
How can I block all external IPs to endpoints behind AWS ELB?

OK - so I have a developer who does not want our REST endpoints to be accessible externally; the only access allowed is localhost and the internal network scheme. Our internal network scheme is 10.10.xx.

The way we did this is with the <LocationMatch> switch in the .conf file as follows:

<LocationMatch "/foo/bar/*">
  Order deny,allow
  Deny from all
  Allow from 10.10
  Allow from 127
</LocationMatch>

Now, the challenge we are having is that the AWS Load Balancer has an X-Forward-Host rule on it for all original source IPs, and if I do Allow from 10, obviously that will allow access to all endpoints externally because of this.

As stated before, our internal IP range is 10.10, so I can do Allow from 10.10 and that would resolve it, but if I add more regions the network scheme could be 10.20.xx, 10.30.xx, 10.40.xx, and then it becomes a bit of an administrative nightmare.

So, what makes sense is what someone mentioned: doing something at the http.conf level:

<Directory />
    #Example..
    SetEnvIF X-Forwarded-For "(,| |^)192\.168\.1\.1(,| |$)" DenyIP
    SetEnvIF X-Forwarded-For "(,| |^)10\.1\.1\.1(,| |$)" DenyIP
    Order allow,deny
    Deny from env=DenyIP
    Allow from all
</Directory>

(found in this blog)

So, I am unsure how to follow this format and ensure that it denies all external IPs to these directories.

Would the http.conf file have something like:

<VirtualHost>
    #Example..
    SetEnvIF X-Forwarded-For "(,| |^)*\.*\.*\.*(,| |$)" DenyIP
</VirtualHost>

and my other .conf file with the <LocationMatch> rules would have:

<LocationMatch "/foo/bar/*">
  Order deny,allow
  Deny from env=DenyIP
  Allow from 10.
  Allow from 127
</LocationMatch>

Thanks for your help!

Rather than modifying Apache, use Security Groups!

  1. Create a security group for your Elastic Load Balancer. Allow in-bound access from 0.0.0.0/0 for ports 80 & 443.
  2. Create a security group for your Apache server(s). Allow in-bound access from the ELB security group (a security group can reference another security group). Also add access so you can SSH into the server(s).

That's it! The security groups will block traffic that attempts to access your Apache server(s) without passing through the Load Balancer.

See:
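The two security groups the answer describes, written out in Terraform as an added example (this is not code from the original post or answer). It assumes a VPC id supplied in `var.vpc_id`, an assumed internal range of 10.0.0.0/8 as the SSH source, and that the Apache instances listen on port 80 behind the load balancer; the resource names `elb` and `apache` are illustrative.

```hcl
# Added example, not from the original thread. Assumptions: var.vpc_id holds
# the VPC, 10.0.0.0/8 is the internal range allowed to SSH, Apache listens on
# port 80 and only needs to be reachable from the load balancer.

variable "vpc_id" {
  type = string
}

variable "ssh_source_cidr" {
  type    = string
  default = "10.0.0.0/8" # assumed internal range for administrative SSH
}

# Step 1: security group for the load balancer, open to the world on 80/443 only.
resource "aws_security_group" "elb" {
  name        = "rest-elb"
  description = "Public entry point: HTTP/HTTPS from anywhere"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Step 2: security group for the Apache instances. The web port admits only
# members of the ELB group (a group-to-group reference), so no CIDR list has to
# be updated when new 10.20.x / 10.30.x regions appear, and nothing on the
# internet can reach Apache except through the load balancer.
resource "aws_security_group" "apache" {
  name        = "rest-apache"
  description = "Apache behind the ELB: web traffic only from the ELB group"
  vpc_id      = var.vpc_id

  ingress {
    description     = "HTTP from the load balancer only"
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.elb.id]
  }

  ingress {
    description = "SSH for administration from the internal range"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.ssh_source_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Attach `aws_security_group.elb` to the load balancer and `aws_security_group.apache` to the instances (`vpc_security_group_ids`). Two caveats a practitioner should weigh: the instance group only ever sees the load balancer's address, so if the real requirement is that external clients cannot reach the `/foo/bar` paths even via the load balancer, the load balancer itself must be internal-facing or its group limited to the internal ranges rather than 0.0.0.0/0; and the `X-Forwarded-For` matching the question explores is only trustworthy for the hop the load balancer appends, because the rest of that header is supplied by the client and can be forged to contain a 10.x address.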

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM