Created
July 7, 2018 11:12
-
-
Save leedohyung-dba/504323df822d19bcd1145bfe9e52addd to your computer and use it in GitHub Desktop.
前段にWAFがあるWebサーバにmod_rewrite設定した後、特定IPだけ許可する設定の問題点と解決方法 ref: https://qiita.com/leedohyung-dba/items/9bc24a8d289f0c44ae1c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
echo "RemoteIPHeader X-Forwarded-For" > /etc/httpd24/conf.d/mod_remoteip.conf | |
echo "RemoteIPTrustedProxy <WAFのIPアドレス1> <WAFのIPアドレス2>" >> /etc/httpd24/conf.d/mod_remoteip.conf | |
service httpd24-httpd restart |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# 2.2系以前のApache | |
Order deny,allow | |
Deny from all | |
Allow from <WAFのIPアドレス> | |
# 2.4系以降のApache | |
Require all denied | |
Require ip <WAFのIPアドレス> | |
//or | |
# WAFのIPアドレス 以外からのアクセスを拒否 | |
RewriteEngine On | |
RewriteCond %{REMOTE_ADDR} ^(<WAFのIPアドレス1>|<WAFのIPアドレス2>)$ | |
RewriteRule ^.*$ - [F,L] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 80 -j DROP | |
iptables -I INPUT -p tcp -s <WAFのIPアドレス1> --dport 80 -j ACCEPT | |
iptables -I INPUT -p tcp -s <WAFのIPアドレス2> --dport 80 -j ACCEPT | |
iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 443 -j DROP | |
iptables -I INPUT -p tcp -s <WAFのIPアドレス1> --dport 443 -j ACCEPT | |
iptables -I INPUT -p tcp -s <WAFのIPアドレス2> --dport 443 -j ACCEPT | |
service iptables restart |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment