On 11.04.2014 15:34, Andre Nathan wrote:
> I'm trying to protect a webserver from DDoS attacks. The plan for this is to
> not publish its IP address anywhere public. DNS records point to a CDN service
> like CloudFlare. The CDN will sync to the webserver via a random entry in the
> zone, making it "undiscoverable".
>
> The issue I'm facing is that a malicious user would still be able to find the
> real server address via Apache's SERVER_ADDR environment variable, e.g. from a
> PHP script. I tried using SetEnv / SetEnvIf to change its value or unset it,
> but apparently this is not possible. I believe writing a module to do just
> that won't work either, since as I understand it, the variable is set after
> all modules are processed.
>
> Would it be a good idea to allow SERVER_ADDR to optionally not be set? I could
> work on a patch to do this if the idea is considered valid.
IMHO the wrong or a too complicated way with possible side-effects

* if your IP address is not publicly reachable it does not need to be protected
* so block any incoming request to that IP from outside
* allow only the reverse proxy / CDN limited access on the network layer

results in: maybe somebody knows the IP, which means he does not know much more
than "I have 127.0.0.1 and a 192.168.x.x subnet"

consider that it needs a malicious user with access already, really interested
in that information, with any clue what to do with that information, and
finally, if knowing a specific IP address opens whatever attack, the problem is
on a deeper level, because even placing it on the homepage should not do any
harm; otherwise all servers out there with their real IP in DNS would have a
problem
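The network-layer approach the reply recommends, as an added example that is not part of this thread: a shell script that generates an nftables ruleset so the origin's real address accepts HTTP/HTTPS only from the CDN / reverse-proxy prefixes and drops every other inbound connection. The prefixes and the management network are constructed placeholders, not CloudFlare's published ranges.

```shell
#!/usr/bin/env bash
# Added example: restrict the origin at the network layer so that knowing its
# real IP (e.g. via SERVER_ADDR) gives an outsider nothing to connect to.
set -eu

CDN_PREFIXES="198.51.100.0/24 203.0.113.0/24"  # constructed placeholders; use the CDN's real ranges
ADMIN_PREFIX="192.0.2.0/24"                      # constructed: management network allowed to SSH

# Emit a complete ruleset for `nft -f -`: web ports are reachable only from the
# CDN set, SSH only from the admin prefix, everything else hits the drop policy.
gen_origin_rules() {
  local cdn_set
  cdn_set=$(echo "$1" | tr ' ' ',')
  cat <<EOF
flush ruleset
table inet origin {
  set cdn { type ipv4_addr; flags interval; elements = { ${cdn_set} } }
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ip saddr @cdn tcp dport { 80, 443 } accept
    ip saddr ${2} tcp dport 22 accept
    log prefix "origin-drop: " drop
  }
}
EOF
}

# Sanity check: exactly one rule may grant web access, and it must be the
# CDN-set rule, so the ruleset never falls back to "accept from anywhere".
count_web_accepts() {
  gen_origin_rules "$1" "$2" | grep -c 'ip saddr @cdn tcp dport { 80, 443 } accept'
}

# Apply only when explicitly asked and nft is present; otherwise print for review.
if [ "${1:-}" = "--apply" ] && command -v nft >/dev/null 2>&1; then
  gen_origin_rules "$CDN_PREFIXES" "$ADMIN_PREFIX" | nft -f -
else
  gen_origin_rules "$CDN_PREFIXES" "$ADMIN_PREFIX"
fi
```

Review the printed ruleset first, then run with `--apply` as root; the dropped packets are logged with the `origin-drop:` prefix so a scan of the origin's real address shows up in the logs instead of reaching Apache.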