Nginx – Restrict apache backend access to nginx reverse-proxy only

Tags: apache-2.2, forwarding, nginx, reverse-proxy

I have nginx setup as a reverse-proxy for a group of apache (LAMP) backends listening on port 8080.

I've also configured each backend server's mod_rpaf.conf file to include the proxy IP of the nginx server:

<IfModule mod_rpaf.c>
  RPAF_Enable       On
  # 192.168.0.1 is the nginx server IP (Apache does not allow trailing comments on a directive line)
  RPAF_ProxyIPs     127.0.0.1 192.168.0.1
  RPAF_Header       X-Forwarded-For
  RPAF_SetHostName  On
  RPAF_SetHTTPS     On
  RPAF_SetPort      On
</IfModule>

How can I configure httpd.conf to refuse any connection that does not come from nginx?

I've tried the following:

<Directory "/var/www/html">

    Order allow,deny
    Allow from 192.168.0.1
    Allow from 127
    Deny from all

</Directory>

But this seems to restrict access to the nginx proxy itself as well as any other IPs.

Is this due to mod_rpaf forwarding the client IP? If so, how do I get around this?

Best Answer

Because the mod_rpaf module forwards the real client IP, you can't block public access to the apache backend server via its own httpd.conf file.

Setting up a couple of iptables rules will block access to port 8080 for everyone (public access) except the nginx reverse-proxy without affecting the forwarding of the client's real IP:

Run:

# iptables -A INPUT -p tcp --dport 8080 -s 192.168.0.1 -j ACCEPT
# iptables -A INPUT -p tcp --dport 8080 -j DROP

# service iptables save
# service iptables restart

Access to the apache backend server on port 8080 is now restricted to the nginx proxy only.
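As an added example (not part of the original answer), the following POSIX shell script applies the same restriction in a way that can be re-run safely and then checked. The nginx address 192.168.0.1 and the backend port 8080 come from the question; the extra loopback rule (so local checks against 127.0.0.1, which RPAF_ProxyIPs already trusts, keep working), the DRY_RUN switch, the function names and the use of `iptables -C` to avoid duplicate rules are this example's own assumptions.

```shell
#!/bin/sh
# Added example: restrict the Apache backend port to the nginx proxy with iptables.
# Assumed values (from the question): nginx at 192.168.0.1, backend on TCP 8080.
set -eu

NGINX_IP="${NGINX_IP:-192.168.0.1}"
BACKEND_PORT="${BACKEND_PORT:-8080}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the iptables commands instead of running them

# Run one iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Append a rule only if an identical one is not already in the chain (-C checks),
# so running the script twice does not stack duplicate rules.
ensure_rule() {
    if [ "$DRY_RUN" = "1" ] || ! iptables -C "$@" 2>/dev/null; then
        ipt -A "$@"
    fi
}

# Order matters: iptables stops at the first matching rule, so both ACCEPT rules
# must be appended before the catch-all DROP. The firewall sees the real TCP peer
# address, which is why mod_rpaf rewriting REMOTE_ADDR inside Apache does not
# affect these rules.
apply_backend_rules() {
    ensure_rule INPUT -i lo -p tcp --dport "$BACKEND_PORT" -j ACCEPT
    ensure_rule INPUT -p tcp --dport "$BACKEND_PORT" -s "$NGINX_IP" -j ACCEPT
    ensure_rule INPUT -p tcp --dport "$BACKEND_PORT" -j DROP
}

# Persist across reboots the way the answer does (RHEL/CentOS 6 init script).
# On other distributions use iptables-save with your distribution's rules file.
persist_rules() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'service iptables save\n'
    else
        service iptables save
    fi
}

# Reachability check to run from a given host after applying the rules:
# from the nginx host curl should succeed (exit 0); from any other host the
# SYN is silently dropped, so curl gives up with exit status 28 (timeout).
# Usage: check_backend <backend-ip>
check_backend() {
    curl -s -o /dev/null --max-time 5 "http://$1:$BACKEND_PORT/"
}

# Only apply when explicitly asked: ./backend-fw.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_backend_rules
    persist_rules
fi
```

Run `DRY_RUN=1 sh backend-fw.sh apply` first to review the exact commands, then as root without DRY_RUN to apply and save them. Because the rules use `-A` (append), check with `iptables -L INPUT -n --line-numbers` that no earlier rule in the chain already accepts port 8080 from everywhere, otherwise the DROP appended here would never be reached.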
