Hello I'm trying to protect a webserver from DDoS attacks. The plan for this is to not publish its IP address anywhere public. DNS records point to a CDN service like CloudFlare. The CDN will sync to the webserver via a random entry in the zone, making it "undiscoverable".
The issue I'm facing is that a malicious user would still be able to find the real server address via Apache's SERVER_ADDR environment variable, eg. from a PHP script. I tried using SetEnv / SetEnvIf to change it's value or unset it, but apparently this is not possible. I believe writing a module to do just that won't work either, since as I understand it, the variable is set after all modules are processed. Would it be a good idea to allow SERVER_ADDR to optionally not be set? I could work on a patch to do this if the idea is considered valid. Thanks in advance, Andre
