3

I'm using an IP collection in a load balanced setup, I therefor want mod_security to act on the x-forwarded for header instead of the REMOTE_ADDR. Here is my rule:

SecAction "phase:1,nolog,pass,initcol:IP=%{REQUEST_HEADERS.x-forwarded-for}"
SecAction "nolog,phase:1,setvar:IP.hitcount=+1,deprecatevar:IP.hitcount=100/15"
SecRule IP:hitcount "@gt 600" "nolog,drop,phase:1,msg:'Possible DoS'"

No matter what I set the key to after the IP= i get the load balancer IP through which will obviously ban everybody. Is this a bug or am I donig something wrong? I even hard coded the key to 1.1.1.1 and it STILL set the load balancer IP in the ip.pag file. HELP! :]

Caseus
  • 73
  • 5

2 Answers2

3

I found the problem. I was putting this rule in the local rules file which is the last thing to be set. The IP collection had already been initialised by another rule which took precedence.

The solution was to move the top line (the one with initcol in) to the top of the mod_security config so that all references to the IP collection use the x-forwarded-for key that I have set rather than the default REMOTE_ADDR.

I hope this saves someone else out there a morning of pulling their hair out! :]

Ladadadada
  • 26,337
  • 7
  • 59
  • 90
Caseus
  • 73
  • 5
0

I also researched the problem with mod_security behind a proxy/load balancer. You could try mod_rpaf or mod_extract_forwarded2 so you don't have to adjust your rules.

See http://blog.modsecurity.org/2007/09/index.html

KCD
  • 958
  • 3
  • 12
  • 24