Solved

Apache webservers behind load balancer - restrict them to only serving traffic to the load balancer

Posted on 2014-10-30
11
171 Views
Last Modified: 2015-02-06
Hi, we have a few apache webservers behind a couple of load balancers.

I would like to make sure that the only web traffic that occurs is coming from the load balancers... So basically I don't want someone who knows the IP-Address of the server to be able to send http/https requests to the server via it's ip address instead of going through one of the load balancers.

I am guessing it isn't overly complicated to do this, I just need to know how to do it. We are running Apache on a Debian Linux system.

Thanks!
0
Comment
Question by:jrm213jrm213
  • 3
  • 3
  • 3
  • +1
11 Comments
 
LVL 7

Assisted Solution

by:Stampel
Stampel earned 100 total points
ID: 40413513
In the firewall, you may only allow the load balancer IP to access apache port 80
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40413558
Something like :
iptables -A INPUT -s ip.address.of.LB -p tcp --dport http -j ACCEPT
0
 
LVL 12

Assisted Solution

by:Kent W
Kent W earned 400 total points
ID: 40413687
Here's how I do it.  Let's say your normal IP range is 192.168.1.0/24.  

Load Balancer - public eth0 -  192.168.1.10
Load Balancer - private eth1 - 192.168.10.10 (Add this so you can "talk" to other things with the same subnet)

Actual web servers "listening" IP, put them on the same network as your "private" above, say 192.168.10.20, 192.168.10.21, etc.

Setup your Virtual server on an IP from your 192.168.1.0 network (like 1.10 above), then when you add the backends, you add a private 10.0 based ip (like 192.168.10.20).

Point your DNS to the public IP on the virtual server you setup, and the LB will talk to the real web servers on the "private" IP range.  

Pretty simple, and works great.  You can also do this with one NIC, but then all traffic flows thorough it.  Remember, on your "private" range, don't worry about a Gateway.  You will be using host-to-host since your eth1 and real web servers are talking via the 10.0 network.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 17

Author Comment

by:jrm213jrm213
ID: 40415536
Thanks, will review and see what I can figure out.
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40415537
keep it simple :) just allow legit incoming trafic.
0
 
LVL 12

Expert Comment

by:Kent W
ID: 40415575
Currently, do your web servers have public or private IPs? Are they behind NAT, or hanging out in that wild?
0
 
LVL 17

Author Comment

by:jrm213jrm213
ID: 40415695
They have both public and private IP's. I am not sure if they are behind NAT so I am assuming that means no. These are cloud servers.
0
 
LVL 12

Accepted Solution

by:
Kent W earned 400 total points
ID: 40415932
Ok, that clears it up.  You have two options from what I see.  Usually, with cloud servers, you get a public and private IP per cloud server.

The most secure way is to bind your real apache web servers to the private ip, instead of the default "all interfaces".
Then, just name you private IPs as the real backends on your load balancer.  I'm assuming your LB and web servers are all in the same location , and can communicate with each other via the private IPs.
This removes the public IPs from being available to the 'net, and only your LB can send traffic to your backend servers.

Or, as was stated above, simply firewall off your web ports and only allow your LB's IP to access.  

When deciding which way to go, take into account that most cloud servers don't charge for bandwidth talking over the private IP set.  You don't want to pay for bandwidth between your LB and web servers, which you probably are if they are all talking to each other over the public IPs.  Also, many large cloud companies give you more speed on the private network than on the public.  Having your LB talk to your backend servers via the private IP set is usually much more beneficial then going "all public".
0
 
LVL 62

Expert Comment

by:gheist
ID: 40423936
Apache is good load balancer writing out standard logs on its own.
0
 
LVL 17

Author Closing Comment

by:jrm213jrm213
ID: 40594617
Thanks everyone. Sorry it took so long to get back to this.

I have set the firewall using UFW on top of iptables to only allow web traffic on the internal eth adapter and to only accept it from the full possible spectrum of ip's that the load balancers in my hosting location may use. Everything else is blocked by the firewall and I even went so far as to disable eth0 (the public ip address adapter) and everything is working great.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40595235
Very good configuration. You could use apache ACL in place of UFW...
0

Featured Post

Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Little introduction about CP: CP is a command on linux that use to copy files and folder from one location to another location. Example usage of CP as follow: cp /myfoder /pathto/destination/folder/ cp abc.tar.gz /pathto/destination/folder/ab…
Setting up Secure Ubuntu server on VMware 1.      Insert the Ubuntu Server distribution CD or attach the ISO of the CD which is in the “Datastore”. Note that it is important to install the x64 edition on servers, not the X86 editions. 2.      Power on th…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question