
ModSecurity is an application-level firewall (a web application firewall) that protects websites by inspecting HTTP requests and blocking those that match 'suspicious' patterns. Occasionally you will want to 'whitelist' an IP address so that requests originating from it are not blocked by ModSecurity. For example, you would not want your monitoring server to be banned because ModSecurity suspects it of performing a DDoS attack.

This is trivial to implement using the following rule:

SecRule REMOTE_ADDR "^111\.222\.333\.444$" "id:2,phase:1,nolog,allow,ctl:ruleEngine=off"

Behind a load balancer, REMOTE_ADDR cannot be used, because it contains the load balancer's IP address rather than the client's. The usual solution is to use the 'X-Forwarded-For' request header, which carries the chain of IP addresses the request has passed through. ModSecurity can access the X-Forwarded-For header like so:

SecRule REQUEST_HEADERS:X-Forwarded-For "@contains 111.222.333.444" "id:1,phase:1,log,allow,ctl:ruleEngine=off"

The rule above disables ModSecurity scanning for any request whose X-Forwarded-For header contains the IP address 111.222.333.444.
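Because X-Forwarded-For is an ordinary request header, any client can send one containing 111.222.333.444 and switch the rule engine off for its own requests. The following is an added example, not from the original post: the rule as written next to a hardened version that only trusts the header when the request really arrived from the load balancer (assumed here to be 10.0.0.5) and matches the address the load balancer appended (the rightmost entry) exactly.

```apache
# Added example (not from the original post). 10.0.0.5 is an assumed
# load balancer address; 111.222.333.444 is the page's placeholder client IP.

# As written: matches the string anywhere in a header the client controls,
# so anyone can add "X-Forwarded-For: 111.222.333.444" and bypass scanning.
SecRule REQUEST_HEADERS:X-Forwarded-For "@contains 111.222.333.444" \
    "id:3,phase:1,log,allow,ctl:ruleEngine=off"

# Hardened: chain two conditions (logical AND).
#  1. The TCP peer must be the load balancer; otherwise the header is ignored.
#  2. The address the load balancer appended (the rightmost X-Forwarded-For
#     entry) must be exactly 111.222.333.444. Dots are escaped and the match
#     is anchored to the end of the header, so "111.222.333.4441" or a
#     client-supplied entry earlier in the list does not match.
# ctl:ruleEngine=off sits on the last link of the chain because non-disruptive
# actions on the chain starter run as soon as that rule alone matches.
SecRule REMOTE_ADDR "@ipMatch 10.0.0.5" \
    "id:4,phase:1,log,allow,chain"
    SecRule REQUEST_HEADERS:X-Forwarded-For "@rx (^|,\s*)111\.222\.333\.444\s*$" \
        "ctl:ruleEngine=off"
```

Use one of the two forms, not both: the weak rule is shown only for contrast, and a request that matches it would never reach the hardened chain.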