Proxy IP in logs

#1
Hi there,

I'm having an issue where all my logs flag up my load-balancer IP instead of the real visitor IP. This meant that whenever we got a large-scale attack, our load balancers got blacklisted by ModSecurity on the servers.

I just found the option in the LiteSpeed admin, "Use Client IP in Header". We use Amazon Web Services and take advantage of the Elastic Load Balancer.

There is access control on LiteSpeed, but our servers only accept traffic from the load balancer, so am I safe to switch the "Use Client IP in Header" setting on without having it on "Trust IP Only"? On top of this, the load balancer only has a static hostname; the IP is dynamic.

Does this also protect us from spoofing?

Thanks in advance
 

NiteWave

Administrator
#2
If the proxy IP is dynamic, there is only one choice: "Use Client IP in Header: Yes".

> Does this also protect us from spoofing?

Although the IP is dynamic, it should have a range?
Then add the IP range in the firewall and only allow these IPs to access your web server. Spoofing will fail completely.
 
#3
> If the proxy IP is dynamic, there is only one choice: "Use Client IP in Header: Yes".
>
> Although the IP is dynamic, it should have a range?
> Then add the IP range in the firewall and only allow these IPs to access your web server. Spoofing will fail completely.

Thanks for the reply,

Unfortunately, Amazon changes the IP constantly and regularly adds new IPs to the pool. I assume adding the IP to LiteSpeed means it only accepts headers coming from that IP?

We have limited traffic into the servers to the load balancers only, so any traffic is always going to come via the load balancers. I assume this negates the need to whitelist proxy IPs?

Thanks
 

NiteWave

Administrator
#4
No need to whitelist the IP, since you don't know the IP or IP range.

Just try "Use Client IP in Header: Yes"; it does no harm and is safe. Then see if it's OK or if there is any new issue.
 
#6
I have enabled it and it is indeed showing client IPs instead of the load balancer IP.

However, I am easily able to spoof the IP.

See screenshot.

My load balancer adds the client IP to the right, but LiteSpeed chooses the first correct one. Is there a way to change this?

Thanks
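
The difference described in post #6, between reading the first entry of the forwarded header and reading the entry the load balancer appended on the right, shown as an added example that is not part of the thread and is not LiteSpeed's code. The header name `X-Forwarded-For`, the function names, the single trusted hop and all addresses are assumptions; the sample header values are constructed.

```python
import ipaddress

def parse_xff(header):
    """Split an X-Forwarded-For value into its comma-separated entries."""
    return [part.strip() for part in header.split(",") if part.strip()]

def leftmost_entry(header):
    """First entry in the header. It is whatever the client chose to send."""
    entries = parse_xff(header)
    return entries[0] if entries else None

def client_ip(header, peer_ip, trusted_hops=1):
    """Return the address recorded by the outermost trusted proxy.

    Each trusted proxy appends the address it saw connect, so with N trusted
    hops the Nth entry from the right is the last one written by our own
    infrastructure. Entries to its left arrived with the request itself.
    Falls back to the TCP peer when the header is short or not an IP.
    """
    entries = parse_xff(header)
    if len(entries) < trusted_hops:
        return peer_ip
    candidate = entries[-trusted_hops]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer_ip

# Constructed samples: header value as the web server receives it, after
# the load balancer (assumed peer 10.0.1.15) has appended the address it saw.
LB_PEER = "10.0.1.15"
SAMPLES = {
    "normal request":        "203.0.113.7",
    "client sent own entry": "198.51.100.23, 203.0.113.7",
    "client sent junk":      "not-an-ip, 203.0.113.7",
    "header missing":        "",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:22} leftmost={leftmost_entry(value)!s:15} "
              f"rightmost-trusted={client_ip(value, LB_PEER)}")
```

With one load balancer in front, only the rightmost entry is written by infrastructure the server can rely on, which is why the firewall rule restricting inbound traffic to the load balancer matters: it guarantees that entry was appended by the balancer and not by a direct connection.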
 