Re: Only allow reverse proxy traffic with mod_remoteip

I meant == instead of != like you corrected.


On Sat, 25 Apr 2020 at 13:08, baptx <baptx.is@xxxxxxxxx> wrote:
Thanks Yann, it worked.

I used RemoteIPTrustedProxy instead of RemoteIPTrustedProxyList in /etc/apache2/conf-available/remoteip.conf (from Cloudflare example: https://support.cloudflare.com/hc/en-us/articles/360029696071-Restoring-original-visitor-IPs-Option-2-Installing-mod-remoteip-with-Apache#12345680).
Then I just had to add this in the virtualhosts that I want to protect:
RewriteEngine on
RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
RewriteRule ^ - [F]

I tested the bypass like that in case someone is interested (the 4 commands should return a 403 Forbidden error):
curl http://1.2.3.4 -H "Host: correct.tld"
curl http://1.2.3.4 -H "Host: wrong.tld"
curl -k https://1.2.3.4 -H "Host: correct.tld"
curl -k https://1.2.3.4 -H "Host: wrong.tld"
Where 1.2.3.4 should be replaced by your server IP address and correct.tld should be replaced by a correct domain name used by your server.
The commands try to bypass the reverse proxy both for HTTP and HTTPS. They also try to guess if a domain name is used by the server, by sending a correct and wrong Host header.
To prevent someone from finding which domain name is used by your IP address by looking at the 403 Forbidden error page, the virtualhost used by the IP address should not use the same 403 Forbidden error page as the domain name.

Baptiste


On Sat, 25 Apr 2020 at 00:24, Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
On Sat, Apr 25, 2020 at 12:17 AM Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
>
> Hi,
>
> On Fri, Apr 24, 2020 at 10:49 PM bapt x <baptx.is@xxxxxxxxx> wrote:
> >
> > Is there a way to have the same functionality as the directive DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
> > I would like to block access to users who try to bypass Cloudflare reverse proxy (e.g. accessing my web server directly by guessing the IP address). It looks like iptables is not a solution since I still want to host some websites without Cloudflare.
>
> I did not try, but possibly a mix of mod_remoteip and mod_rewrite like this:
>
>   RemoteIPHeader CF-Connecting-IP
>   RemoteIPTrustedProxyList /path/to/proxies.list
>   RewriteEngine on
>   RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"

Err, this should be:
    RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
because mod_remoteip will change REMOTE_ADDR (to the value of the
header) only if CONN_REMOTE_ADDR (the proxy) is trusted, so if both
are equal it means that CONN_REMOTE_ADDR is not a trusted proxy.

>   RewriteRule ^ - [F]
>
> With "proxies.list" containing the same list as mod_cloudflare's ([1]).
>
> Hth,
> Yann.
>
> [1] https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c#L44
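Added illustration, not code from the thread or from httpd: a small Python model of the rule Yann describes, showing that REMOTE_ADDR is only rewritten when the TCP peer is a trusted proxy, so the corrected "==" condition yields a 403 exactly for requests that did not arrive through the proxy, including direct requests that carry a forged CF-Connecting-IP header. The trusted-proxy list is a constructed placeholder rather than Cloudflare's real ranges, the header is assumed to hold a single address, and RemoteIPInternalProxy is not modelled.

```python
import ipaddress

# Constructed stand-in for /path/to/proxies.list; NOT Cloudflare's real ranges.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("203.0.113.0/24", "2001:db8::/32")]

# Blocks that RemoteIPTrustedProxy (unlike RemoteIPInternalProxy) refuses to
# accept as a client address, per the mod_remoteip documentation.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "169.254.0.0/16", "127.0.0.0/8")]


def is_trusted_proxy(conn_remote_addr):
    """True if the TCP peer (CONN_REMOTE_ADDR) is a listed trusted proxy."""
    peer = ipaddress.ip_address(conn_remote_addr)
    return any(peer in net for net in TRUSTED_PROXIES)


def is_public_client(ip):
    """Trusted (not internal) proxies may only report public client addresses."""
    if ip.version == 6:
        return ip in ipaddress.ip_network("2000::/3")
    return not any(ip in net for net in NON_PUBLIC)


def effective_remote_addr(conn_remote_addr, cf_connecting_ip):
    """Model of RemoteIPHeader CF-Connecting-IP: REMOTE_ADDR becomes the header
    value only when the peer is trusted and the header holds a usable public
    address; otherwise it stays equal to CONN_REMOTE_ADDR."""
    if cf_connecting_ip is None or not is_trusted_proxy(conn_remote_addr):
        return conn_remote_addr      # header from an untrusted peer is ignored
    try:
        client = ipaddress.ip_address(cf_connecting_ip.strip())
    except ValueError:
        return conn_remote_addr      # unparsable header value, keep the peer
    if not is_public_client(client):
        return conn_remote_addr      # private/loopback client is not accepted
    return str(client)


def direct_access_blocked(conn_remote_addr, cf_connecting_ip=None):
    """RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}" followed by
    RewriteRule ^ - [F]: 403 exactly when mod_remoteip left REMOTE_ADDR
    untouched, i.e. the request did not come through a trusted proxy."""
    return effective_remote_addr(conn_remote_addr, cf_connecting_ip) == conn_remote_addr
```

Note that with RemoteIPTrustedProxy a request whose header names a private address (e.g. 10.0.0.5) is also refused, which is the documented behaviour and a reason to prefer RemoteIPInternalProxy only for proxies on your own network.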
