Solved

Apache webservers behind load balancer - restrict them to only serving traffic to the load balancer

Posted on 2014-10-30
11
170 Views
Last Modified: 2015-02-06
Hi, we have a few apache webservers behind a couple of load balancers.

I would like to make sure that the only web traffic that occurs is coming from the load balancers... So basically I don't want someone who knows the IP-Address of the server to be able to send http/https requests to the server via it's ip address instead of going through one of the load balancers.

I am guessing it isn't overly complicated to do this, I just need to know how to do it. We are running Apache on a Debian Linux system.

Thanks!
0
Comment
Question by:jrm213jrm213
  • 3
  • 3
  • 3
  • +1
11 Comments
 
LVL 7

Assisted Solution

by:Stampel
Stampel earned 100 total points
ID: 40413513
In the firewall, you may only allow the load balancer IP to access apache port 80
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40413558
Something like :
iptables -A INPUT -s ip.address.of.LB -p tcp --dport http -j ACCEPT
0
 
LVL 12

Assisted Solution

by:Kent W
Kent W earned 400 total points
ID: 40413687
Here's how I do it.  Let's say your normal IP range is 192.168.1.0/24.  

Load Balancer - public eth0 -  192.168.1.10
Load Balancer - private eth1 - 192.168.10.10 (Add this so you can "talk" to other things with the same subnet)

Actual web servers "listening" IP, put them on the same network as your "private" above, say 192.168.10.20, 192.168.10.21, etc.

Setup your Virtual server on an IP from your 192.168.1.0 network (like 1.10 above), then when you add the backends, you add a private 10.0 based ip (like 192.168.10.20).

Point your DNS to the public IP on the virtual server you setup, and the LB will talk to the real web servers on the "private" IP range.  

Pretty simple, and works great.  You can also do this with one NIC, but then all traffic flows thorough it.  Remember, on your "private" range, don't worry about a Gateway.  You will be using host-to-host since your eth1 and real web servers are talking via the 10.0 network.
0
 
LVL 17

Author Comment

by:jrm213jrm213
ID: 40415536
Thanks, will review and see what I can figure out.
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40415537
keep it simple :) just allow legit incoming trafic.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 12

Expert Comment

by:Kent W
ID: 40415575
Currently, do your web servers have public or private IPs? Are they behind NAT, or hanging out in that wild?
0
 
LVL 17

Author Comment

by:jrm213jrm213
ID: 40415695
They have both public and private IP's. I am not sure if they are behind NAT so I am assuming that means no. These are cloud servers.
0
 
LVL 12

Accepted Solution

by:
Kent W earned 400 total points
ID: 40415932
Ok, that clears it up.  You have two options from what I see.  Usually, with cloud servers, you get a public and private IP per cloud server.

The most secure way is to bind your real apache web servers to the private ip, instead of the default "all interfaces".
Then, just name you private IPs as the real backends on your load balancer.  I'm assuming your LB and web servers are all in the same location , and can communicate with each other via the private IPs.
This removes the public IPs from being available to the 'net, and only your LB can send traffic to your backend servers.

Or, as was stated above, simply firewall off your web ports and only allow your LB's IP to access.  

When deciding which way to go, take into account that most cloud servers don't charge for bandwidth talking over the private IP set.  You don't want to pay for bandwidth between your LB and web servers, which you probably are if they are all talking to each other over the public IPs.  Also, many large cloud companies give you more speed on the private network than on the public.  Having your LB talk to your backend servers via the private IP set is usually much more beneficial then going "all public".
0
 
LVL 61

Expert Comment

by:gheist
ID: 40423936
Apache is good load balancer writing out standard logs on its own.
0
 
LVL 17

Author Closing Comment

by:jrm213jrm213
ID: 40594617
Thanks everyone. Sorry it took so long to get back to this.

I have set the firewall using UFW on top of iptables to only allow web traffic on the internal eth adapter and to only accept it from the full possible spectrum of ip's that the load balancers in my hosting location may use. Everything else is blocked by the firewall and I even went so far as to disable eth0 (the public ip address adapter) and everything is working great.
0
 
LVL 61

Expert Comment

by:gheist
ID: 40595235
Very good configuration. You could use apache ACL in place of UFW...
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
AWS EC2 Linux 1 54
VMWare 6 crashing 14 98
How to learn Linux? 10 43
Reset Root Password on CentOS 6 4 44
If your site has a few sections that need to be secure when data is transmitted between the server and local computer, such as a /order/ section for ordering or /customer/ which contains customer data, etc it would of course be recommended to secure…
Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now