jrm213jrm213 asked:
Apache webservers behind load balancer - restrict them to only serving traffic to the load balancer

Hi, we have a few apache webservers behind a couple of load balancers.

I would like to make sure that the only web traffic that occurs is coming from the load balancers... So basically I don't want someone who knows the IP address of the server to be able to send http/https requests to the server via its IP address instead of going through one of the load balancers.

I am guessing it isn't overly complicated to do this, I just need to know how to do it. We are running Apache on a Debian Linux system.

Thanks!
Stampel:
Something like:
iptables -A INPUT -s ip.address.of.LB -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport http -j DROP
jrm213jrm213 (ASKER):
Thanks, will review and see what I can figure out.
Keep it simple :) just allow legit incoming traffic.
Currently, do your web servers have public or private IPs? Are they behind NAT, or hanging out in the wild?
They have both public and private IPs. I am not sure if they are behind NAT so I am assuming that means no. These are cloud servers.
Apache is a good load balancer, writing out standard logs on its own.
Thanks everyone. Sorry it took so long to get back to this.

I have set the firewall using UFW on top of iptables to only allow web traffic on the internal eth adapter and to only accept it from the full possible spectrum of IPs that the load balancers in my hosting location may use. Everything else is blocked by the firewall and I even went so far as to disable eth0 (the public IP address adapter) and everything is working great.
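As an added example (not code from any of the posts above), the following shell script turns Stampel's one-line iptables rule and the asker's UFW description into a complete, reviewable ruleset. The load-balancer ranges (10.20.0.0/24, 10.20.1.0/24) and the internal interface name (eth1) are constructed placeholders; the script only prints the commands so they can be inspected before being applied as root, and it checks the first-match ordering that iptables depends on.

```shell
#!/bin/sh
# Added example: host firewall allowlist for Apache behind load balancers.
# Constructed assumptions: the load balancers use 10.20.0.0/24 and 10.20.1.0/24,
# and the web server's internal interface is eth1. Adjust both before use.

LB_RANGES="10.20.0.0/24 10.20.1.0/24"
LB_IFACE="eth1"

# Print iptables rules: accept web traffic from each LB range on the internal
# interface only, then drop everything else destined for the web ports on any
# interface, so a request sent straight to the public address never reaches Apache.
gen_iptables_rules() {
    for cidr in $LB_RANGES; do
        for port in 80 443; do
            printf 'iptables -A INPUT -i %s -s %s -p tcp --dport %s -j ACCEPT\n' \
                "$LB_IFACE" "$cidr" "$port"
        done
    done
    printf 'iptables -A INPUT -p tcp --dport 80 -j DROP\n'
    printf 'iptables -A INPUT -p tcp --dport 443 -j DROP\n'
}

# Same policy expressed for UFW (what the asker ended up using): default deny,
# then one allow rule per LB range, restricted to the internal interface.
gen_ufw_rules() {
    printf 'ufw default deny incoming\n'
    for cidr in $LB_RANGES; do
        printf 'ufw allow in on %s from %s to any port 80,443 proto tcp\n' \
            "$LB_IFACE" "$cidr"
    done
}

# Number of generated iptables rules: two ports per LB range plus the two drops.
count_iptables_rules() {
    gen_iptables_rules | wc -l | tr -d ' '
}

# iptables evaluates a chain first-match: an ACCEPT placed after the DROP for the
# same port is dead code and would silently lock the load balancers out.
# Returns 0 when every ACCEPT precedes the first DROP, 1 otherwise.
check_rule_order() {
    gen_iptables_rules | awk '
        /-j DROP/               { seen_drop = 1 }
        /-j ACCEPT/ && seen_drop { bad = 1 }
        END                     { exit bad ? 1 : 0 }'
}

# Print both forms for review; nothing here touches the live firewall.
printf '# iptables form\n'
gen_iptables_rules
printf '\n# ufw form\n'
gen_ufw_rules
```

Run it as a normal user to read the rules, then apply whichever set matches the tooling on the host. Note that the ACCEPT rules are bound to the internal interface while the DROP rules are not: that is what makes disabling eth0, as the asker did, a belt-and-braces measure rather than the only thing keeping the public address closed.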
Very good configuration. You could use Apache ACL in place of UFW...
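For the Apache-level alternative mentioned in that last comment, here is an added example of a Debian-style Apache 2.4 site configuration (not from any poster) that admits only the load balancers. The internal address 10.20.5.10 and the load-balancer ranges are constructed placeholders.

```apache
# Added example: Apache 2.4 restricted to load-balancer traffic.
# Constructed values: internal address 10.20.5.10, LB ranges 10.20.0.0/24 and 10.20.1.0/24.

# Bind only to the internal address, so the public address is never offered a socket.
# (Replaces the default "Listen 80" in ports.conf on Debian.)
Listen 10.20.5.10:80

<VirtualHost 10.20.5.10:80>
    ServerName www.example.com
    DocumentRoot /var/www/html

    <Location "/">
        # Apache 2.4 authorization: anything not listed is refused with 403.
        Require ip 10.20.0.0/24 10.20.1.0/24
    </Location>

    # Refused requests are still logged, which makes direct-to-origin
    # attempts visible to whoever reads the logs.
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

An HTTPS virtual host follows the same pattern on port 443. Two caveats a practitioner should keep in mind: `Require ip` is evaluated only after the TCP connection has been accepted and the request parsed, so it complements the firewall rather than replacing it; and if mod_remoteip is enabled to recover the real client address from an X-Forwarded-For header, `Require ip` then matches against that recovered address instead of the load balancer's, so the load-balancer check belongs in the firewall in that setup.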