
I have multiple application servers running as EC2 instances. Only certain bare-metal servers running elsewhere are allowed to contact them, and their IPs are whitelisted explicitly in the httpd.conf on the application servers.

I want to move the application servers behind an ELB for load balancing. I've read about the X-Forwarded-For header, which ELB forwards to the application server, and that one can allow certain IPs based on it. My question is: how do I set this up?

Currently my apache config on application server looks like this:

<VirtualHost *:80>
    ServerAdmin  abc@foo.com
    ServerName   bar.foo.in
    DocumentRoot /home/foo/bar
    <Directory /home/foo/bar>
            Options Indexes Multiviews FollowSymLinks
            AllowOverride All
            Order Deny,Allow
            Deny from all
            Allow from X.X.X.X Y.Y.Y.Y Z.Z.Z.Z A.A.A.A
    </Directory>
</VirtualHost>

I'm thinking about using the SetEnvIf directive to allow IPs based on the X-Forwarded-For value, but I'm not sure about this. I have the following changes in mind. Can someone verify this before I put it into production?

<VirtualHost *:80>
 ................... 
 ....................
    <Directory /home/foo/bar>
            # ELB appends the real client address as the last entry of
            # X-Forwarded-For, so anchor the match to the end of the header
            # and escape the dots; an unanchored match could be satisfied by
            # a client-supplied X-Forwarded-For value.
            SetEnvIf X-Forwarded-For "(^|,\s*)(X\.X\.X\.X|Y\.Y\.Y\.Y|A\.A\.A\.A)$" AllowIP
            Options Indexes Multiviews FollowSymLinks
            AllowOverride All
            Order Deny,Allow
            Deny from all
            Allow from env=AllowIP
    </Directory>
</VirtualHost>

Thanks

1 Answer

The best way to do this would be to skip all the Apache configuration work and use AWS VPC to do the limiting. You can use the ELB's security group to limit the incoming requests to just those IPs. After that, set the EC2 instances' security group to only accept HTTP connections from the ELB.

This gives you what you're looking for without as much hassle with the Apache configuration, and it's easier and faster to manage if you ever need to change things.

Nathan V
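The two-security-group setup the answer describes, written out as an added Terraform example (not the answerer's own configuration). It assumes a VPC id supplied as `var.vpc_id`, placeholder /32 CIDRs for the bare-metal servers, and HTTP on port 80 end to end.

```hcl
# Placeholder values: replace the /32 CIDRs with the bare-metal servers' real
# addresses and var.vpc_id with the VPC that holds the ELB and the instances.
variable "vpc_id" {}

locals {
  allowed_cidrs = ["X.X.X.X/32", "Y.Y.Y.Y/32", "Z.Z.Z.Z/32", "A.A.A.A/32"]
}

# Security group attached to the ELB: only the whitelisted bare-metal servers
# may open HTTP connections to the load balancer.
resource "aws_security_group" "elb" {
  name   = "app-elb"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = local.allowed_cidrs
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Security group attached to the application instances: HTTP is accepted only
# from members of the ELB's security group, so an instance's own address is
# not reachable directly even if it is known.
resource "aws_security_group" "app" {
  name   = "app-instances"
  vpc_id = var.vpc_id

  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.elb.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Attach `aws_security_group.elb` to the load balancer and `aws_security_group.app` to the instances; once that is in place the Apache Deny/Allow rules can be dropped or kept only as defence in depth.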