blocking IP not working on cluster server

Forum Moderators: phranque

Message Too Old, No Replies

blocking IP not working on cluster server

FromBelgium

5:39 pm on Sep 3, 2008 (gmt 0)

I try to block certain IP's in my .htaccess with "deny from IPaddress" but it is not working.

If I look in phpinfo() the variable _SERVER["HTTP_X_CLUSTER_CLIENT_IP"] is the IP address of the user, whereas _SERVER["REMOTE_ADDR"] is the local IP address of the server. I guess that . htaccess is only using SERVER["REMOTE_ADDR"]. Is there a way to block an IP address on cluster system?

jdMorgan

6:56 pm on Sep 3, 2008 (gmt 0)

You could try something like:


SetEnvIf HTTP_X_CLUSTER_CLIENT_IP 192.168.0.1 block
...
SetEnvIf HTTP_X_CLUSTER_CLIENT_IP 10.0.10.100 block
Deny from env=block

An alternative would be to configure the front-end server (reverse proxy configuration) to send the standard HTTP_X_FORWARDED_FOR header to the back-end machine, and then test that header in the back-end code.

Finally, if neither of these mod_access solutions work, you could use mod_rewrite, which allows testing of any arbitrary HTTP header using RewriteCond %{HTTP:Any_Header_Here}

The problem with the mod_rewrite solution is that it is a bit harder to maintain -- It just doesn't "read" as clearly, and you must remember to put an [OR] flag on every RewriteCond but the last one...

Also, since you're talking about a fairly sophisticated front-end/back-end system here, can you block IP addresses at a firewall -- either a hardware firewall or via front-end machine software?

A hardware firewall is the best choice, followed by a software firewall on the front-end, and finally a firewall or httpd/.htaccess code on the back-end. But the sooner you can reject the requests, the smaller your exploit exposure will be, and the cleaner your log files will be.

Jim

FromBelgium

8:12 pm on Sep 3, 2008 (gmt 0)

Jim, thanks for your suggestions. Unfortunatele below instructions did not block my own computer (using my actual IP address):

SetEnvIf HTTP_X_CLUSTER_CLIENT_IP 10.0.10.100 block
Deny from env=block

RewriteEngine On
RewriteCond %{HTTP_X_CLUSTER_CLIENT_IP} ^10\.0\.10\.100
RewriteRule .* - [F]

jdMorgan

11:29 pm on Sep 3, 2008 (gmt 0)

You have to watch the syntax of the RewriteCond; It "knows" about some variables (the ones listed in the docs, such as HTTP_USER_AGENT), while providing an "extension syntax" for headers that it doesn't internally recognize:


RewriteCond %{[b]HTTP:[/b]HTTP_X_Cluster_Client_IP} ^10\.0\.10\.100$

See the notes in the RewriteCond documentation for all the details -- You may have to experiment (or record the actual incoming HTTP request record) to get the variable name "just right", but it will need to be tagged with "HTTP:" as shown for mod_rewrite.

Jim

jsweeny

5:47 pm on Sep 23, 2008 (gmt 0)

in Perl, I can see the value of $ENV{'HTTP_X_CLUSTER_CLIENT_IP'}, but I seem to have trouble getting to the value in my .htaccess file.

I have tried both of the following with no success:
%{HTTP:HTTP_X_CLUSTER_CLIENT_IP}
%{ENV:HTTP_X_CLUSTER_CLIENT_IP}

any ideas?

jsweeny

6:51 pm on Sep 23, 2008 (gmt 0)

this does it for me:

%{HTTP:X-Cluster-Client-Ip}

FromBelgium

7:21 pm on Sep 23, 2008 (gmt 0)

Thanks jsweeny for your tip!
Now I can finally block an IP address:

SetEnvIf X-Cluster-Client-Ip 10.0.10.100 block
Deny from env=block