jvdmr / mod_evasive

Apache mod_evasive module
GNU General Public License v2.0

Get real IP address if behind a proxy #14

Closed gacha closed 4 years ago

gacha commented 4 years ago

When Apache is behind a proxy like a load balancer, the value of r->useragent_ip contains the IP of that proxy server, not the client's. So, if there is a value in the header X-Forwarded-For, use that instead; it is provided by the proxy.

You usually use this with a config in your virtualhost:

  RemoteIPHeader X-Forwarded-For
  RemoteIPTrustedProxy x.x.x.x/16

gacha commented 4 years ago

I'm starting to think that a variable DOSRemoteIPHeader should be introduced, and this functionality used only if that is set to some value: DOSRemoteIPHeader X-Forwarded-For.

Because if there is no proxy, the header could be set to some random IP each time and the real IP won't be blocked at all.

@jvdmr how do you think about this?

jvdmr commented 4 years ago

Sounds great. I agree that it would be better to make this optional and only activated on servers that are actually behind a proxy, because on public-facing servers the risk of abuse/circumvention of the entire thing seems high.

The trusted proxy IP would definitely also be a good addition to this feature, although it could also be a separate feature (or PR) altogether. I'm still doubting whether that option would mean all requests from any other IP should be blocked completely (effectively blacklisting all other IPs) or not. If not, I'm trying to figure out if there is any difference from the whitelisting feature, but I'm leaning towards the blacklist-everything-else option.

Of course the trusted proxy IP should also allow several values, for setups with more than one proxy/loadbalancer/...

gacha commented 4 years ago

Ok, then I will implement the DOSRemoteIPHeader option.

Those two settings I mentioned are from the Apache module mod_remoteip, which is enabled by default, and what I meant was that when the DOSRemoteIPHeader option is enabled then probably RemoteIPTrustedProxy needs to be used as well, to make sure the remote IP header is legit. As described here: https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html#remoteiptrustedproxy

gacha commented 4 years ago

@jvdmr I did more investigation and it turns out that if you use mod_remoteip properly, r->useragent_ip is set from the header X-Forwarded-For. So there is no need to do it twice.

jvdmr commented 4 years ago

That's great! I'm wondering if I should add that information to the README, but technically it has little to do with this module then... In any case, thanks for investigating!

CrossfireCurt commented 4 years ago

@gacha So glad I stumbled across this! Is it possible for you to share what your mod_remoteip configuration is? I have a similar situation where we're trying to use mod_evasive behind a proxy and cannot get it to recognize the client's IP; it ends up using the proxy IP instead.

edit: I think you can ignore me. I read through the documentation for mod_remoteip and have gotten some success. Thanks for your previous comments :)

gacha commented 4 years ago

One note on security. If you are using:

  RemoteIPHeader X-Forwarded-For

then you also have to trust only your load balancer:

  RemoteIPTrustedProxy 38.131.0.0/16

Otherwise, some hacker can easily change his IP on each request and mod_evasive won't help:

  curl -XPOST -H "X-Forwarded-For: 80.11.15.10" -d "user=admin&password=secret" https://example.com/sign_in

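The two conclusions of this thread, that mod_remoteip (not mod_evasive) is what fills r->useragent_ip from X-Forwarded-For, and that RemoteIPHeader without RemoteIPTrustedProxy lets a client pick its own address on every request, can be checked with a small model. The code below is an added illustration and is not code from mod_evasive or from mod_remoteip: resolve_useragent_ip is a simplified reimplementation of the right-to-left walk described in the mod_remoteip documentation (how the no-proxy-list case and private addresses are handled is an assumption of this model), offending_ips is a stand-in for mod_evasive's per-IP hit counting, and the traffic, the attacker address 203.0.113.7 and the load balancer address 38.131.4.5 are constructed for the example. Only 38.131.0.0/16 and 80.11.15.10 come from the thread.

```python
"""Model of which address mod_evasive ends up counting (r->useragent_ip) when
Apache sits behind a proxy, with and without mod_remoteip's trusted-proxy list.
Added illustration only; this is not mod_evasive's or mod_remoteip's code."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple, Union

# Ranges that mod_remoteip documents as never accepted as a client address when
# presented through a RemoteIPTrustedProxy (as opposed to RemoteIPInternalProxy).
_NOT_ACCEPTED_FROM_TRUSTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]
_IPV6_PUBLIC = ipaddress.ip_network("2000::/3")


@dataclass
class RemoteIPConfig:
    """The two mod_remoteip directives discussed in the thread."""
    header: Optional[str] = None                               # RemoteIPHeader
    trusted_proxies: List[str] = field(default_factory=list)   # RemoteIPTrustedProxy CIDRs


def _is_private_for_trusted(addr: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]) -> bool:
    if addr.version == 4:
        return any(addr in n for n in _NOT_ACCEPTED_FROM_TRUSTED)
    return addr not in _IPV6_PUBLIC


def resolve_useragent_ip(peer_ip: str, headers: Dict[str, str], cfg: RemoteIPConfig) -> str:
    """Address a request is attributed to (what mod_evasive sees in r->useragent_ip).

    Simplified model of the documented right-to-left walk; the exact treatment of
    the no-proxy-list case is an assumption of this example:
      * no RemoteIPHeader: the TCP peer is the client and the header is ignored;
      * RemoteIPHeader without RemoteIPTrustedProxy: every hop is believed, so the
        client gets to pick its own address;
      * with RemoteIPTrustedProxy: header entries are consumed from the right only
        while the address that presented them is a trusted proxy, and a private
        address presented by a trusted proxy is not accepted.
    """
    client = ipaddress.ip_address(peer_ip)
    if cfg.header is None:
        return str(client)
    chain = [h.strip() for h in headers.get(cfg.header, "").split(",") if h.strip()]
    nets = [ipaddress.ip_network(n, strict=False) for n in cfg.trusted_proxies]
    while chain:
        if nets and not any(client in n for n in nets):
            break  # whoever put `client` on the wire may not vouch for further hops
        try:
            candidate = ipaddress.ip_address(chain.pop())  # rightmost remaining entry
        except ValueError:
            break  # malformed entry: keep the last address we accepted
        if nets and _is_private_for_trusted(candidate):
            break
        client = candidate
    return str(client)


def offending_ips(requests: List[Tuple[str, Dict[str, str]]], cfg: RemoteIPConfig,
                  threshold: int) -> Set[str]:
    """Stand-in for mod_evasive's per-IP hit counting: the resolved addresses seen
    more than `threshold` times across `requests`, a list of (peer, headers) pairs."""
    hits = Counter(resolve_useragent_ip(peer, hdrs, cfg) for peer, hdrs in requests)
    return {ip for ip, n in hits.items() if n > threshold}


# Constructed traffic, not captured data. 203.0.113.7 is an attacker connecting to
# Apache directly; 38.131.4.5 is a load balancer inside the /16 from the thread,
# relaying a legitimate client at 80.11.15.10.
ATTACKER, LB, CLIENT = "203.0.113.7", "38.131.4.5", "80.11.15.10"


def flood_with_spoofed_xff(n: int) -> List[Tuple[str, Dict[str, str]]]:
    """The curl trick from the thread, repeated with a fresh fake address each time."""
    return [(ATTACKER, {"X-Forwarded-For": f"198.51.100.{i}"}) for i in range(n)]


def via_load_balancer(n: int) -> List[Tuple[str, Dict[str, str]]]:
    return [(LB, {"X-Forwarded-For": CLIENT}) for _ in range(n)]


NO_REMOTEIP = RemoteIPConfig()                                   # proxy IP gets counted
HEADER_ONLY = RemoteIPConfig(header="X-Forwarded-For")           # the weak setting
HARDENED = RemoteIPConfig(header="X-Forwarded-For",
                          trusted_proxies=["38.131.0.0/16"])     # the fix from the thread

if __name__ == "__main__":
    for name, cfg in (("no mod_remoteip", NO_REMOTEIP), ("header only", HEADER_ONLY),
                      ("header + trusted proxy", HARDENED)):
        print(f"{name:24} attacker flood blocks {offending_ips(flood_with_spoofed_xff(50), cfg, 10)}, "
              f"LB traffic blocks {offending_ips(via_load_balancer(50), cfg, 10)}")
```

Running it shows the three situations from the thread side by side: without mod_remoteip the load balancer's own address is what crosses the threshold, with RemoteIPHeader alone the attacker's 50 requests land on 50 different addresses and nothing is ever blocked, and with RemoteIPTrustedProxy the header is only honoured when the peer is the load balancer, so the direct attacker is counted under its real address.
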
semmel commented 2 years ago

Nice PR!

Using the idea, I was able to patch libapache-mod-evasive_1.10.1-4.debian (not this project here, though) to run our Ubuntu-20 Apache behind a proxy.

Thanks!