Apache Allow from specific IPs behind load balancer

Tags: apache-2.2, load balancing

We have an endpoint that we've locked down to be only accessible from specific IPs. We have a conf section kinda like this:

<Location /Foo>
    Order allow,deny
    Allow from 111.111.111.111
    Allow from 111.222.333.444
    ...
</Location>

Now, it's gotten to the point where we need to load balance it between a couple of machines, but we still need to lock it down to only be accessible from those IPs.

So… how can I set Apache to Allow from the X-Forwarded-For?

Best Answer

Presumably you have a load balancer that is doing SNAT/NAPT obscuring the client IP address.

Have you seen this answer, which solves it using SetEnvIf? Apache, use X-Forwarded-For for allow

There's a comment on that answer about forging. I'd point out that:

  • Someone who can reach your server directly (presumably an internal attacker) can fake the X-Forwarded-For header, so you should also lock Apache down to just the load balancer SNAT address(es).
  • Your load balancer should be scrubbing X-Forwarded-For headers from incoming requests so that external attackers can't fake it.
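A complete Apache 2.2 config that combines both points, as an added example (not the question's config and not the linked answer's): whitelist clients by X-Forwarded-For, and also refuse anything that did not arrive via the load balancer. The load balancer SNAT addresses 10.0.0.1 and 10.0.0.2 are assumed placeholders; the client addresses are the ones from the question.

```apache
# Added example, not from the question or the linked answer.
# Assumed placeholders: 10.0.0.1 and 10.0.0.2 are the load balancer's
# SNAT addresses; the client IPs are the ones from the question.
<Location /Foo>
    # Mark every request as "not from the LB", then clear the mark for
    # requests whose TCP peer really is one of the load balancer addresses.
    SetEnvIf Remote_Addr "."                  not_from_lb
    SetEnvIf Remote_Addr "^10\.0\.0\.(1|2)$"  !not_from_lb

    # Mark requests whose X-Forwarded-For is exactly one whitelisted IP.
    # The ^ and $ anchors matter: a header carrying a list ("spoofed, real")
    # or a longer address sharing the prefix will not match and is denied.
    SetEnvIf X-Forwarded-For "^(111\.111\.111\.111|111\.222\.333\.444)$" client_ok

    # Order allow,deny: a request must match an Allow and no Deny.
    # It is served only if client_ok is set and not_from_lb was cleared.
    Order allow,deny
    Allow from env=client_ok
    Deny  from env=not_from_lb
</Location>
```

Because the Deny overrides the Allow, a request that reaches Apache without passing through the load balancer is refused even if it carries a matching X-Forwarded-For, and a request from the load balancer with no header at all is refused too. On Apache 2.4 the same goal is normally met with mod_remoteip (RemoteIPHeader plus RemoteIPInternalProxy) and a plain Require ip list.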