Hey,

You could do it through 2 HAProxy instances:
- the first instance uses the IP address from the X-Forwarded-For header to get connected to the second one (through the proxy protocol, using a patched kernel).
- the second can rate limit based on the source IP provided through the proxy protocol.

Note that the DG of the second HAProxy server must be the first HAProxy instance (otherwise it would answer directly to the client and the connection would be dropped by some firewalls or the client itself).

You have to use HAProxy 1.5.

Some reading for you: http://blog.exceliance.fr/2012/06/05/preserve-source-ip-address-despite-reverse-proxies/

I'm not saying that you must replace the reverse proxy in DMZ by HAProxy, but only that installing 2 layers of HAProxy could do the job for you.

Cheers

On Fri, Jun 15, 2012 at 12:08 PM, John - <[email protected]> wrote:
> My organisation is currently structured such that all incoming/outgoing web
> traffic is routed through an HTTP proxy server on the network perimeter, and
> websites we host internally are reverse-proxied through this server for
> external access. In this way, any web server my team maintains can only use
> the X-Forwarded-For HTTP header to indicate a request's origin on the
> internet.
>
> I've been able to configure a rate limiting instance of HAProxy based around
> this example (http://blog.serverfault.com/2010/08/26/1016491873/), however,
> as expected this configuration only ever identifies the reverse proxy's
> address as a HTTP request's origin and will rate limit all traffic to the
> server, rather than being able to pick specific malicious IPs. Is there any
> way a similar configuration could be created to use the X-Forwarded-For
> information when rate limiting? I've been able to configure Nginx to do
> this, though its raw performance is nothing like what I've seen from
> HAProxy so far.
>
> I know configuring rate limiting or alternative security measures on the
> reverse proxy itself would be the best solution, though organisational
> constraints currently prevent this.
>
> Any help would be much appreciated.
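The two-layer design described in the reply above, written out as an added example configuration; it is not taken from the reply, the linked blog post, or the HAProxy project. It shows two separate HAProxy 1.5 configuration files: instance 1 accepts traffic only from the DMZ reverse proxy and connects to instance 2 with the source address rewritten to the client IP found in the last X-Forwarded-For value (the value appended by the DMZ proxy; earlier values can be supplied by the client and must not be trusted), and instance 2 keys its stick-table on `src`, which is now the real client IP. All addresses, section names and the 20-requests-per-10s threshold are hypothetical. The source rewrite needs a TPROXY-capable kernel and an HAProxy build with Linux TPROXY support, and, as the reply says, instance 2's default gateway must be instance 1 so replies flow back through it.

```haproxy
# ===== Instance 1 (file 1 of 2): sits between the DMZ proxy and the limiter =====
# Hypothetical addresses: 10.0.0.10 = DMZ reverse proxy, 10.0.1.10 = this
# instance, 10.0.1.20 = instance 2, 10.0.2.30 = the web server.
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_from_dmz
    bind 10.0.1.10:80
    # Only the DMZ proxy may reach this instance: a request arriving from
    # anywhere else could carry a forged X-Forwarded-For and would otherwise
    # choose its own rate-limit bucket.
    acl from_dmz src 10.0.0.10
    http-request deny unless from_dmz
    default_backend be_to_limiter

backend be_to_limiter
    # Open the connection to instance 2 with the source address set to the
    # LAST X-Forwarded-For value (occurrence -1), i.e. the one the DMZ proxy
    # appended. Requires TPROXY support in the kernel and HAProxy built with
    # USE_LINUX_TPROXY=1; return traffic must route back via this host.
    source 0.0.0.0 usesrc hdr_ip(X-Forwarded-For,-1)
    server limiter 10.0.1.20:80

# ===== Instance 2 (file 2 of 2): rate limits on the now-real source IP =====
# Default gateway of this host = 10.0.1.10 (instance 1), per the reply.
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_ratelimit
    bind 10.0.1.20:80
    # Per-IP table: up to 100k client entries, dropped after 30s of silence,
    # storing the HTTP request rate over a sliding 10s window.
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    # Hypothetical threshold: more than 20 requests in 10s from one client IP
    # is rejected with 403; adjust to the application's real traffic profile.
    http-request deny if { sc_http_req_rate(0) gt 20 }
    default_backend be_web

backend be_web
    server web1 10.0.2.30:80
```

Because instance 2 limits on `src`, the example from the serverfault post John linked (which tracks `src`) carries over unchanged once instance 1 has restored the client address; the one rule that matters for security is the `-1` occurrence in `hdr_ip`, combined with the `from_dmz` check, so that only the address the trusted proxy appended is ever used as a rate-limit key.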

