Linux – mod_security IP collection key not being set correctly

apache-2.2 linux mod-security

I'm using an IP collection in a load-balanced setup; I therefore want mod_security to act on the X-Forwarded-For header instead of REMOTE_ADDR. Here are my rules:

# Initialise the persistent IP collection, keyed on the X-Forwarded-For header instead of REMOTE_ADDR
SecAction "phase:1,nolog,pass,initcol:IP=%{REQUEST_HEADERS.x-forwarded-for}"
# Count one hit per request; deprecatevar decays the counter by 100 every 15 seconds
SecAction "nolog,phase:1,setvar:IP.hitcount=+1,deprecatevar:IP.hitcount=100/15"
# Drop the connection once a single key exceeds 600 hits
SecRule IP:hitcount "@gt 600" "nolog,drop,phase:1,msg:'Possible DoS'"

No matter what I set the key to after the IP=, I get the load balancer IP through, which will obviously ban everybody. Is this a bug or am I doing something wrong? I even hard-coded the key to 1.1.1.1 and it STILL set the load balancer IP in the ip.pag file. HELP! :]

Best Answer

I found the problem. I was putting this rule in the local rules file which is the last thing to be set. The IP collection had already been initialised by another rule which took precedence.

The solution was to move the top line (the one with initcol in) to the top of the mod_security config so that all references to the IP collection use the x-forwarded-for key that I have set rather than the default REMOTE_ADDR.

I hope this saves someone else out there a morning of pulling their hair out! :]
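The ordering fix described in the answer, written out as an added example of an Apache/ModSecurity include layout (this is not the original poster's configuration; the file names, the rule ids and the tx.client_ip variable are assumptions). The point is that the first initcol for a collection wins for the rest of the transaction, so the rule that picks the key has to run before any included rule set that also initialises IP. The example also handles two edge cases the page's one-liner does not: X-Forwarded-For can carry a comma-separated chain of addresses (only the first is taken), and a request that reaches Apache without the header (a direct hit) falls back to REMOTE_ADDR rather than keying every such request on an empty string. One caveat a practitioner should keep in mind: X-Forwarded-For is set by whoever sends the request, so it is only safe to key on if the load balancer overwrites or appends it and Apache accepts connections only from the balancer; otherwise a client can supply the header itself, either to have another address banned or to rotate keys and stay under the threshold.

```apache
# Added example: ModSecurity 2.x include order for a load-balanced Apache.
# File paths and rule ids are assumptions; adjust to your layout.
<IfModule security2_module>
    # Engine settings (SecRuleEngine, SecDataDir for the persisted IP collection, ...)
    Include conf/modsecurity.conf

    # Pick the collection key BEFORE any other rule set touches the IP collection.
    # The id actions are required from ModSecurity 2.7 onwards; older 2.x ignores them.

    # 1. Take the first address in X-Forwarded-For (the original client, when the
    #    balancer appends its hops after it) into a transaction variable.
    SecRule REQUEST_HEADERS:X-Forwarded-For "^\s*([0-9a-fA-F.:]+)" \
        "id:900100,phase:1,nolog,pass,capture,setvar:tx.client_ip=%{TX.1}"

    # 2. No usable header (direct hit, or garbage): fall back to REMOTE_ADDR so the
    #    collection is never keyed on an empty string.
    SecRule &TX:client_ip "@eq 0" \
        "id:900101,phase:1,nolog,pass,setvar:tx.client_ip=%{REMOTE_ADDR}"

    # 3. Initialise the IP collection once, with the key chosen above.
    SecAction "id:900102,phase:1,nolog,pass,initcol:IP=%{TX.client_ip}"

    # 4. Rate counter and drop rule from the question, now keyed per real client.
    #    deprecatevar decays hitcount by 100 every 15 seconds.
    SecAction "id:900103,phase:1,nolog,pass,setvar:IP.hitcount=+1,deprecatevar:IP.hitcount=100/15"
    SecRule IP:hitcount "@gt 600" "id:900104,phase:1,nolog,drop,msg:'Possible DoS'"

    # Everything included below sees IP already initialised with the X-Forwarded-For
    # key; a later initcol:IP=%{REMOTE_ADDR} in these files will not override it.
    Include conf/crs/*.conf
    Include conf/local_rules.conf
</IfModule>
```

To confirm the key actually in use, enable SecDebugLog at level 4 or higher for a test request and look for the "Creating collection (name "ip", key ...)" line, or inspect the keys in the ip.pag file under SecDataDir as the question did; the key should be the client address from the header, not the balancer's.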