3, 2008 (gmt 0)

Jim, thanks for your suggestions. Unfortunately, the instructions below did not block my own computer (using my actual IP address):

SetEnvIf HTTP_X_CLUSTER_CLIENT_IP 10.0.10.100 block
Deny from env=block

RewriteEngine On
RewriteCond %{HTTP_X_CLUSTER_CLIENT_IP} ^10\.0\.10\.100
RewriteRule .* - [F]

jdMorgan




msg:3737823
 11:29 pm on Sep 3, 2008 (gmt 0)

You have to watch the syntax of the RewriteCond; it "knows" about some variables (the ones listed in the docs, such as HTTP_USER_AGENT), while providing an "extension syntax" for headers that it doesn't internally recognize:

RewriteCond %{HTTP:HTTP_X_Cluster_Client_IP} ^10\.0\.10\.100$

See the notes in the RewriteCond documentation for all the details -- You may have to experiment (or record the actual incoming HTTP request record) to get the variable name "just right", but it will need to be tagged with "HTTP:" as shown for mod_rewrite.

Jim

jsweeny




msg:3750621
 5:47 pm on Sep 23, 2008 (gmt 0)

In Perl, I can see the value of $ENV{'HTTP_X_CLUSTER_CLIENT_IP'}, but I seem to have trouble getting to the value in my .htaccess file.

I have tried both of the following with no success:
%{HTTP:HTTP_X_CLUSTER_CLIENT_IP}
%{ENV:HTTP_X_CLUSTER_CLIENT_IP}

Any ideas?

jsweeny




msg:3750659
 6:51 pm on Sep 23, 2008 (gmt 0)

This does it for me:

%{HTTP:X-Cluster-Client-Ip}

FromBelgium




msg:3750681
 7:21 pm on Sep 23, 2008 (gmt 0)

Thanks jsweeny for your tip!
Now I can finally block an IP address:

SetEnvIf X-Cluster-Client-Ip 10.0.10.100 block
Deny from env=block
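
Added example, not part of any post in this thread: the working rule from the last post with its pattern escaped and anchored, next to the mod_rewrite form discussed earlier. It assumes Apache 2.2-style access control and that the front end sets X-Cluster-Client-Ip itself, overwriting any value the client sends; the two addresses are the sample values used in the thread.

```apache
# SetEnvIf treats its second argument as a regular expression.
# Unescaped and unanchored, the pattern
#   SetEnvIf X-Cluster-Client-Ip 10.0.10.100 block
# also matches 10.0.10.1001 and 110.0.10.100, and each "." matches any character.
# Escaping the dots and anchoring with ^ and $ limits the match to one address.
# The name is the HTTP header as sent on the wire (X-Cluster-Client-Ip),
# not the CGI variable seen in phpinfo() or Perl (HTTP_X_CLUSTER_CLIENT_IP).
SetEnvIf X-Cluster-Client-Ip ^10\.0\.10\.100$ block
SetEnvIf X-Cluster-Client-Ip ^192\.168\.0\.1$ block

Order Allow,Deny
Allow from all
Deny from env=block

# Alternative using mod_rewrite (use one approach or the other, not both).
# Every RewriteCond except the last needs the [OR] flag.
RewriteEngine On
RewriteCond %{HTTP:X-Cluster-Client-Ip} ^10\.0\.10\.100$ [OR]
RewriteCond %{HTTP:X-Cluster-Client-Ip} ^192\.168\.0\.1$
RewriteRule .* - [F]
```

A block keyed on this header is only as reliable as the front end that writes it, which is one more reason to prefer rejecting at the firewall or front-end machine as suggested earlier in the thread.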
