How can I add IP to my mod_security "whitelist.file" when all IPS begins like that 90.12.131. will be open?
I try to add ^ before IP but it dosn't work.
^90.12.131
Please, Someone?
Thanks,
Oz.
SecRule REMOTE_ADDR "^90\.12\.131" "phase:1,nolog,allow"
or
SecRule REMOTE_ADDR "#ipMatch 90.12.131.0/24" "phase:1,nolog,allow"
write in a file,like this
whitelist.file,a dot end with it
90.12.131.
SecRule REMOTE_ADDR "#pmf whitelist.file" "phase:1,nolog,allow"
Related
I've written a NGINX whitelister service inside my K8 cluster. Because everything entering the cluster goes through the load balancer, I had to whitelist the forwarded IP address instead of the source IP directly.
In testing, I hardcoded it like this in the NGINX config:
set_real_ip_from x.x.x.x;
real_ip_header X-Forwarded-For;
Where x.x.x.x was the IP of the load balancer.
This worked.
I can't hardcode the IP in the actual deployment, so I was hoping to use the kube-dns service, like I used for the proxy_pass:
resolver kube-dns.kube-system.svc.cluster.local;
proxy_pass http://{service}.{namespace}.svc.cluster.local:$server_port;
Which also works.
However, this DNS lookup doesn't seem to work for set_real_ip_from:
resolver kube-dns.kube-system.svc.cluster.local;
set_real_ip_from {load balancer service}.kube-system.svc.cluster.local;
real_ip_header X-Forwarded-For;
When I run this, I just get access forbidden by rule, client: x.x.x.x(it's not in the whitelist), where x.x.x.x is the load balancer's IP. That kinda makes sense, since set_real_ip_from probably doesn't know to lookup the IP.
Is it possible to have NGINX do a DNS lookup for the forwarder address?
If not, maybe someone has a better way to do this.
Thanks!
I guess I just needed to sleep on this. Much simpler than I was making it.
I know the range that the load balancer should fall into, so I can just do a CIDR block for set_real_ip_from.
For example:
set_real_ip_from 10.60.0.0/16;
real_ip_header X-Forwarded-For;
And there is no need for a DNS lookup.
I work on one website which is travel blog and there is sub section mytravelsite.com/tickets which is whitelabel and everything under that mytravelsite.com/tickets/fares and other pages are pointing to another ip and this works fine.
But now i would like to switch and now main site to be mytravelsite.com which would be whitelabel from mytravelsite.com/tickets but without /tickets in url but still keep my blog so another trouble is that whitelabel don't have robots.txt so this i would have to serve too from my hosting.
So in the end i have hosting with 10.1.1.1 ip and whitelabel that resolve to 10.10.10.10 ip
What i need is:
everything under mytravelsite.com/blog to resolve to my hosting and my hosted website on 10.1.1.1
and also mytravelsite.com/robots.txt and mytravelsite.com/sitemap.xml to resolve to my hosting on 10.1.1.1
and everything else to resolve to the whitelabel at 10.10.10.10
i am guessing that this can be done either with some dns setup or nginx proxy or rewrite rules but everything i searched on internet for last 2 days ended up in failure.
DNS only considers the name, i.e. the part before the slash. You have always mytravelsite.com, so this can't be done purely in DNS.
I know this isn't a real/full answer.
I would try to solve it using proxy.
The included snippet is not a configuration of nginx but of an apache as I don't have similar setup for nginx within my reach now. But I believe it can be useful starting point though.
<VirtualHost 10.10.10.10:80>
ServerName mytravelsite.com
ProxyPreserveHost On
ProxyPass /blog/ http://10.1.1.1/ retry=1 timeout=600 keepalive=On
ProxyPassReverse /blog/ http://10.1.1.1/
ProxyPass /robots.txt http://10.1.1.1/ retry=1 timeout=600 keepalive=On
ProxyPassReverse /robots.txt http://10.1.1.1/
ProxyPass /sitemap.xml http://10.1.1.1/ retry=1 timeout=600 keepalive=On
ProxyPassReverse /sitemap.xml http://10.1.1.1/
</VirtualHost>
Notes:
10.*.*.* is a local-only network, so the 10.10.10.10 within the
virtualhost header is just for an illustration on what server this
definition should be put.
