Author: D.-6 (17 Jul 15 7:32pm)
Like many server admins who suffer from congestion, we decided to use a two-pronged approach. Http:bl to block spurious requests and spammers, and a caching proxy in front of our main services to speed up access times. Is there a way of running http:bl through something other than Apache or the web application itself? Because the ideal scenario here is that the caching proxy performs all of the operations related to access control, including querying project honeypot. But mod-security, which at one point was capable of using honeypot as a blacklist, isn't stable when run with nginx and keeps crashing. So afaik we're SOL for running http:bl on the caching server. We were running it on the main services instance using a drupal plugin, but then it blocked our proxy server. So that was awkward. I know X-FORWARDED-FOR can't be trusted, but surely it would be enough to give administrators an option to allow a specific IP and when connections originate from that IP, then and only then to trust the X-FORWARDED-FOR header?
So we have had to disable http:bl for now, unfortunately.