I have nginx set up as a reverse-proxy for a group of apache (LAMP) backends listening on port 8080.
I've also configured each backend server's mod_rpaf.conf file to include the proxy IP of the nginx server:
<IfModule mod_rpaf.c>
    RPAF_Enable On
    # 192.168.0.1 is the nginx server IP
    RPAF_ProxyIPs 127.0.0.1 192.168.0.1
    RPAF_Header X-Forwarded-For
    RPAF_SetHostName On
    RPAF_SetHTTPS On
    RPAF_SetPort On
</IfModule>
How can I configure httpd.conf to refuse any connection that does not come from nginx?
I've tried the following:
<Directory "/var/www/html">
Order allow,deny
Allow from 192.168.0.1
Allow from 127
Deny from all
</Directory>
But this seems to restrict access to the nginx proxy itself as well as any other IPs.
Is this due to mod_rpaf forwarding the client IP? If so, how do I get around this?
Best Answer
Because the mod_rpaf module forwards the real client IP, you can't block public access to the apache backend server via its own httpd.conf file. Setting up a couple of iptables rules will block access to port 8080 for everyone (public access) except the nginx reverse-proxy without affecting the forwarding of the client's real IP:
Run:
Access to the apache backend server on port 8080 is now restricted to the nginx proxy only.
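
One way to build the kind of firewall rules this answer describes, as an added example (not the answer author's commands): a shell function that prints iptables rules letting only the proxy addresses reach the backend port. The function names are hypothetical; the port and IPs are the ones from the question.

```shell
#!/bin/sh
# Added example: prints iptables commands, it does not apply them.

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Usage: backend_fw_rules PORT PROXY_IP [PROXY_IP ...]
# Validates every argument before printing anything, so a typo can never
# yield a partial rule set (for example the DROP without the ACCEPTs).
backend_fw_rules() {
    port=$1
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    shift
    [ $# -gt 0 ] || { echo "no proxy IPs given" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "bad proxy IP: $ip" >&2; return 1; }
    done
    # ACCEPT rules first: iptables stops at the first matching rule.
    for ip in "$@"; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$ip" "$port"
    done
    # Everything else aimed at the backend port is dropped.
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Values taken from the question: Apache on 8080, proxy IPs from RPAF_ProxyIPs.
backend_fw_rules 8080 127.0.0.1 192.168.0.1
```

Review the output, then pipe it to `sh` as root on each backend. Because `-A` appends, any earlier INPUT rule that already accepts port 8080 still takes precedence, and the rules last only until reboot unless they are saved.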