It also will not be working out of the box - just start here and
iterate to a final solution
You have not defined how could "your hosted website" be identified, therefore it is missing in the example
I have an nginx instance behind apache. I have a rewrite in apache to pass the REMOTE_USER through to the backend:
<Proxy *>
...
RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER}]
RequestHeader add Proxy-User %{PROXY_USER}e
RequestHeader add Remote-User %{PROXY_USER}e
</Proxy>
So in my backend nginx instance, i can see the env variables HTTP_PROXY_USER and HTTP_REMOTE_USER. Good.
Rather than fork off my authentication code to pick up HTTP_REMOTE_USER rather than REMOTE_USER, is there a way i can force nginx to rewrite the header for me?
I'm having some(a lot of) difficulties, trying to setup a reverse proxy for Kibana.
The general idea is that we want to set up a reverse proxy so select customers have access to Kibana. E.g. when customer A goes to "kibana.company.com/ customera" he is automatically forwarded to Kibana and has access to logistics about their data. We have multiple customers we need to proxy, so eventually we will set up ldap or AD, to help us handle this.
So far i've tried both Apache2 and Nginx, but i've run into problems using both of them. I'm currently working on Apache, with a very simple configuration.
http://pastebin.com/1gt5KLyP
When i go to localhost/kibana/ i'm forwarded to localhost/app/kibana, but i get a URL not found message.
As far as NginX goes, i run into a problem where i forward to Kibana, but it get's indefinitely stuck in a loading loop. ("Kibana is loading blablabla... good stuff will be cached"), but i never actually shows the dashboard, no matter which configuration i tried, i could never get the dashboard to show. This is a sample config, but it's changed a lot during testing.
http://pastebin.com/PP4Fu1Cs
Am i going about it the right way or is their a simpler way to do what i'm trying to do.
EDIT: I'm now getting the same results with Apache after adding
ProxyPass /kibana/ http:// ip /app/kibana
ProxyPassReverse /kibana/ http:// ip /app/kibana
Can you do a FIDDLER and see where it is stuck.
I did a Reverse Proxy using Apache with the following config successfully.
ProxyPreserveHost ON
ProxyPass /portal1 http://IP1/home
ProxyPassReverse /portal2 http://IP2/home
These are the modules I loaded
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
<IfModule mod_proxy.c>
ProxyVia On
<Proxy *>
Order Allow,Deny
Allow from all
</Proxy>
</IfModule>
To get rid of the problem where Kibana is stuck forever on the loading screen, you can try the following:
Stop the Kibana service, on Ubuntu:
sudo service kibana stop
Delete optimize/bundles directory:
sudo rm -rf /opt/kibana/optimize/bundles
Start the Kibana service, on Ubuntu:
sudo service kibana start
Wait for a minute or so before reloading the browser (you can keep an eye on the log at /var/log/kibana.log to see when the server is ready again).
I think your proxy is blocking some of kibana's requests. Check in your browser inspector all requests and responses there shouldn't be any errors.
There is a simple configuration in nginx:
location ~ (|/app/kibana|/bundles/|/status|/plugins|/elasticsearch/|) {
proxy_pass http://kibana:5601;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
rewrite /(.*)$ /$1 break;
}
If you want to show just charts without any additional buttons and panels, just add ?embed=true parameter to your url e.g.
http://kibana/app/kibana#/visualize/edit/chart?embed=true&_g=(refreshInterval:(display:Off,pause:!f,value:0),...
Is it possible to specify which source IP address nginx will use when connecting to upstream?
Basically something like tcp_outgoing_address in squid.
Edit
Goal is to have something like tcp_outgoing_address $server_addr; under location or server block in nginx configuration, so same ip would be used connecting to upstream as $server_addr variable.
There's proxy_bind directive for that.