restrict access only to F5 not working - oo tls offloading

OO 2018.12

F5 load balancer behind 2 central nodes. Using a VIP for client and another VIP for RAS.

We need to restrict direct access to the central nodes to only the IP that makes the request (in this example the F5 self IP and localhost).

Adding this line to the server.xml should do the job, but I get a 403 both from the nodes and from the VIP:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1|::1|0:0:0:0:0:0:0:1|172\.31\.218\.250"/>

This is an example of the localhost access log. 172.31.218.250 is the F5 self IP, shown here as the remote IP according to the access log pattern. The hostname in italics (oocentral-test) is the VIP name; in the pattern it is the local server name. The IP 172.31.11.166 is the client IP, referred to by the {X-Forwarded-For}i cookie.

172.31.218.250||-||-||[07/Jul/2020:09:42:14 -0300]||POST||oocentral-test||/oo/j_spring_security_check||?hashSign=/systemWorkspace/topology||HTTP/1.1||403||-||https://oocentral-test/oo/login/login-form||Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36||JSESSIONID=452F4431602ADF2B1D13B8F60DDA2480; X-CSRF-TOKEN-OO=4bd5c4ec-2cf1-428f-ab81-7d7e5328b756; BIGipServerOperations_Orchestration_POOL=1121656748.47873.0000||172.31.218.250||172.31.11.166||

server.xml logging valve configuration

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="${oo.home}/var/logs" prefix="access_log" suffix=".txt" pattern="%h||%l||%u||%t||%m||%v||%U||%q||%H||%s||%b||%{Referer}i||%{User-Agent}i||%{Cookie}i||%a||%{x-forwarded-for}i||%{x-forwarded-by}i"/>

I also configured the RemoteIpValve with internalProxies, but no luck. In the access log the IP 172.31.218.250 is the remote one that makes all the requests, confirmed with access log analysis, the networking area and packet captures.

Where could the error be in filtering this IP? Without this, we can't implement TLS offloading, because a user could access the node directly instead of going through the F5 VIP.


Thanks!
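Added example (not part of the original post, and not OO's or Tomcat's own code): a small Python model of the two Tomcat valves involved, run against the 403 log line and the AccessLogValve pattern quoted in the post. It splits the log line into its named fields, applies the RemoteAddrValve rule (in Tomcat's RequestFilterValve the allow regex must match the whole remote address), and shows what the same allow list does when a RemoteIpValve placed before it has already replaced the remote address with the X-Forwarded-For client. The internalProxies value is an assumption (the post does not show it); the log line, the pattern and the allow list are copied from the post.

```python
import re

# --- Data copied from the post: the AccessLogValve pattern and the 403 request line ---
ACCESS_LOG_PATTERN = ("%h||%l||%u||%t||%m||%v||%U||%q||%H||%s||%b||%{Referer}i||"
                      "%{User-Agent}i||%{Cookie}i||%a||%{x-forwarded-for}i||%{x-forwarded-by}i")
LOG_LINE = ("172.31.218.250||-||-||[07/Jul/2020:09:42:14 -0300]||POST||oocentral-test||"
            "/oo/j_spring_security_check||?hashSign=/systemWorkspace/topology||HTTP/1.1||403||-||"
            "https://oocentral-test/oo/login/login-form||Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
            "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36||"
            "JSESSIONID=452F4431602ADF2B1D13B8F60DDA2480; "
            "X-CSRF-TOKEN-OO=4bd5c4ec-2cf1-428f-ab81-7d7e5328b756; "
            "BIGipServerOperations_Orchestration_POOL=1121656748.47873.0000||"
            "172.31.218.250||172.31.11.166||")

# RemoteAddrValve allow list, copied from the post.
ALLOW = r"127\.0\.0\.1|::1|0:0:0:0:0:0:0:1|172\.31\.218\.250"
# ASSUMPTION: internalProxies for the RemoteIpValve is the F5 self IP (not shown in the post).
INTERNAL_PROXIES = r"172\.31\.218\.250"


def parse_access_log_line(line, pattern=ACCESS_LOG_PATTERN):
    """Map each '||'-separated field of one log line to its pattern token."""
    names = pattern.split("||")
    values = line.split("||")
    if len(names) != len(values):
        raise ValueError(f"expected {len(names)} fields, got {len(values)}")
    return dict(zip(names, values))


def remote_addr_valve_allows(remote_addr, allow=ALLOW, deny=None):
    """Model of Tomcat's RequestFilterValve decision used by RemoteAddrValve:
    deny is checked first, then allow; each regex must match the ENTIRE address."""
    if deny is not None and re.fullmatch(deny, remote_addr):
        return False
    if allow is not None:
        return re.fullmatch(allow, remote_addr) is not None
    # Only a deny list is configured and it did not match: permit.
    return deny is not None


def effective_remote_addr(peer_addr, x_forwarded_for, internal_proxies=INTERNAL_PROXIES):
    """Model of RemoteIpValve: if the TCP peer is an internal proxy, the request's
    remote address becomes the right-most X-Forwarded-For hop that is not itself an
    internal proxy (simplified: trustedProxies is ignored)."""
    if not re.fullmatch(internal_proxies, peer_addr):
        return peer_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not re.fullmatch(internal_proxies, hop):
            return hop
    return peer_addr


def evaluate(line, remote_ip_valve_first):
    """Return (address the RemoteAddrValve evaluates, allowed?) for one log line.
    %h (equal to %a in the post's line) is treated as the TCP peer address."""
    fields = parse_access_log_line(line)
    addr = fields["%h"]
    if remote_ip_valve_first:
        addr = effective_remote_addr(fields["%h"], fields["%{x-forwarded-for}i"])
    return addr, remote_addr_valve_allows(addr)


if __name__ == "__main__":
    for first in (False, True):
        addr, ok = evaluate(LOG_LINE, first)
        print(f"RemoteIpValve before RemoteAddrValve={first}: "
              f"valve checks {addr} -> {'allow' if ok else '403'}")
```

Run as a script it prints the address the RemoteAddrValve evaluates for each valve order. With the allow list alone, the F5 self IP 172.31.218.250 matches and the request is permitted; with a RemoteIpValve ahead of it, the address checked is the X-Forwarded-For client 172.31.11.166, which the allow list rejects, so the order of the two valves in server.xml is one thing worth verifying when a request arriving from the F5 self IP still gets a 403.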
