How do I filter HTTPS traffic to my web server from behind a NodeBalancer?
Linode
Linode Staff
I am getting suspicious traffic attempting to access my Linode, but my Linode is behind a NodeBalancer, and I am unable to tell anything about where the requests are coming from. How do I block traffic that looks suspicious to me?
I am using Apache 2.4.7 on Ubuntu.
1 Reply
hphillips
Linode Staff
First of all you will want to make sure that your NodeBalancer is configured to use HTTPS Protocol Mode to communicate with your backend web servers. If you use TCP Protocol Mode all traffic to your backend web servers will appear to be coming from the NodeBalancer itself.
If you are using HTTPS or HTTP Protocol Mode, your NodeBalancer will add an extra field to the web request as it passes the request to your back end web server. This field is the X-Forwarded-For.
You can create a configuration file for your Apache web server to deny access from a particular network address or range of IP addresses based on your X-Forwarded-For header. For example, lets create a file called /etc/apache2/conf-available/ip_blocklist.conf to block the address 192.0.2.13, and the entire range 203.0.113.0-203.0.113.255 from your entire site:
<LocationMatch "/.*">
Order Allow, Deny
Allow from all
SetEnvif X-Forwarded-For "192\.0\.2\.13" GoAway
SetEnvif X-Forwarded-For "203\.0\.113\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))" GoAway
Deny from env=GoAway
</LocationMatch>
Once you have created this file, you can then enable it by running the following commands:
sudo ln -s /etc/apache2/conf-available/ip_blocklist.conf /etc/apache2/conf-enabled/ip_blocklist.conf
sudo systemctl restart apache2