Hi,
I have implemented the standard fe-be scheme as discussed many times
on this list and described by Stas in his guide. Sorry if I
don't understand something simple.
Everything works, but I have a problem with securing my
backend server - I want the backend to accept requests only from my frontend.
I have in the backend's conf file:
<Directory "/db1/w3/comps/discovery">
    Options FollowSymLinks ExecCGI Includes MultiViews
    AllowOverride All
    Order deny,allow
    Deny from all
    Allow from MY_PROXY_IP
</Directory>
This should work, but for some reason I get access forbidden
for all clients. It looks like access control is checked twice for
each request - the first time it passes OK, because the request indeed
is coming from the frontend, and the second time it fails because now the IP
address is the IP address of the original client, which I get from the
X-Forwarded-For header in the ProxyRemoteAddr handler as
described in the Guide. Is this expected behaviour?
And what's a proper way to secure the backend server?
Another question:
In the ProxyRemoteAddr handler there is a check for the IP address of
the proxy server:
    if ($r->connection->remote_ip eq "MY_PROXY_IP")
I have several aliases on my server and I don't know which IP address
would be used in $r->connection->remote_ip. I explicitly use the
Listen MY_PROXY_IP:80 directive in the configuration of the proxy server
and expect MY_PROXY_IP to be in $r->connection->remote_ip,
but somehow I see another IP address (alias) there.
Any ideas?
regards,
Oleg
_____________________________________________________________
Oleg Bartunov, sci.researcher, hostmaster of AstroNet,
Sternberg Astronomical Institute, Moscow University (Russia)
Internet: [EMAIL PROTECTED], http://www.sai.msu.su/~megera/
phone: +007(095)939-16-83, +007(095)939-23-83