httpd-users mailing list archives

From Carlos André <candr...@gmail.com>
Subject Re: [users@httpd] Reverse proxy like DNAT, any chance? :)
Date Wed, 28 Oct 2009 13:48:27 GMT
Hi Emmanuel,

I'm using Snort.
It doesn't (yet) permit use of "X-Forwarded-For" :(
Anyway, since I can't block the IP of the SSL-out box, then this feature come
out I can't put an inline IDS with active response function on the same box.
Maybe an IDS sensor after the SSL-out box, then, on an event... send a command
to the SSL-out box to DROP the attacker IP...  Or just put the IDS and SSL-out on
the same box... (I prefer to segregate, anyway sending a DROP command to
another box will slow down the response a little...) If any event is detected
from an X-Forwarded IP then just put it on iptables (-I INPUT -s
<X-Forwarded-For> -j DROP) or something like that...


On Wed, Oct 28, 2009 at 9:29 AM, Emmanuel Bailleul
<Emmanuel.Bailleul@telindus.fr> wrote:
>> -----Original Message-----
>> From: Carlos André [mailto:candrecn@gmail.com]
>> Sent: Wednesday, October 28, 2009 13:06
>> To: users@httpd.apache.org
>> Subject: [users@httpd] Reverse proxy like DNAT, any chance? :)
>>
>> Hi ppl,
>>
>> Maybe it looks like a stupid question, but is there any way to make
>> Apache acting as a "reverse proxy" send the original source IP to the
>> destination? Like iptables DNAT?
>>
>> Coz I need to protect users/server (HTTPS) and webserver (IDS), but my
>> SSL-out box (Apache RP) sends its own IP to the Apache webserver, not the
>> original source... then I can't just block the SSL-out box IP (but I need an
>> active response from Snort... even passive, a lot of alerts from the
>> SSL-out IP doesn't help so much).
>>
>> There's my conf: INTERNET---HTTPS---SSLOUTBOX---HTTP---IDS---WEBSERVER
>>
>> Thanks :)
>>
>
> Hi,
>
> Would there be any chance your IDS extract the source address info from the "X-forwarded-for" header instead of the source IP?
>
> Regards.
>
> Emmanuel
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
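
Added example, not part of the original messages: a sketch of the "take the X-Forwarded-For address and DROP it" step discussed above, showing the checks needed before a header value is allowed into a firewall rule. The proxy address, the never-block ranges and the function names are assumptions made up for illustration.

```python
import ipaddress

# Assumptions (constructed values): the SSL-out proxy's address as seen by
# the IDS, and ranges that must never end up in a DROP rule.
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}
NEVER_BLOCK = [ipaddress.ip_network(n)
               for n in ("192.0.2.0/24", "10.0.0.0/8", "127.0.0.0/8")]


def client_from_xff(peer_ip, xff_header):
    """Return the client address recorded by the trusted proxy, or None.

    mod_proxy appends the address it accepted the connection from to any
    X-Forwarded-For the client already sent, so only the right-most entry
    is written by our proxy; everything to its left is client-supplied.
    """
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        return None                      # not relayed by our proxy: ignore
    if not xff_header:
        return None
    last = xff_header.split(",")[-1].strip()
    try:
        addr = ipaddress.ip_address(last)  # rejects anything but a bare IP
    except ValueError:
        return None
    if any(addr in net for net in NEVER_BLOCK):
        return None                      # never block the proxy or own nets
    return addr


def drop_rule(addr):
    """Build the rule from the message as an argv list (no shell parsing)."""
    tool = "iptables" if addr.version == 4 else "ip6tables"
    return [tool, "-I", "INPUT", "-s", str(addr), "-j", "DROP"]


if __name__ == "__main__":
    # Constructed (peer address, header) pairs as an IDS event might carry.
    samples = [
        ("192.0.2.10", "203.0.113.7"),               # plain request
        ("192.0.2.10", "10.0.0.1, 198.51.100.23"),   # client sent its own XFF
        ("192.0.2.10", "203.0.113.7; reboot"),       # not an IP: rejected
        ("198.51.100.99", "203.0.113.7"),            # did not come via proxy
    ]
    for peer, header in samples:
        addr = client_from_xff(peer, header)
        print(header, "->", " ".join(drop_rule(addr)) if addr else "no rule")
```

The resulting rule only has an effect on the SSL-out box, because hosts behind it see the proxy's address as the packet source.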
