• Blocking IPs while behind an Amazon ELB with Apache

    Amazon's firewall (security groups) only takes allow rules; there is no way to write a deny rule for a specific address, which is beyond silly in this day and age, but I digress. If you want to limit access to an Apache server behind Amazon's Elastic Load Balancer, your options are fairly sparse (although there are options).

    One such way to accomplish this is to first log the real client IP. Because every connection Apache sees comes from the load balancer's own address, the client's address only arrives in the X-Forwarded-For header the ELB adds. You can see how to do this here.

    Once the client IPs are showing up in the Apache logs, adjust the site configuration files. We keep individual files in /etc/apache2/sites-available, so we add the following to the specific site's file. You may do something similar, you may have it all in one httpd.conf, or you can put this into a .htaccess file.

    This is what you add into your <Directory /siteroot/> block (in a .htaccess file use only the directives inside the block; AllowOverride is not permitted there). Note that Apache does not accept comments on the same line as a directive, so the comments sit on their own lines:

    <Directory /siteroot/>
            # Tag any request whose X-Forwarded-For list contains one of the blocked addresses
            SetEnvIf X-Forwarded-For "(,| |^)XXX\.XXX\.XXX\.XXX(,| |$)" DenyIP
            SetEnvIf X-Forwarded-For "(,| |^)YYY\.YYY\.YYY\.YYY(,| |$)" DenyIP
            SetEnvIf X-Forwarded-For "(,| |^)ZZZ\.ZZZ\.ZZZ\.ZZZ(,| |$)" DenyIP
            # Use whatever settings you want here
            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            # This is what will deny the IPs listed above
            Deny from env=DenyIP
            Allow from all
    </Directory>

    Those settings will prevent XXX.XXX.XXX.XXX, YYY.YYY.YYY.YYY and ZZZ.ZZZ.ZZZ.ZZZ from reaching the site. The leading `(,| |^)` and trailing `(,| |$)` in the pattern matter: X-Forwarded-For is a comma-separated list, and without the anchors a rule for 10.0.0.1 would also match 110.0.0.11. A blocked client cannot dodge the rule by spoofing the header itself, because the ELB appends the real source address to the end of whatever X-Forwarded-For value the client sent, and the pattern matches anywhere in the list. The header is only trustworthy, though, when the Apache instances accept traffic solely from the ELB (lock the instance security group down to the load balancer); anything that can reach Apache directly can set X-Forwarded-For to whatever it likes. Two more caveats: `Order`, `Allow` and `Deny` are Apache 2.2 directives and on 2.4 need mod_access_compat loaded, which is one way the logging can work while the deny silently does nothing, and with `Order allow,deny` a request matching both rules is denied, which is what makes the combination above work. It is not a firewall, but it does give a bit of control when you see a single host hammering your servers over and over again.
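    The following is an added example, not code from the original post: a small Python model of what the SetEnvIf pattern does to the X-Forwarded-For values Apache actually receives. The blocked addresses, the client addresses and the ELB behaviour (append the real source to the end of the client-supplied header) are all constructed here for illustration; the addresses come from the RFC 5737 documentation ranges, not from the post.

```python
import re

# Constructed blocklist standing in for the XXX/YYY/ZZZ placeholders in the post.
BLOCKED = ["203.0.113.5", "198.51.100.7"]

# One alternative per address, built the same way as the SetEnvIf patterns:
# the address must be bounded by start-of-header, comma or space on the left
# and comma, space or end-of-header on the right, so 203.0.113.5 does not
# match inside 203.0.113.50.
DENY_RE = re.compile(
    "|".join(r"(,| |^)" + re.escape(ip) + r"(,| |$)" for ip in BLOCKED)
)


def elb_forwarded_for(client_header, client_addr):
    """Model of the ELB's X-Forwarded-For handling (assumption for this example):
    the real source address is appended to whatever value the client sent, or
    becomes the sole value when the client sent no header."""
    if client_header:
        return f"{client_header}, {client_addr}"
    return client_addr


def denied(xff_header):
    """Mirror of `SetEnvIf ... DenyIP` + `Deny from env=DenyIP`:
    True if any blocked address appears as a whole list element."""
    return DENY_RE.search(xff_header) is not None


def decide(client_addr, client_header=None, via_elb=True):
    """Return (header as Apache sees it, whether the request is denied).

    via_elb=False models a client that reaches Apache directly, bypassing the
    load balancer, so the header is exactly what the client chose to send."""
    if via_elb:
        header = elb_forwarded_for(client_header, client_addr)
    else:
        header = client_header or ""
    return header, denied(header)


if __name__ == "__main__":
    cases = [
        # blocked client, no spoofing
        ("203.0.113.5", None, True),
        # look-alike address: the anchors keep it from matching
        ("203.0.113.50", None, True),
        # blocked client spoofs a header; the ELB appends its real address anyway
        ("203.0.113.5", "10.0.0.1", True),
        # innocent client spoofs a blocked address into the header: only hurts itself
        ("192.0.2.9", "198.51.100.7", True),
        # blocked client bypasses the ELB entirely: the header is worthless
        ("203.0.113.5", "10.0.0.1", False),
    ]
    for addr, hdr, elb in cases:
        seen, blocked = decide(addr, hdr, via_elb=elb)
        print(f"client={addr:<14} via_elb={elb!s:<5} X-Forwarded-For={seen!r:<30} denied={blocked}")
```

    Run it as-is to see each case printed. The last case is the one to take away: the deny is only as good as your guarantee that nothing reaches Apache except through the ELB.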

    1 response to “Blocking IPs while behind an Amazon ELB with Apache”

    • Tried to do this on HAProxy with Apache2 and mod_remoteip but it just won’t work.
      The logs are fine, but the deny fails.
