Solved

Apache webservers behind load balancer - restrict them to only serving traffic to the load balancer

Posted on 2014-10-30
11
179 Views
Last Modified: 2015-02-06
Hi, we have a few apache webservers behind a couple of load balancers.

I would like to make sure that the only web traffic that occurs is coming from the load balancers... So basically I don't want someone who knows the IP-Address of the server to be able to send http/https requests to the server via it's ip address instead of going through one of the load balancers.

I am guessing it isn't overly complicated to do this, I just need to know how to do it. We are running Apache on a Debian Linux system.

Thanks!
0
Comment
Question by:jrm213jrm213
  • 3
  • 3
  • 3
  • +1
11 Comments
 
LVL 7

Assisted Solution

by:Stampel
Stampel earned 100 total points
ID: 40413513
In the firewall, you may only allow the load balancer IP to access apache port 80
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40413558
Something like :
iptables -A INPUT -s ip.address.of.LB -p tcp --dport http -j ACCEPT
0
 
LVL 12

Assisted Solution

by:Kent W
Kent W earned 400 total points
ID: 40413687
Here's how I do it.  Let's say your normal IP range is 192.168.1.0/24.  

Load Balancer - public eth0 -  192.168.1.10
Load Balancer - private eth1 - 192.168.10.10 (Add this so you can "talk" to other things with the same subnet)

Actual web servers "listening" IP, put them on the same network as your "private" above, say 192.168.10.20, 192.168.10.21, etc.

Setup your Virtual server on an IP from your 192.168.1.0 network (like 1.10 above), then when you add the backends, you add a private 10.0 based ip (like 192.168.10.20).

Point your DNS to the public IP on the virtual server you setup, and the LB will talk to the real web servers on the "private" IP range.  

Pretty simple, and works great.  You can also do this with one NIC, but then all traffic flows thorough it.  Remember, on your "private" range, don't worry about a Gateway.  You will be using host-to-host since your eth1 and real web servers are talking via the 10.0 network.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 17

Author Comment

by:jrm213jrm213
ID: 40415536
Thanks, will review and see what I can figure out.
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40415537
keep it simple :) just allow legit incoming trafic.
0
 
LVL 12

Expert Comment

by:Kent W
ID: 40415575
Currently, do your web servers have public or private IPs? Are they behind NAT, or hanging out in that wild?
0
 
LVL 17

Author Comment

by:jrm213jrm213
ID: 40415695
They have both public and private IP's. I am not sure if they are behind NAT so I am assuming that means no. These are cloud servers.
0
 
LVL 12

Accepted Solution

by:
Kent W earned 400 total points
ID: 40415932
Ok, that clears it up.  You have two options from what I see.  Usually, with cloud servers, you get a public and private IP per cloud server.

The most secure way is to bind your real apache web servers to the private ip, instead of the default "all interfaces".
Then, just name you private IPs as the real backends on your load balancer.  I'm assuming your LB and web servers are all in the same location , and can communicate with each other via the private IPs.
This removes the public IPs from being available to the 'net, and only your LB can send traffic to your backend servers.

Or, as was stated above, simply firewall off your web ports and only allow your LB's IP to access.  

When deciding which way to go, take into account that most cloud servers don't charge for bandwidth talking over the private IP set.  You don't want to pay for bandwidth between your LB and web servers, which you probably are if they are all talking to each other over the public IPs.  Also, many large cloud companies give you more speed on the private network than on the public.  Having your LB talk to your backend servers via the private IP set is usually much more beneficial then going "all public".
0
 
LVL 62

Expert Comment

by:gheist
ID: 40423936
Apache is good load balancer writing out standard logs on its own.
0
 
LVL 17

Author Closing Comment

by:jrm213jrm213
ID: 40594617
Thanks everyone. Sorry it took so long to get back to this.

I have set the firewall using UFW on top of iptables to only allow web traffic on the internal eth adapter and to only accept it from the full possible spectrum of ip's that the load balancers in my hosting location may use. Everything else is blocked by the firewall and I even went so far as to disable eth0 (the public ip address adapter) and everything is working great.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40595235
Very good configuration. You could use apache ACL in place of UFW...
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Little introduction about CP: CP is a command on linux that use to copy files and folder from one location to another location. Example usage of CP as follow: cp /myfoder /pathto/destination/folder/ cp abc.tar.gz /pathto/destination/folder/ab…
The purpose of this article is to demonstrate how we can use conditional statements using Python.
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question