Hi,
I'm running a mod_perl/Mason app at a fairly large company. We have two pools
of machines, each pool with its own pair of load balancers. One pool uses F5
BigIP, and the other uses Netscaler. The problem that I'm having is that the
Apache variable REMOTE_ADDR seems to correctly represent the client IP address
when the request is dispatched from the F5. But with the Netscalers,
REMOTE_ADDR always reflects the IP address of the load balancer itself.
Netscaler does provide the ability for us to define custom headers to maintain
true client state info (i.e. the real client IP address), and that works fine
for deriving the proper client IP inside the mod_perl app, as well as
application logging.
The problem I'm having is that we have secret URIs (or Locations) in the
application, that we restrict by internal IP addresses, as well as
authentication. All of these secret Locations are protected using mod_access
deny/allow functionality. But because of the way the Netscalers instantiate the
incoming HTTP request with our individual nodes in the pool, we are always
seeing the balancer's IP. So, I've had to loosen my allow restrictions from
what used to be class C subnets, to basically 10.* just to allow ourselves to
access the secret Locations through the Netscaler pool. That means if any
outside user happens to guess the secret Location(s), they can get to the
authentication part of the protection with 50% probability.
Our operations staff says we are sticking with F5's on the one pool, and
Netscaler on the other, so I have to deal with the difference. Also, we cannot
add the equivalent pass-thru header in the F5's, like the NetScalers have. How
can I restrict a secret Location by IP or domain, if the Netscalers are
incapable of preserving the real client IP when dispatching to the individual
nodes in the pool, and we cannot have the F5's replicate the pass-thru header
information the same as the Netscalers?
SetEnvIf is really not an option for us either, because we have
business/marketing folks in offices around the world that access these secret
locations. It's just not realistic to have them all set some custom header or
something, way too difficult from an IT perspective.
The only option I can think of is to abandon the access security at the apache
level, and move it into the application. Does anyone have any other ideas?
Ex. from our config:
<LocationMatch "^/+(marketing/report.*)$">
order deny,allow
deny from all
allow from 10 172.16 192.168
</LocationMatch>
Our App:
- RedHat 7.2
- Apache 1.3.28
- mod_perl 1.29
Thanks in advance for any help you can offer.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
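The poster's last option, moving the IP check out of mod_access and into the application, is the usual answer to this problem, and the security-relevant detail is where the forwarded client address is trusted: a client-IP header must only be honoured when the TCP peer is one of the NetScalers, since any other peer can forge it. Below is an added example of that logic as a mod_perl 1.x PerlAccessHandler; it is not code from the original post. The header name `X-Client-IP`, the NetScaler addresses in `@TRUSTED_PROXIES`, the class C ranges in `@ALLOWED_NETS`, and the module path in the configuration comment are all placeholders to be replaced with the site's real values.

```perl
package My::TrustedClientIP;
# Added example (not from the original post): a mod_perl 1.x access handler
# that recovers the real client IP behind a NetScaler and re-applies the
# class C restrictions that mod_access could no longer enforce.
#
# httpd.conf (path is a placeholder):
#   PerlRequire /usr/local/apache/lib/perl/My/TrustedClientIP.pm
#   <LocationMatch "^/+(marketing/report.*)$">
#       PerlAccessHandler My::TrustedClientIP
#   </LocationMatch>
use strict;
use warnings;
use Apache::Constants qw(OK FORBIDDEN);

# Assumed values, not taken from the original post.
my $CLIENT_IP_HEADER = 'X-Client-IP';          # header the NetScaler inserts
my @TRUSTED_PROXIES  = ('10.0.0.0/30');         # the NetScaler addresses only
my @ALLOWED_NETS     = ('10.1.2.0/24', '10.7.8.0/24', '192.168.5.0/24');

# Dotted quad -> 32-bit integer; undef for anything that is not a valid IPv4.
sub ip_to_int {
    my ($ip) = @_;
    return undef unless defined $ip
        && $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    my @octets = ($1, $2, $3, $4);
    return undef if grep { $_ > 255 } @octets;
    return unpack('N', pack('C4', @octets));
}

# True when $ip falls inside "a.b.c.d/bits" (or a bare address).
sub in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    $bits = 32 unless defined $bits;
    my $ip_n  = ip_to_int($ip);
    my $net_n = ip_to_int($net);
    return 0 unless defined $ip_n && defined $net_n;
    return 1 if $bits == 0;
    my $mask = (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return (($ip_n & $mask) == ($net_n & $mask)) ? 1 : 0;
}

sub in_any {
    my ($ip, @nets) = @_;
    for my $n (@nets) { return 1 if in_cidr($ip, $n) }
    return 0;
}

# Decide which address represents the client.
#   - Peer is not a trusted balancer (e.g. the F5 pool, or a direct hit):
#     use the peer address; ignore any header, it could be forged.
#   - Peer is a trusted balancer: use the rightmost address in the header,
#     since that is the one the balancer itself observed; anything earlier
#     in a comma-separated list was supplied by the client.
#   - Peer is a trusted balancer but the header is missing or unparsable:
#     return undef so the caller denies rather than trusting the balancer IP.
sub effective_client_ip {
    my ($peer_ip, $header_value) = @_;
    return $peer_ip unless in_any($peer_ip, @TRUSTED_PROXIES);
    return undef unless defined $header_value;
    my @hops = map { s/^\s+|\s+$//g; $_ } split /,/, $header_value;
    my $last = $hops[-1];
    return (defined $last && defined ip_to_int($last)) ? $last : undef;
}

sub handler {
    my $r = shift;
    my $client = effective_client_ip($r->connection->remote_ip,
                                     $r->header_in($CLIENT_IP_HEADER));
    unless (defined $client) {
        $r->log_reason("no usable $CLIENT_IP_HEADER from balancer", $r->uri);
        return FORBIDDEN;
    }
    return OK if in_any($client, @ALLOWED_NETS);
    $r->log_reason("client $client not in allowed networks", $r->uri);
    return FORBIDDEN;
}

1;
```

Because the F5 addresses are not in `@TRUSTED_PROXIES`, the same module behaves correctly on both pools: on the F5 side `remote_ip` is already the client and is used directly, and on the NetScaler side the header is consulted. Denying when a trusted balancer fails to supply the header avoids the failure mode where the balancer's own 10.x address would otherwise pass a broad `allow from 10` rule.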