archiecobbs/mod-authn-otp

Use mod-authn-otp with AWS ALB

cleonte opened this issue · 8 comments

Hi,

I would like to use mod otp with AWS ALB (application load balancer), but I can't, since I see in the logs the IP of the load balancer instead of the IP of the client. Any workaround for this?

Cheers

This is a very good question, since it also applies to reverse proxy setups.
I am also interested in the answer. ;-)

I'm not sure I'm understanding the problem... you say:

I see in the logs the IP of the load balancer instead of the IP of the client

How does this prevent you from using the module?

The thing is, my config works like this:

for people with some IP we ask them for OTP, and for people with a trusted IP we don't ask for OTP,

and since in Apache we will see only the load balancer IP, we can't distinguish between real people and the load balancer.

Cheers

@cleonte in this case you have to add X-Forward* headers on the load balancer...

And I can use it on the OTP module?

The X-Forwarded-For header is likely already being added by the load balancer. Check your AWS docs.

@cleonte I'm pretty sure you can configure Apache to only apply OTP authentication if the X-Forwarded-For header doesn't match some regular expression.

Thank you for your help, will try to see if I can use that.
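
An added example, not part of the thread or the mod-authn-otp project: one way to set up the behaviour discussed above in Apache 2.4, using mod_remoteip so that `Require ip` evaluates the client address reported by the load balancer rather than the balancer's own. The ALB subnet 10.0.0.0/16, the trusted range 203.0.113.0/24, the `/protected` location and the users file path are assumptions.

```apache
# Added example (not from the thread). Needs mod_remoteip, mod_authz_core,
# mod_authz_host, mod_auth_basic and mod_authn_otp loaded.
# All addresses and paths are constructed placeholders.

# Take the client address from X-Forwarded-For, but only when the TCP peer
# is the load balancer itself (assumed ALB subnet: 10.0.0.0/16). Requests
# arriving from any other peer keep their real connection address, so a
# header sent directly to Apache is ignored.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.0.0/16

<Location "/protected">
    AuthType Basic
    AuthName "OTP required"
    AuthBasicProvider OTP
    OTPAuthUsersFile /etc/httpd/otp/users

    # Clients in the trusted range (assumed: 203.0.113.0/24) are let in
    # without a prompt; everyone else must pass OTP authentication.
    <RequireAny>
        Require ip 203.0.113.0/24
        Require valid-user
    </RequireAny>
</Location>

# Alternative without mod_remoteip: match the raw header, as suggested in
# the thread. By default the ALB appends the address it saw to whatever
# X-Forwarded-For value the client sent, so only the LAST entry is set by
# the balancer. The pattern is therefore anchored to the end of the header;
# an unanchored match would also accept a client-supplied first entry.
#
# <RequireAny>
#     Require expr "%{HTTP:X-Forwarded-For} =~ /(^|,\s*)203\.0\.113\.\d+$/"
#     Require valid-user
# </RequireAny>
```

Either variant is only as strong as the network path: Apache should accept connections solely from the load balancer (security group or firewall rule), otherwise the header-matching variant can be satisfied by anyone who reaches the server directly.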