Apache webservers behind load balancer - restrict them to only serving traffic to the load balancer

Hi, we have a few apache webservers behind a couple of load balancers.

I would like to make sure that the only web traffic that occurs is coming from the load balancers... So basically I don't want someone who knows the IP-Address of the server to be able to send http/https requests to the server via it's ip address instead of going through one of the load balancers.

I am guessing it isn't overly complicated to do this, I just need to know how to do it. We are running Apache on a Debian Linux system.

Thanks!
LVL 17
jrm213jrm213Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

StampelCommented:
In the firewall, you may only allow the load balancer IP to access apache port 80
0
StampelCommented:
Something like :
iptables -A INPUT -s ip.address.of.LB -p tcp --dport http -j ACCEPT
0
Kent WSr. Network / Systems AdminCommented:
Here's how I do it.  Let's say your normal IP range is 192.168.1.0/24.  

Load Balancer - public eth0 -  192.168.1.10
Load Balancer - private eth1 - 192.168.10.10 (Add this so you can "talk" to other things with the same subnet)

Actual web servers "listening" IP, put them on the same network as your "private" above, say 192.168.10.20, 192.168.10.21, etc.

Setup your Virtual server on an IP from your 192.168.1.0 network (like 1.10 above), then when you add the backends, you add a private 10.0 based ip (like 192.168.10.20).

Point your DNS to the public IP on the virtual server you setup, and the LB will talk to the real web servers on the "private" IP range.  

Pretty simple, and works great.  You can also do this with one NIC, but then all traffic flows thorough it.  Remember, on your "private" range, don't worry about a Gateway.  You will be using host-to-host since your eth1 and real web servers are talking via the 10.0 network.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

jrm213jrm213Author Commented:
Thanks, will review and see what I can figure out.
0
StampelCommented:
keep it simple :) just allow legit incoming trafic.
0
Kent WSr. Network / Systems AdminCommented:
Currently, do your web servers have public or private IPs? Are they behind NAT, or hanging out in that wild?
0
jrm213jrm213Author Commented:
They have both public and private IP's. I am not sure if they are behind NAT so I am assuming that means no. These are cloud servers.
0
Kent WSr. Network / Systems AdminCommented:
Ok, that clears it up.  You have two options from what I see.  Usually, with cloud servers, you get a public and private IP per cloud server.

The most secure way is to bind your real apache web servers to the private ip, instead of the default "all interfaces".
Then, just name you private IPs as the real backends on your load balancer.  I'm assuming your LB and web servers are all in the same location , and can communicate with each other via the private IPs.
This removes the public IPs from being available to the 'net, and only your LB can send traffic to your backend servers.

Or, as was stated above, simply firewall off your web ports and only allow your LB's IP to access.  

When deciding which way to go, take into account that most cloud servers don't charge for bandwidth talking over the private IP set.  You don't want to pay for bandwidth between your LB and web servers, which you probably are if they are all talking to each other over the public IPs.  Also, many large cloud companies give you more speed on the private network than on the public.  Having your LB talk to your backend servers via the private IP set is usually much more beneficial then going "all public".
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
gheistCommented:
Apache is good load balancer writing out standard logs on its own.
0
jrm213jrm213Author Commented:
Thanks everyone. Sorry it took so long to get back to this.

I have set the firewall using UFW on top of iptables to only allow web traffic on the internal eth adapter and to only accept it from the full possible spectrum of ip's that the load balancers in my hosting location may use. Everything else is blocked by the firewall and I even went so far as to disable eth0 (the public ip address adapter) and everything is working great.
0
gheistCommented:
Very good configuration. You could use apache ACL in place of UFW...
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Apache Web Server

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.