Reverse proxy like DNAT, any chance? :)

on 28.10.2009 13:05:37 by candrecn

Hi ppl,

Maybe it looks like a stupid question, but is there any way to make
Apache acting as a "reverse proxy" send the original source IP to the
destination? Like iptables DNAT?

'Cos I need to protect users/server (HTTPS) and the webserver (IDS), but my
SSL-out box (Apache RP) sends its own IP to the Apache webserver, not the
original source... then I can't just block the SSL-out box IP (but I need an
active response from Snort... even passive, a lot of alerts from the
SSL-out IP doesn't help so much).

Here's my conf: INTERNET---HTTPS---SSLOUTBOX---HTTP---IDS---WEBSERVER

Thanks :)

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: Reverse proxy like DNAT, any chance? :)

on 28.10.2009 13:29:38 by Emmanuel Bailleul

> -----Original Message-----
> From: Carlos André [mailto:candrecn@gmail.com]
> Sent: Wednesday, 28 October 2009 13:06
> To: users@httpd.apache.org
> Subject: [users@httpd] Reverse proxy like DNAT, any chance? :)
>
> Hi ppl,
>
> Maybe it looks like a stupid question, but is there any way to make
> Apache acting as a "reverse proxy" send the original source IP to the
> destination? Like iptables DNAT?
>
> 'Cos I need to protect users/server (HTTPS) and the webserver (IDS), but my
> SSL-out box (Apache RP) sends its own IP to the Apache webserver, not the
> original source... then I can't just block the SSL-out box IP (but I need an
> active response from Snort... even passive, a lot of alerts from the
> SSL-out IP doesn't help so much).
>
> Here's my conf: INTERNET---HTTPS---SSLOUTBOX---HTTP---IDS---WEBSERVER
>
> Thanks :)
>

Hi,

Would there be any chance your IDS extracts the source address info from the
"X-Forwarded-For" header instead of the source IP?

Regards.

Emmanuel


Re: Reverse proxy like DNAT, any chance? :)

on 28.10.2009 14:48:27 by candrecn

Hi Emmanuel,

I'm using Snort.
It doesn't (yet) permit use of "X-Forwarded-For" :(
Anyway, since I can't block the IP of the SSL-out box, then when this feature
comes out I can't put an inline IDS with an active response function on the same box.
Maybe an IDS sensor after the SSL-out box, then, on an event... send a command
to the SSL-out box to DROP the attacker IP... Or just put the IDS and SSL-out on the
same box... (I prefer to segregate; anyway, sending a DROP command to
another box will slow down the response a little...) If any event is detected
from an X-Forwarded IP then just put it on iptables (-I INPUT -s
-j DROP) or something like that...


On Wed, Oct 28, 2009 at 9:29 AM, Emmanuel Bailleul wrote:
>> -----Original Message-----
>> From: Carlos André [mailto:candrecn@gmail.com]
>> Sent: Wednesday, 28 October 2009 13:06
>> To: users@httpd.apache.org
>> Subject: [users@httpd] Reverse proxy like DNAT, any chance? :)
>>
>> Hi ppl,
>>
>> Maybe it looks like a stupid question, but is there any way to make
>> Apache acting as a "reverse proxy" send the original source IP to the
>> destination? Like iptables DNAT?
>>
>> 'Cos I need to protect users/server (HTTPS) and the webserver (IDS), but my
>> SSL-out box (Apache RP) sends its own IP to the Apache webserver, not the
>> original source... then I can't just block the SSL-out box IP (but I need an
>> active response from Snort... even passive, a lot of alerts from the
>> SSL-out IP doesn't help so much).
>>
>> Here's my conf: INTERNET---HTTPS---SSLOUTBOX---HTTP---IDS---WEBSERVER
>>
>> Thanks :)
>>
>
> Hi,
>
> Would there be any chance your IDS extracts the source address info from the
> "X-Forwarded-For" header instead of the source IP?
>
> Regards.
>
> Emmanuel
>
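The "event from an X-Forwarded-For IP, then an iptables DROP on the SSL-out box" idea sketched above, worked through as an added example (not code from the thread or from Apache/Snort). It assumes the SSL-out box is 10.0.0.2 (a constructed address) and that the sensor has already pulled the header value out of the request; the point it adds is that only the entry appended by the trusted proxy can be relied on, since everything to its left was supplied by the client.

```python
import ipaddress
from typing import List, Optional

# Constructed value: the only proxy we trust to append X-Forwarded-For is the
# SSL-out box. Any other entry in the header was put there by the client.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def client_ip(xff: str, trusted=TRUSTED_PROXIES) -> Optional[str]:
    """Return the real client address from an X-Forwarded-For value.

    The trusted proxy appends the peer it accepted the connection from, so the
    rightmost entry that is not itself a trusted proxy is the address the proxy
    actually saw. Entries further left are client-supplied and ignored.
    """
    if not xff or xff == "-":
        return None
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None          # junk where the proxy's own entry should be
        if addr not in trusted:
            return str(addr)
    return None                  # only proxies in the chain: nothing to block


def drop_rule(ip: str) -> List[str]:
    """Build the iptables command (as an argv list, never a shell string) that
    the sensor would send to the SSL-out box for a confirmed event."""
    ipaddress.ip_address(ip)     # raises on anything that is not an address
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    # Constructed header values as the web server behind the proxy sees them:
    # a plain client, a client that forged an extra hop, and a request that
    # carried no header at all.
    for xff in ["203.0.113.7", "bogus, 203.0.113.7", "198.51.100.9, 10.0.0.2", "-"]:
        ip = client_ip(xff)
        print(repr(xff), "->", ip, "->", " ".join(drop_rule(ip)) if ip else "no rule")
```

Blocking on a client-supplied entry instead would let whoever sends the request choose which address the SSL-out box drops, which is why the walk starts from the right.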
