[users@httpd] mod_access and Client IP's from Load Balancers

Hi,
I'm running a mod_perl/Mason app at a fairly large company.  We have two pools of machines, each pool with its own pair of load balancers.  One pool uses F5 BigIP, and the other uses Netscaler.  The problem that I'm having is that the Apache variable REMOTE_ADDR seems to correctly represent the client IP address when the request is dispatched from the F5.  But with the Netscalers, REMOTE_ADDR always reflects the IP address of the load balancer itself.  Netscaler does provide the ability for us to define custom headers to maintain true client state info (i.e. the real client IP address), and that works fine for deriving the proper client IP inside the mod_perl app, as well as for application logging.

The problem I'm having is that we have secret URIs (or Locations) in the application that we restrict by internal IP addresses, as well as by authentication.  All of these secret Locations are protected using mod_access deny/allow functionality.  But because of the way the Netscalers instantiate the incoming HTTP request with our individual nodes in the pool, we are always seeing the balancer's IP.  So, I've had to loosen my allow restrictions from what used to be class C subnets to basically 10.* just to allow ourselves to access the secret Locations through the Netscaler pool.  That means if any outside user happens to guess the secret Location(s), they can get to the authentication part of the protection with 50% probability.

Our operations staff says we are sticking with F5s on the one pool and Netscalers on the other, so I have to deal with the difference.  Also, we cannot add the equivalent pass-thru header in the F5s, like the NetScalers have.  How can I restrict a secret Location by IP or domain, if the Netscalers are incapable of preserving the real client IP when dispatching to the individual nodes in the pool, and we cannot have the F5s replicate the pass-thru header information the same as the Netscalers?

SetEnvIf is really not an option for us either, because we have business/marketing folks in offices around the world who access these secret Locations.  It's just not realistic to have them all set some custom header or something; it is way too difficult from an IT perspective.

The only option I can think of is to abandon the access security at the apache level, and move it into the application.  Does anyone have any other ideas?

Ex. from our config:

      <LocationMatch "^/+(marketing/report.*)$">
        # Evaluate Deny rules first, then Allow; the default is Deny.
        order deny,allow
        deny from all
        # Partial addresses match whole prefixes: 10 = 10.0.0.0/8,
        # 172.16 = 172.16.0.0/16, 192.168 = 192.168.0.0/16.
        allow from  10  172.16  192.168
      </LocationMatch>

Our App:
- RedHat 7.2
- Apache 1.3.28
- mod_perl 1.29

Thanks in advance for any help you can offer.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
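The poster's fallback of moving the IP check into the application is where the real security point lives: a client-IP header inserted by a balancer is only meaningful when the connection actually came from that balancer. If the check reads the header unconditionally, any external client reaching a node through the F5 pool (which does not rewrite headers) can set the same header to an internal address and walk past the allow list. The following is an added Python example, not the poster's code and not anything from the NetScaler or F5 products, that makes the access decision the way an application-level check should: REMOTE_ADDR is authoritative unless the peer is a known NetScaler address, in which case the real client comes from the header the balancer added, and the tight class C allow list is applied to the result. The balancer addresses, the header name `X-Client-IP`, and the allowed networks are constructed values for the example.

```python
import ipaddress

# --- Constructed configuration for this example (not from the post) ---
# Addresses the NetScaler pool connects from. Only a connection from one of
# these may carry a client-IP header that we believe; everything else is
# treated as a direct client (the F5 pool presents the real address).
TRUSTED_BALANCERS = {
    ipaddress.ip_address("10.1.0.5"),   # hypothetical NetScaler address
    ipaddress.ip_address("10.1.0.6"),   # hypothetical NetScaler address
}

# Header the NetScaler is configured to insert (name assumed for the example).
CLIENT_IP_HEADER = "x-client-ip"

# The tight internal allow list the post wants to keep, instead of 10.*.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.30.0/24"),
    ipaddress.ip_network("192.168.5.0/24"),
]


def effective_client_ip(remote_addr, headers):
    """Return the client address to use for access control, or None if it
    cannot be established safely.

    remote_addr: the TCP peer (Apache's REMOTE_ADDR).
    headers: mapping of request header names to values; names are matched
             case-insensitively.
    """
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None

    if peer not in TRUSTED_BALANCERS:
        # F5 path (REMOTE_ADDR is real) or a direct connection: the peer is
        # the client, and any client-IP header it sent is attacker-controlled,
        # so it is deliberately ignored.
        return peer

    # Connection came from a NetScaler: REMOTE_ADDR is the balancer, so the
    # real client address is in the header the balancer added.
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get(CLIENT_IP_HEADER, "")
    if not value:
        # Fail closed: never treat the balancer itself as the client.
        return None

    # If the balancer appends instead of replacing (X-Forwarded-For style),
    # the rightmost entry is the one it wrote; earlier entries came from the
    # client or other proxies and may be forged.
    candidate = value.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return None


def is_allowed(remote_addr, headers):
    """Access decision for a restricted Location: True only if the effective
    client address falls inside ALLOWED_NETWORKS."""
    client = effective_client_ip(remote_addr, headers)
    if client is None:
        return False
    return any(client in net for net in ALLOWED_NETWORKS)


if __name__ == "__main__":
    # Constructed requests: (description, REMOTE_ADDR, headers)
    samples = [
        ("internal client via F5, no header", "10.20.30.7", {}),
        ("internal client via NetScaler", "10.1.0.5", {"X-Client-IP": "10.20.30.7"}),
        ("external client via NetScaler", "10.1.0.5", {"X-Client-IP": "203.0.113.9"}),
        ("external client via F5, forged header", "203.0.113.9", {"X-Client-IP": "10.20.30.7"}),
        ("NetScaler peer but header missing", "10.1.0.5", {}),
    ]
    for label, addr, hdrs in samples:
        print(f"{label:40s} -> {'allow' if is_allowed(addr, hdrs) else 'deny'}")
```

The decision only holds if the NetScaler is configured to overwrite (or at least append to, never merely pass through) any copy of the header a client sends; if it passed a client-supplied value through untouched, the header would be as forgeable as on the F5 path, and the rightmost-entry rule above would not save you.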