Forum

Hi,

if both options HideProxy (set to the IP of the reverse proxy) and RequestLimitMask (deny "some public IPs X") are set, I see the real client-remote IPs X in my logfiles (which is as it should be), but RequestLimitMask seems not to be applied on these IPs X ... setting RequestLimitMask to the reverse proxy IP everything is fine. The reverse proxy handles multiple sites, so we are also filtering on the "backend webserver", since setting RequestLimitMask on the reverse proxy would be applied to all vhosts handled by the reverse proxy.

Cheers

The HideProxy option also makes sure the specified IP will not be blocked. So, there is no need to set RequestLimitMask.

Than if have a problem in understanding the following:
User (IP X) => ReverseProxy (hiawatha, IP Y) => Webserver (hiawatha, IP Z, HideProxy set to IP Y)

User accesses Website, some can see IP X in the logs on the Webserver, but the user gets blocked caused by SQLi. Usually you can set RequestLimitMask to ignore this feature (and some other variables) for certain IPs !? But according to your post, the block should not happen?

I don't understand what's going on. You're mixing up several things. You say the user gets blocked caused by SQLi. That's a good thing, not? But, where is the SQLi detected? At the webserver? You better move that check to the reverse proxy.

Hiawatha only checks for a ban right after a client connects. When it's the reverse proxy that connects, no dropping of the connection will be done when the HideProxy option is set. There is no point at dropping the connection from a valid reverse proxy. It's the reverse proxy that should have dropped the connection with the actual client.

Question: Why setting up a reverse proxy when both the reverse proxy and the webserver are both Hiawatha?

Sorry for the delay. The scenario for using a hiawatha reverse proxy and also a hiawatha webserver is simple....the reverse proxy is responsible for multiple sites which are running an different servers providing different services which have a hiawatha running. Since I like hiawatha, I have no need to use an oversized apache or other stuff for this purpose.

The SQLi is detected (it is a false positive) on the webserver and at this point the RequestLimitMask option set on the webserver is ignored, although hideProxy is set.
In my understanding hideProxy makes it possible to see the real IP of the client and I thought RequestLimitMask on the backend webserver will also be able to use this real IP instead of the IP of the reverse proxy only. I will set PreventSQLi to detection mode.