Firewall – local “firewall” to block by “X-Forwarded-For” IPs behind the reverse proxies


The situation is quite typical. I'm using CentOS + Apache(s) behind a load balancer for the websites.


At this point, let's assume I don't have any access to the load balancer (or let's forget about that one).


Currently I'm using .htaccess to BLOCK the IPs because the native iptables is not able to block the X-Forwarded-For kind of IP addresses (as far as I understand).

My current approach works anyway. But this still allows my Apache(s) to be hit, at least.

Is there a firewall (like: iptables) which can block the X-Forwarded-For IP/connections as well?

Thanks all in advance 🙂

Best Answer

Nope, firewalls like iptables work at the TCP layer. To look at the X-Forwarded-For HTTP header you need to accept the connection and accept at least the request headers from the client before you can evaluate the X-Forwarded-For IP.

By far the best place to do the blocking is on the load balancer itself, before the request gets passed to Apache; most load balancers will have this functionality.
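To illustrate the point the answer makes (the header can only be evaluated once the request has been read, and only the hop appended by a trusted proxy is reliable), here is an added example that is not from the post: a small function that walks the X-Forwarded-For chain from the right, skipping an assumed trusted load-balancer range, so a client cannot dodge a block by prepending a fake address. The proxy range and blocklist values are constructed placeholders.

```python
import ipaddress

# Constructed sample values (assumptions, not from the original post):
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]    # assumed load-balancer range
BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]      # assumed blocked clients (TEST-NET-3)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the real client IP as a string, or None if the header is malformed.

    The chain is [XFF hops..., remote_addr]. We walk it from the right: the
    TCP peer first, then the address our trusted proxy appended, and so on.
    The first address that is NOT a trusted proxy is the client. Anything
    further left was supplied by the client itself and is ignored, so a
    spoofed leading entry cannot change the result. If the TCP peer is not a
    trusted proxy (someone hit Apache directly), the header is ignored entirely.
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()] if xff_header else []
    chain = hops + [remote_addr]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # unparsable hop: refuse to guess
        if not any(addr in net for net in trusted):
            return str(addr)
    return str(chain[0])  # every hop was one of our own proxies


def is_blocked(remote_addr, xff_header, blocklist=BLOCKLIST):
    """Decide after the headers are available; fail closed on a malformed chain."""
    ip = client_ip(remote_addr, xff_header)
    if ip is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


if __name__ == "__main__":
    # Blocked client tries to hide behind a forged leading entry; the LB appends its real address.
    print(is_blocked("10.0.0.5", "198.51.100.9, 203.0.113.7"))  # True
```

Apache's mod_remoteip (RemoteIPHeader / RemoteIPInternalProxy) does the same trusted-proxy walk so that an ordinary Require ip rule sees the client address rather than the load balancer's, but as the answer says, the request still reaches Apache before it can be rejected.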