
Detect apache reverse proxy programmatically

I want to proxy a website (let's call it “APP”) through Apache 2.4 using two different reverse proxies with different host names (virtual hosts). Let's call those proxies “Alfa” and “Beta”. I want Alfa to be the “public proxy” which will show the normal version of the website. The Beta proxy will limit public access to certain client IPs, but here I want to show, on top of each page of the website, some type of sensitive information. Let's call those portions of sensitive information “SENS”.

Here's my current apache config.

Listen 443
NameVirtualHost *:443
SSLStrictSNIVHostCheck off

## Virtual host for the Alfa Proxy
<VirtualHost *:443>

    ServerName alfa.mysite.org
    RewriteEngine On

    <Location /app/>
        ProxyPass http://x.x.x.x:8080/app/
        ProxyPassReverse http://x.x.x.x:8080/app/
    </Location>

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile conf/alfa.crt
    SSLCertificateKeyFile conf/alfa.key
</VirtualHost>

## Virtual host for the Beta Proxy
<VirtualHost *:443>

    ServerName beta.mysite.org
    RewriteEngine On

    <Location /app/>
        Require ip 192.168.0
        ProxyPass http://x.x.x.x:8080/app/
        ProxyPassReverse http://x.x.x.x:8080/app/
    </Location>

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile conf/beta.crt
    SSLCertificateKeyFile conf/beta.key
</VirtualHost>

In order to show SENS only to the users of Beta, I need to programmatically detect which proxy requests come from. Now, I've looked into the use of reverse proxy request headers such as “X-Forwarded-Server”. Let's say I define some kind of security filter in APP (e.g. a Spring Filter) that allows SENS to be rendered on the page only if X-Forwarded-Server equals “beta.mysite.org”. This should work just fine.

But my question is this: can I be sure that no kind of tampering with the proxy headers occurs that would allow users of alfa.mysite.org to actually view the SENS portions of my website?

If so, are there any other ways of doing this in a “secure manner”? Having two different versions of APP or deploying APP on two different containers is something I want to avoid here.

Any comments or suggestions are appreciated.

According to the Apache documentation, the X-Forwarded-Server header can be a comma-separated list when multiple proxies are used. So I wouldn't consider it safe from a security point of view.

Under the assumption that your backend server is not directly accessible, you could try the following. Set your own HTTP header whose value changes depending on which VirtualHost the request passes through. You then only have to check for the value of the header in the backend.

ServerName alfa.mysite.org
RewriteEngine On

<Location /app/>
    # "set": the request header is set, replacing any previous header with this name
    # (RequestHeader is provided by mod_headers, which must be loaded)
    RequestHeader set MyCustomHeader "remote"
</Location>

ServerName beta.mysite.org
RewriteEngine On

<Location /app/>
    Require ip 192.168.0
    # "set": the request header is set, replacing any previous header with this name
    RequestHeader set MyCustomHeader "local"
    ..
</Location>
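As an added example that is not part of the question or the answer above, here is backend-side decision logic in Python that contrasts the check the question proposes (trusting X-Forwarded-Server) with the check the answer recommends (trusting only the header the proxy itself sets with RequestHeader set). The sample requests are constructed; the proxy IP, the header-dict shape and the function names are hypothetical and not from the page. It also adds one hardening step the answer does not spell out: the backend verifies that the request actually arrived from a trusted proxy address.

```python
# Added example, not code from the original question or answer.
# Assumptions (hypothetical): the backend sees request headers as a dict and
# the TCP peer address as a string; only the Apache proxy host(s) are allowed
# to reach the backend, and their address is known.

PROXY_HEADER = "MyCustomHeader"        # header name used in the answer's config
BETA_VALUE = "local"                   # value the Beta vhost sets (from the answer)
ALFA_VALUE = "remote"                  # value the Alfa vhost sets (from the answer)
TRUSTED_PROXY_IPS = {"10.0.0.5"}       # constructed placeholder for the proxy host


def _header(headers, name):
    """Case-insensitive header lookup: HTTP header names are not case-sensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def naive_allows_sens(headers):
    """The approach the question proposes: render SENS if X-Forwarded-Server
    names the Beta proxy.

    mod_proxy appends its own server name to an X-Forwarded-Server header that
    the client already sent, so the backend may receive a comma-separated list
    whose first element was chosen by the client. Kept here only to contrast
    with the hardened check below.
    """
    value = _header(headers, "X-Forwarded-Server") or ""
    first_hop = value.split(",")[0].strip()
    return first_hop == "beta.mysite.org"


def forwarded_server_was_client_supplied(headers):
    """Detection signal: with a single proxy in front of the backend, a
    multi-valued X-Forwarded-Server means the client sent one itself (or an
    unexpected extra proxy hop exists). Worth logging either way."""
    value = _header(headers, "X-Forwarded-Server") or ""
    return len([part for part in value.split(",") if part.strip()]) > 1


def allows_sens(headers, peer_ip):
    """Hardened check following the answer: trust only the header the proxy
    overwrites, and only when the request really came from the proxy."""
    # Defence in depth for the answer's assumption that the backend is not
    # directly reachable: a client that bypasses both proxies fails here even
    # if it sends a perfectly formed MyCustomHeader.
    if peer_ip not in TRUSTED_PROXY_IPS:
        return False
    # 'RequestHeader set' replaces any client-supplied value, so whatever is
    # seen here was written by the vhost that forwarded the request.
    value = _header(headers, PROXY_HEADER)
    # Exact equality, not "in"/"startswith": an unknown value, a list such as
    # "local, remote" or a missing header must fail closed.
    return value == BETA_VALUE


# Constructed sample requests (not captured traffic). Each entry is
# (headers as the backend receives them, peer address of the connection).
SAMPLE_REQUESTS = {
    # Ordinary request through Beta: the Beta vhost set MyCustomHeader: local.
    "beta_user": ({"X-Forwarded-Server": "beta.mysite.org",
                   "MyCustomHeader": "local"}, "10.0.0.5"),
    # Ordinary request through Alfa.
    "alfa_user": ({"X-Forwarded-Server": "alfa.mysite.org",
                   "MyCustomHeader": "remote"}, "10.0.0.5"),
    # The tampering case the question asks about: an Alfa client sent its own
    # X-Forwarded-Server, mod_proxy appended "alfa.mysite.org", but
    # RequestHeader set still forced MyCustomHeader to "remote".
    "alfa_user_with_own_xfs": ({"X-Forwarded-Server": "beta.mysite.org, alfa.mysite.org",
                                "MyCustomHeader": "remote"}, "10.0.0.5"),
    # A client that reached the backend without passing either proxy.
    "direct_client": ({"MyCustomHeader": "local"}, "203.0.113.9"),
}


def evaluate_all():
    """Return {name: (naive_result, hardened_result)} for the sample requests."""
    return {name: (naive_allows_sens(h), allows_sens(h, ip))
            for name, (h, ip) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in evaluate_all().items():
        print(f"{name:24s} naive={naive!s:5s} hardened={hardened}")
```

Running the block shows the naive check granting SENS for the request that carried a client-supplied X-Forwarded-Server, while the hardened check grants it only for the genuine Beta request; the `forwarded_server_was_client_supplied` helper is the signal to log when that happens.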
