I have an apache2 vHost configuration with ProxyPass / ProxyPassReverse and need to restrict the access to some static IP addresses and to all Pingdom IP addresses.
The list of Pingdom IP addresses is a file list with one IP address per line:
5.172.196.188
5.178.78.77
13.232.220.164
23.22.2.46
23.83.129.219
23.111.152.74
.
.
.
The full IP address list can be found at https://my.pingdom.com/probes/ipv4.
I have downloaded the Pingdom IP address list, as I did not find any solution for reading the list directly from their web site.
Allow/Deny works as expected as long as I have not configured the Allow from env=PINGDOM line. As soon as I add the above-mentioned configuration line, all client IP addresses are able to reach the site.
<VirtualHost *:443>
ServerAdmin contact@example.com
ServerName site.example.com
RewriteEngine on
RewriteMap allowed "txt:/var/www/pingdom_ip_addresses"
UnsetEnv PINGDOM
RewriteCond ${allowed:%{REMOTE_ADDR}} ""
RewriteRule ^ - [E=PINGDOM]
<Proxy *>
Order Deny,Allow
Deny from all
# Static IPs
Allow from 1.2.3.10/32
Allow from 1.2.3.20/32
# Pingdom
Allow from env=PINGDOM
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://localhost:8080/example-site/
ProxyPassReverse / http://localhost:8080/example-site/
SSLEngine ON
SSLCertificateFile /etc/letsencrypt/live/site.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/site.example.com/privkey.pem
</VirtualHost>
Found a similar solution here: https://stackoverflow.com/a/53012839
But there, the IP address list file has a 1 next to each IP address. The Pingdom list does not have this.
What does my rule need to look like to work as expected?
I have found a working solution.
I have configured the following cronjob to get the current Pingdom probes IPv4 list every hour:
PATH=/usr/local/bin:/usr/bin:/bin
0 * * * * www-data wget -t 1 -T 1 https://my.pingdom.com/probes/ipv4 -q -O - | sed -e 's/$/ 1/' > /var/www/pingdom_ip_addresses
The Apache vHost configuration now looks like this:
<VirtualHost *:443>
ServerAdmin contact@example.com
ServerName site.example.com
RewriteEngine on
UnsetEnv PINGDOM
RewriteMap allowed "txt:/var/www/pingdom_ip_addresses"
RewriteCond ${allowed:%{REMOTE_ADDR}} 1
RewriteRule ^ - [E=PINGDOM]
<Proxy *>
Order Deny,Allow
Deny from all
# Static IPs
Allow from 1.2.3.10/32
Allow from 1.2.3.20/32
# Pingdom
Allow from env=PINGDOM
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://localhost:8080/example-site/
ProxyPassReverse / http://localhost:8080/example-site/
SSLEngine ON
SSLCertificateFile /etc/letsencrypt/live/site.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/site.example.com/privkey.pem
</VirtualHost>
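As an added example (not part of the answer above), the following POSIX shell script builds the RewriteMap txt file the same way the cronjob does, appending " 1" to every address, but also drops lines that are not IPv4 addresses, writes the map atomically, and refuses to replace the live map with an empty one, so a failed download cannot silently remove every Pingdom probe from the allow list. File paths and the sample list are constructed for the example.

```shell
#!/bin/sh
# Build an Apache RewriteMap "txt:" file from a one-IP-per-line list.
# Each output line is "<ip> 1" so that
#   RewriteCond ${allowed:%{REMOTE_ADDR}} 1
# only matches addresses that are actually present in the list.
# Assumptions: POSIX sh with grep, sed, awk and mv; paths below are
# constructed for the example, not the paths used on a real host.

# Convert a raw list into RewriteMap txt format on stdout, keeping only
# syntactically valid IPv4 addresses and dropping blank or junk lines.
to_rewritemap() {
    grep -E '^[[:space:]]*([0-9]{1,3}\.){3}[0-9]{1,3}[[:space:]]*$' "$1" \
        | sed -e 's/[[:space:]]//g' -e 's/$/ 1/'
}

# Replace the live map atomically; refuse to install an empty map so a
# failed download leaves the previous allow list in place.
install_map() {
    src="$1"; dest="$2"
    tmp="$dest.tmp.$$"
    to_rewritemap "$src" > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "refusing to install empty map; keeping $dest" >&2
        return 1
    fi
    mv -f "$tmp" "$dest"
}

# Look an address up the way the RewriteCond does: prints 1 when allowed,
# an empty string otherwise.
lookup() {
    awk -v ip="$1" '$1 == ip { print $2; found = 1 } END { if (!found) print "" }' "$2"
}

# Constructed sample input: two valid entries, one blank line, one junk line.
SAMPLE_LIST="${TMPDIR:-/tmp}/pingdom_sample.$$"
MAP_FILE="${TMPDIR:-/tmp}/pingdom_ip_addresses.$$"
printf '5.172.196.188\n\nnot-an-ip\n23.22.2.46\n' > "$SAMPLE_LIST"
install_map "$SAMPLE_LIST" "$MAP_FILE"
```

In the cronjob, pipe the wget output into a file first and call install_map on it instead of redirecting straight into the map, so an empty or partial download is rejected rather than served to Apache.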