servers behind load balancer - need to allow access based on x-forwarded-for

I have multiple servers behind a load balancer, and I am trying to deny access to certain files unless you come from our building's IP address. I have tried a number of different things but I cannot seem to make this work. The servers are Rackspace Cloud Servers behind a Rackspace Load Balancer. I am using .htaccess for the sites and have tried the following.

<Files myfile.php>
Order Allow,Deny
Deny from all
SetEnvIF X-Forwarded-For "x.x.x.x" AllowIP
SetEnvIF X-Forwarded-For "y.y.y.y" AllowIP
Allow from env=AllowIP
</Files>


So I guess the question has a couple of parts

1. Is the above the right way to do this?
2. Since it isn't working (I get denied as well as everyone else), how do I tell if X-Forwarded-For is being set and see what format it is in?
3. If the above isn't the right way to do this, what is?

Thanks for your help
jrm213 Asked:
Bernard S. (CTO) Commented:
I would rather change your code to
<Files myfile.php>
# Deny,Allow: Allow is evaluated last, so the listed addresses override "Deny from all"
Order Deny,Allow
Deny from all
Allow from x.x.x.x y.y.y.y
</Files>

which would grant access from IPs x.x.x.x y.y.y.y and disallow from others.

This probably has no effect on your expected balancing, though.
0
Richard R Commented:
You can try something like this:

Deny from All
SetEnvIF X-Forwarded-For "1.2.3.4" AllowIP
Allow from env=AllowIP
Allow from 1.2.3.4


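If you only have a file to protect, you can put this inside that file or inside an include.
<?php
// Header value as received; empty string when the header is absent
$INCOMING = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
$ALLOWED = "1.2.3.4";
// Deny unless the header is exactly the allowed address
if ($INCOMING !== $ALLOWED)
{
	echo "Access denied!";
	exit;
}
?>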


If this doesn't work, make sure that your X-Forwarded-For header is correct, with the expected IP address.

Hope this helps!
0
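The PHP check above, extended to a header that carries more than one address and to requests that do not come through the load balancer; this is an added example, not part of Richard R's post. It assumes the load balancer appends the address it saw as the last X-Forwarded-For entry and that its own address is 10.0.0.10 (a placeholder); the function names and all addresses are hypothetical.

```php
<?php
// Added example, not code from the thread. All addresses are constructed placeholders.
const ALLOWED_IPS     = ['1.2.3.4', '2.3.4.5']; // office addresses
const TRUSTED_PROXIES = ['10.0.0.10'];          // assumed load balancer address

// Last X-Forwarded-For entry = address the load balancer itself saw.
// Anything before it was sent by the client and can be forged.
function lb_seen_ip(string $xff): ?string
{
    $parts = array_map('trim', explode(',', $xff));
    $last  = end($parts);
    return filter_var($last, FILTER_VALIDATE_IP) !== false ? $last : null;
}

function is_allowed(array $server): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    // Ignore the header unless the TCP peer is the load balancer.
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return in_array($peer, ALLOWED_IPS, true);
    }
    $ip = lb_seen_ip($server['HTTP_X_FORWARDED_FOR'] ?? '');
    return $ip !== null && in_array($ip, ALLOWED_IPS, true);
}

if (PHP_SAPI === 'cli') {
    // Constructed requests: REMOTE_ADDR, X-Forwarded-For header value.
    $samples = [
        ['10.0.0.10', '1.2.3.4'],          // office user through the load balancer
        ['10.0.0.10', '1.2.3.4, 9.9.9.9'], // outsider who sent a forged header
        ['10.0.0.10', '9.9.9.9, 2.3.4.5'], // office user whose request already had a header
        ['10.0.0.10', ''],                 // header missing
        ['9.9.9.9',   '1.2.3.4'],          // direct connection with a forged header
    ];
    foreach ($samples as [$peer, $xff]) {
        $ok = is_allowed(['REMOTE_ADDR' => $peer, 'HTTP_X_FORWARDED_FOR' => $xff]);
        printf("%-10s %-20s %s\n", $peer, $xff, $ok ? 'allow' : 'deny');
    }
} elseif (!is_allowed($_SERVER)) {
    // Web request: enforce the check before the protected file does anything.
    http_response_code(403);
    exit('Access denied!');
}
```

Run from the command line it prints the decision for each constructed request; included at the top of the protected file it enforces the same decision.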

Richard R Commented:
Any update on this? Did you get to test the solutions?
0
jrm213 Author Commented:
Hi,

Sorry for the delay, I am apparently not getting notifications when people reply.

@rr100 your post works. I guess I am confused why you need the double entry. For example, if
Deny from All
SetEnvIF X-Forwarded-For "1.2.3.4" AllowIP
Allow from env=AllowIP


why do you then need to also include,
Allow from 1.2.3.4
shouldn't AllowIP be set and that handle the allow?

So to allow from multiple IPs I need to add in

Deny from All
SetEnvIF X-Forwarded-For "1.2.3.4" AllowIP
SetEnvIF X-Forwarded-For "2.3.4.5" AllowIP
SetEnvIF X-Forwarded-For "3.4.5.6" AllowIP
Allow from env=AllowIP
Allow from 1.2.3.4
Allow from 2.3.4.5
Allow from 3.4.5.6


just seems redundant so I never thought to do that.
0
Richard R Commented:
Correct, it seems redundant; I've always used it like that. But from my point of view (without reading the documentation), we're assigning the IPs from X-Forwarded-For to AllowIP, which I guess sets each one as if it were a regular client IP. After that we are allowed to add the rules to Deny or Allow; maybe think of it as a filter/converter.
That's my guess; I would have to read up on it to find out exactly what happens behind the scenes.

Glad it works for you though.
0
Apache Web Server


Question has a verified solution.
