Solved

Apache webservers behind load balancer - restrict them to only serving traffic to the load balancer

Posted on 2014-10-30
11
185 Views
Last Modified: 2015-02-06
Hi, we have a few apache webservers behind a couple of load balancers.

I would like to make sure that the only web traffic that occurs is coming from the load balancers... So basically I don't want someone who knows the IP address of the server to be able to send http/https requests to the server via its IP address instead of going through one of the load balancers.

I am guessing it isn't overly complicated to do this, I just need to know how to do it. We are running Apache on a Debian Linux system.

Thanks!
0
Comment
Question by:jrm213jrm213
11 Comments
 
LVL 7

Assisted Solution

by:Stampel
Stampel earned 100 total points
ID: 40413513
In the firewall, you may only allow the load balancer IP to access apache port 80
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40413558
Something like :
iptables -A INPUT -s ip.address.of.LB -p tcp --dport http -j ACCEPT
0
 
LVL 12

Assisted Solution

by:Kent W
Kent W earned 400 total points
ID: 40413687
Here's how I do it.  Let's say your normal IP range is 192.168.1.0/24.  

Load Balancer - public eth0 -  192.168.1.10
Load Balancer - private eth1 - 192.168.10.10 (Add this so you can "talk" to other things with the same subnet)

Actual web servers "listening" IP, put them on the same network as your "private" above, say 192.168.10.20, 192.168.10.21, etc.

Setup your Virtual server on an IP from your 192.168.1.0 network (like 1.10 above), then when you add the backends, you add a private 10.0 based ip (like 192.168.10.20).

Point your DNS to the public IP on the virtual server you setup, and the LB will talk to the real web servers on the "private" IP range.  

Pretty simple, and works great.  You can also do this with one NIC, but then all traffic flows through it.  Remember, on your "private" range, don't worry about a Gateway.  You will be using host-to-host since your eth1 and real web servers are talking via the 10.0 network.
0
 
LVL 17

Author Comment

by:jrm213jrm213
ID: 40415536
Thanks, will review and see what I can figure out.
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40415537
keep it simple :) just allow legit incoming traffic.
0
 
LVL 12

Expert Comment

by:Kent W
ID: 40415575
Currently, do your web servers have public or private IPs? Are they behind NAT, or hanging out in that wild?
0
 
LVL 17

Author Comment

by:jrm213jrm213
ID: 40415695
They have both public and private IPs. I am not sure if they are behind NAT so I am assuming that means no. These are cloud servers.
0
 
LVL 12

Accepted Solution

by:Kent W
Kent W earned 400 total points
ID: 40415932
Ok, that clears it up.  You have two options from what I see.  Usually, with cloud servers, you get a public and private IP per cloud server.

The most secure way is to bind your real apache web servers to the private ip, instead of the default "all interfaces".
Then, just name your private IPs as the real backends on your load balancer.  I'm assuming your LB and web servers are all in the same location, and can communicate with each other via the private IPs.
This removes the public IPs from being available to the 'net, and only your LB can send traffic to your backend servers.

Or, as was stated above, simply firewall off your web ports and only allow your LB's IP to access.  

When deciding which way to go, take into account that most cloud servers don't charge for bandwidth talking over the private IP set.  You don't want to pay for bandwidth between your LB and web servers, which you probably are if they are all talking to each other over the public IPs.  Also, many large cloud companies give you more speed on the private network than on the public.  Having your LB talk to your backend servers via the private IP set is usually much more beneficial than going "all public".
0
 
LVL 62

Expert Comment

by:gheist
ID: 40423936
Apache is a good load balancer, writing out standard logs on its own.
0
 
LVL 17

Author Closing Comment

by:jrm213jrm213
ID: 40594617
Thanks everyone. Sorry it took so long to get back to this.

I have set the firewall using UFW on top of iptables to only allow web traffic on the internal eth adapter and to only accept it from the full possible spectrum of IPs that the load balancers in my hosting location may use. Everything else is blocked by the firewall and I even went so far as to disable eth0 (the public IP address adapter) and everything is working great.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40595235
Very good configuration. You could use an Apache ACL in place of UFW...
0
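As an added example (not code from any of the posters), here is the layered setup the accepted solution, the closing comment and the last comment describe, generated as reviewable files: Apache bound to the private IP with an Apache 2.4 "Require ip" ACL for the load-balancer ranges, plus the matching UFW rules for the private adapter. The interface name, private IP and load-balancer ranges are constructed placeholders; substitute the ranges your hosting provider publishes.

```shell
#!/bin/sh
# Constructed values for illustration: replace with your private interface,
# the web server's private IP, and the source ranges your LBs actually use.
PRIVATE_IF="eth1"
PRIVATE_IP="192.168.10.20"
LB_RANGES="192.168.10.0/24 10.0.0.0/8"   # placeholder LB source ranges

# Apache side: Listen only on the private IP (no wildcard Listen), and as a
# second layer let mod_authz_host (Apache 2.4 "Require ip") reject any client
# that is not a load balancer. Apache 2.2 would use "Allow from" instead.
render_apache_conf() {          # $1 = output file
    {
        echo "Listen ${PRIVATE_IP}:80"
        echo "Listen ${PRIVATE_IP}:443"
        echo "<Location \"/\">"
        for r in $LB_RANGES; do echo "    Require ip $r"; done
        echo "</Location>"
    } > "$1"
}

# Firewall side: the UFW commands for "deny everything inbound, allow 80/443
# on the private adapter only from the LB ranges". Written to a script so it
# can be reviewed before being run as root, not executed here.
render_ufw_script() {           # $1 = output file
    {
        echo "ufw default deny incoming"
        for r in $LB_RANGES; do
            for p in 80 443; do
                echo "ufw allow in on ${PRIVATE_IF} from $r to ${PRIVATE_IP} port $p proto tcp"
            done
        done
        echo "ufw enable"
    } > "$1"
}

# Sanity check: a leftover "Listen 80" or "Listen *:80" would bind the public
# IP again. Returns 0 only when there is at least one Listen and every Listen
# names the private IP.
check_listen_is_private() {     # $1 = Apache conf file
    grep -q '^Listen' "$1" || return 1
    ! grep '^Listen' "$1" | grep -v -F "${PRIVATE_IP}:" >/dev/null
}

# Demo: render both artifacts into a temp dir and validate the Apache part.
tmp=$(mktemp -d)
render_apache_conf "$tmp/lb-only.conf"
render_ufw_script  "$tmp/ufw-lb-only.sh"
check_listen_is_private "$tmp/lb-only.conf" && echo "Listen directives are private-only: $tmp"
```

Drop the generated .conf into the Apache configuration (replacing the default ports.conf Listen lines) and run the UFW script once you have confirmed the ranges; the check function is there to catch a forgotten wildcard Listen after later edits.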
