Hello
I'm trying to protect a webserver from DDoS attacks. The plan for this is
to not publish its IP address anywhere public. DNS records point to a CDN
service like CloudFlare. The CDN will sync to the webserver via a random
entry in the zone, making it "undiscoverable".
The issue I'm facing is that a malicious user would still be able to find
the real server address via Apache's SERVER_ADDR environment variable, e.g.
from a PHP script. I tried using SetEnv / SetEnvIf to change its value or
unset it, but apparently this is not possible. I believe writing a module
to do just that won't work either, since as I understand it, the variable
is set after all modules are processed.
Would it be a good idea to allow SERVER_ADDR to optionally not be set? I
could work on a patch to do this if the idea is considered valid.
Thanks in advance,
Andre