mod_ban whitelisting does not work for connections using mod_proxy_protocol #32

Open
jb-boin opened this issue Dec 27, 2024 · 1 comment

jb-boin commented Dec 27, 2024

I have connections coming in to a backend ProFTPD from another ProFTPD that uses mod_proxy as a reverse proxy, using the proxy protocol V2.
Both are running the same ProFTPD version from Debian 12 packages (1.3.8+dfsg-4+deb12u4); the backend only has a private IP address.

I'm using similar mod_ban rules on both servers and have whitelisted on both the IP of a client that should not be subjected to mod_ban rules.

The whitelist works on the front but does not seem to be applied on the backend.

Part of the configuration that is common to both and related to mod_proxy_protocol and mod_ban:

<Class expect-proxy-protocol>
    From 10.150.225.35
    From 10.150.225.62
</Class>
<IfModule mod_proxy_protocol.c>
    <IfClass expect-proxy-protocol>
        ProxyProtocolEngine on
        ProxyProtocolVersion haproxyV2
        AllowForeignAddress expect-proxy-protocol
    </IfClass>
</IfModule>
[...]
<IfModule mod_ban.c>
    <Class whitelist>
        From 185.200.5.161
        From 195.124.11.238
    </Class>
    <IfClass whitelist>
        BanEngine off
    </IfClass>
    <IfClass !whitelist>
        BanEngine on
        BanLog /var/log/proftpd/ban.log
        BanTable /dev/shm/proftpd-ban.tab
        BanOnEvent ClientConnectRate 20/00:01:00 00:01:30
    </IfClass>
</IfModule>

The LoadModule order is similar on both servers (but the front has mod_proxy_protocol commented out and the back has mod_proxy commented out):

LoadModule mod_ban.c
LoadModule mod_proxy.c
LoadModule mod_proxy_protocol.c
LoadModule mod_ifsession.c

Then, after 20 connections from 195.124.11.238 through the reverse proxy, the backend triggers the ban:

added ClientConnectRate-triggered autoban for host '195.124.11.238'

Meanwhile, the whitelist works as expected on the reverse proxy: the IP gets banned only if I comment it out of the whitelist Class.

I found a way to avoid the ban by replacing <IfClass whitelist> with <IfClass AND !whitelist !expect-proxy-protocol>, but in that case any connection coming through the reverse proxy will be whitelisted, not only the ones originating from whitelisted IPs.
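The two addresses involved, as an added illustration that is not ProFTPD or mod_proxy_protocol code: a small PROXY protocol v2 header parser plus the issue's two Classes, evaluated against both the TCP peer address the backend accepts the connection from and the client address carried inside the header. The sample connection (ports, the 10.150.225.10 destination) is constructed; which of these two addresses the backend's class matching uses is what this issue turns on.

```python
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 signature

EXPECT_PROXY = ["10.150.225.35", "10.150.225.62"]   # <Class expect-proxy-protocol> from the issue
WHITELIST = ["185.200.5.161", "195.124.11.238"]     # <Class whitelist> from the issue


def build_pp2_header(src_ip, dst_ip, src_port, dst_port):
    """Build a PROXY v2 header (PROXY command, TCP over IPv4) for a constructed sample connection."""
    addrs = ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
    addrs += struct.pack("!HH", src_port, dst_port)
    # 0x21 = version 2 + PROXY command; 0x11 = AF_INET + STREAM; then the address block length.
    return PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(addrs)) + addrs


def parse_pp2_header(data):
    """Return (src_ip, dst_ip, src_port, dst_port) carried by a TCP/IPv4 PROXY v2 header."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd != 0x21:
        raise ValueError("only version 2 with the PROXY command is handled here")
    if fam_proto != 0x11:
        raise ValueError("only TCP over IPv4 is handled in this example")
    if length < 12 or len(data) < 16 + length:
        raise ValueError("truncated address block")
    src, dst, sport, dport = struct.unpack("!4s4sHH", data[16:28])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), sport, dport


def in_class(ip, members):
    """Mimic <Class> 'From' matching: each entry is a single address or a CIDR block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(m, strict=False) for m in members)


def classify(peer_ip, header):
    """Evaluate the classes against both the TCP peer and the PROXY-carried client address."""
    client_ip = parse_pp2_header(header)[0]
    return {
        "peer_ip": peer_ip,
        "client_ip": client_ip,
        "expect_proxy_matches_peer": in_class(peer_ip, EXPECT_PROXY),
        "whitelist_matches_peer": in_class(peer_ip, WHITELIST),      # what a peer-based check sees
        "whitelist_matches_client": in_class(client_ip, WHITELIST),  # what the whitelist intends
    }


if __name__ == "__main__":
    # Constructed sample: whitelisted client 195.124.11.238 arrives via the proxy at 10.150.225.35.
    hdr = build_pp2_header("195.124.11.238", "10.150.225.10", 51234, 21)
    print(classify("10.150.225.35", hdr))
```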

@Castaglia (Owner)

Do you happen to have logs (debug, trace) from both the proxy deployment, and the backend server? In particular, I'm hoping to see the use of the PROXY protocol, for the specific client in question, in both sets of logs, to help see why it is not working as expected. Thanks!

Castaglia self-assigned this Jan 8, 2025