How do I filter HTTPS traffic to my web server from behind a NodeBalancer?

I am getting suspicious traffic attempting to access my Linode, but my Linode is behind a NodeBalancer, and I am unable to tell anything about where the requests are coming from. How do I block traffic that looks suspicious to me?

I am using Apache 2.4.7 on Ubuntu.

1 Reply

First of all you will want to make sure that your NodeBalancer is configured to use HTTPS Protocol Mode to communicate with your backend web servers. If you use TCP Protocol Mode all traffic to your backend web servers will appear to be coming from the NodeBalancer itself.

If you are using HTTPS or HTTP Protocol Mode, your NodeBalancer will add an extra field to the web request as it passes the request to your back end web server. This field is the X-Forwarded-For.

You can create a configuration file for your Apache web server to deny access from a particular network address or range of IP addresses based on your X-Forwarded-For header. For example, lets create a file called /etc/apache2/conf-available/ip_blocklist.conf to block the address 192.0.2.13, and the entire range 203.0.113.0-203.0.113.255 from your entire site:

<LocationMatch "/.*">
Order Allow, Deny
Allow from all
SetEnvif X-Forwarded-For "192\.0\.2\.13" GoAway
SetEnvif X-Forwarded-For "203\.0\.113\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))" GoAway
Deny from env=GoAway
</LocationMatch>

Once you have created this file, you can then enable it by running the following commands:

sudo ln -s /etc/apache2/conf-available/ip_blocklist.conf /etc/apache2/conf-enabled/ip_blocklist.conf
sudo systemctl restart apache2

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct