• Blocking IP’s while behind an Amazon ELB with Apache

    So Amazon does not allow accept/deny rules on their firewall system which is beyond silly in this day and age, but I digress. If you want to limit access to an apache server behind Amazon’s Elastic Load Balancer, your options are fairly sparse (although there are options).

    One such way to accomplish this is to first allow logging of the IP from the ELB using the X-Forwarded-For header. You can see how to do this here.

    So once you have setup logging of the IP’s in the apache logs, you now want to adjust the site configuration files. We have individual files in /etc/apache2/sites-available, so we add the following to the specific site. You may do something similar or you may have it all in a httpd.conf, or you can even put this into a .htaccess file.

    This is what you add into you <DIRECTORY /siteroot/ > or .htaccess:

    SetEnvIF X-Forwarded-For "(,| |^)XXX\.XXX\.XXX\.XXX(,| |$)" DenyIP
    SetEnvIF X-Forwarded-For "(,| |^)YYY\.YYY\.YYY\.YYY(,| |$)" DenyIP
    SetEnvIF X-Forwarded-For "(,| |^)ZZZ\.ZZZ\.ZZZ\.ZZZ(,| |$)" DenyIP
                    Options Indexes FollowSymLinks MultiViews  #USE WHATEVER SETTINGS YOU WANT HERE
                    AllowOverride All
                    Order allow,deny
                    deny from env=DenyIP #THIS IS WHAT WILL DENY THE IP'S LISTED ABOVE 
                    allow from all

    Those settings above will prevent IP’s XXX.XXX.XXX.XXX, YYY.YYY.YYY.YYY and ZZZ.ZZZ.ZZZ.ZZZ from connecting to the server. Alas this can be circumvented by spoofing the XFF header but it does give a bit of control when you see a single host hammering your servers over and over again.


    1 responses to “Blocking IP’s while behind an Amazon ELB with Apache” RSS icon

    • Tried to do this on a HAProxy with Apache2 and mod_remote IP but it just won’t work.
      The logs are fine, but the deny fails.

    Leave a reply