Restrict typesense to localhost only - typesense

I am trying to host Typesense on a self-hosted virtual machine. I don't want to expose Typesense to the public. I want to restrict access to localhost only. How can I restrict Typesense from being accessed from outside?

You want to set the --api-address and --peering-address to 127.0.0.1 to ensure that Typesense is only listening for inbound connections from localhost.
These two parameters are documented here: https://typesense.org/docs/0.23.1/api/server-configuration.html#using-command-line-arguments
--api-address
Address to which Typesense API service binds. Default: 0.0.0.0
--peering-address
Internal IP address to which Typesense peering service binds. If this parameter is not specified, Typesense will attempt to use the first available internal IP.
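To confirm the change took effect, the listening sockets can be audited after a restart. The following is an added example, not part of the original answer or of Typesense: it parses `ss -ltnH` output and reports watched ports that are still bound to a non-loopback address. The port numbers (8108 and 8107 as Typesense's default API and peering ports, 6379 as Redis's default) and the sample lines are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:8108 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8107 0.0.0.0:*
LISTEN 0 511 *:6379 *:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 [::1]:6380 [::]:*
LISTEN 0 128 [::]:22 [::]:*
"""

def is_loopback_only(host: str) -> bool:
    """True if a local address from ss is reachable from this machine only."""
    host = host.split("%", 1)[0].strip("[]")  # drop %iface suffix and brackets
    if host == "*":
        return False                           # wildcard: every interface
    return ipaddress.ip_address(host).is_loopback

def exposed_listeners(ss_output: str, ports: set) -> list:
    """Return (address, port) for watched ports bound beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Column 4 is "Local Address:Port"; split on the last colon
        # so that IPv6 addresses stay intact.
        host, _, port = fields[3].rpartition(":")
        if int(port) in ports and not is_loopback_only(host):
            findings.append((host, int(port)))
    return findings

if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS, {8108, 8107, 6379}):
        print(f"port {port} is listening on {host}, not only on loopback")
```

On a real host, feed it the output of `ss -ltnH` instead of the sample; an empty result means every watched port is loopback-only.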

Related

How do I find the IP address to use in an HTTP request?

I want to make an http request via the fetch() method in React Native, and I need the IP address of the machine I'm sending the request to. I have access to the machine, and googled "what's my IP" on it. It said my public IP was 162.250.198.98, but when I googled it on another computer nearby, it gave the same address. Is this the right IP to use in a fetch request like this? If not, how do I find the right one to use?
If you have multiple machines connected to the internet via a NAT-enabled router, they will all share the same public IP address. You need to forward a specific port to the machine you want to connect to in the router's configuration e.g. to send your request on port 5000, add a rule to the router to forward port 5000 to your desired machine, then send the request to 162.250.198.98:5000
For your application to work you need a "server" with a public ip address. Later you assign a domain name to that server/ip address ex. api.domain.com
Since you don't have a server and you are using your computer to test your development, you have these 2 options:
Use your computer's IP address, usually 192.168.x.x, 10.x.x.x or 172.16.x.x. This will allow you to test it if your phone is connected wirelessly to the same network.
Since you are behind a NAT, you can do a port forward to send the traffic arriving on port X to your desired host (ip/port) behind the NAT. Usually we create APIs that run on port 80 or 443; do a port forward in your router to pass the traffic from this port to your computer's ip/port.

Redis - Bind interfaces does not work (Connection refused)!

I'm trying to configure Redis (redis.conf, bind parameter) to accept access only from certain ips. In my case I want to enable access for the loopback network interface (127.0.0.1/::1) and for the ip 192.168.56.101 (192.168.56.102 is the ip of the Redis server). According to all the documentation that I have read so far the configuration below should work...
bind 127.0.0.1 ::1 192.168.56.101
... but that's not what happens.
I've tried several other configurations...
bind 127.0.0.1 192.168.56.101 ::1
bind 127.0.0.1 192.168.56.101
bind 192.168.56.101
bind 192.168.56.0
bind 192.168.0.0
... and nothing works. =|
The only configuration that worked was this...
bind 0.0.0.0
But, this configuration opens access to any ip!
NOTE: The protected-mode parameter (redis.conf) has a no value.
Any idea what might be happening?
REFERENCE:
Redis bind to more than one IP
https://redis.io/topics/security
http://download.redis.io/redis-stable/redis.conf
FURTHER QUESTION:
How could I enable access for an IP range (bind parameter)? Something like...
bind 192.168.56.0
... or...
bind 192.168.56.0/24
In these examples any machine with an ip starting at "192.168.56" will have access to the Redis server.
#Carl Dacosta
#Jacky
Thanks!
I think you misunderstand the bind configuration and IP-whitelist.
The bind configuration specifies the IP addresses that Redis listens to. If you bind Redis to loopback interface, only local clients can access Redis. If you want other hosts to access Redis, you have to bind Redis to all network interfaces (i.e. 0.0.0.0), or some specified network interfaces.
What you need is an IP-whitelist, which lists the IP addresses that can access Redis. AFAIK, so far, Redis DOES NOT support that (correct me if I'm wrong).
There are other solutions to limit the access to Redis (all these solutions need Redis NOT to bind on the loopback interface).
Limit access by authentication
You can use the requirepass configuration to set a password for Redis. Only clients with the password can access Redis.
Limit access by OS utility
On Linux, you can use iptables to control the network access. With this utility, you can allow only specified hosts to access the port that Redis binds to.

Bind ip wrong in redis config

log:Creating Server TCP listening socket (myip:port): bind: Cannot assign requested address
my redis.conf
bind 10.114.234.11
When I configure it like this
bind 127.0.0.1
it works well
You likely do not currently have any interfaces set up for the 10.x.x.x subnet. If you're on any flavor of Linux, ifconfig should be able to tell you which interfaces are currently set up. For example, I'm running Mint 17:
$ ifconfig | grep "inet addr"
inet addr:127.0.0.1 Mask:255.0.0.0
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
So I (like you) would not be able to bind Redis (or most any other service requesting a TCP socket) to 10.x.x.x. If you are really trying to listen for connections on that subnet, you will need to change your network setup (how exactly that would be done depends largely on your operating system).
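The point made in the answers above, that bind names an address of the server's own interfaces and not a client allowed to connect, can be checked before editing redis.conf. This is an added example, not code from the original posts or from Redis: it tries each address of a bind line on a throwaway socket and reports the same "Cannot assign requested address" condition (EADDRNOTAVAIL) seen in the log. The address 192.0.2.1 is a documentation address standing in for a remote client's IP; the function names are hypothetical.

```python
import errno
import ipaddress
import socket

def probe_bind(addr: str) -> str:
    """Try to bind a throwaway TCP socket to addr (port 0 = any free port)."""
    ip = ipaddress.ip_address(addr)
    family = socket.AF_INET6 if ip.version == 6 else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.bind((addr, 0))
    except OSError as e:
        # EADDRNOTAVAIL: the address belongs to no local interface.
        return errno.errorcode.get(e.errno, str(e.errno))
    if ip.is_unspecified:
        return "ok: all interfaces"
    if ip.is_loopback:
        return "ok: loopback only"
    return "ok: local interface"

def check_bind_directive(line: str) -> dict:
    """Check every address on a redis.conf style 'bind a b c' line."""
    words = line.split()
    if not words or words[0] != "bind":
        raise ValueError("not a bind directive")
    # A leading '-' (as in '-::1') marks an address Redis 6.2+ may skip
    # if it is unavailable; strip it before probing.
    return {w: probe_bind(w.lstrip("-")) for w in words[1:]}

if __name__ == "__main__":
    # Constructed directive: loopback plus a remote client's address.
    for addr, result in check_bind_directive("bind 127.0.0.1 192.0.2.1").items():
        print(f"{addr:>12}  {result}")
```

Any address reported as EADDRNOTAVAIL would make the server fail to create its listening socket; restricting which clients may connect is the job of authentication or a firewall rule, as the answers describe.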
I also faced the same issue while setting up Redis for remote access. I was using Google Cloud Platform and we created a Google Compute Engine VM instance where we installed our Redis server. Redis doesn't ship with security configured by default. You have to perform some steps to secure it. Updating the IP address in bind in redis.conf will allow access only from those IP addresses. When we were doing it, we were getting the same error.
To solve this issue, we didn't add IP addresses in the redis.conf file; instead, in the Google Cloud firewall rules, when you add the port-open record under network -> IP ranges, you can specify the IP addresses which you want to allow to access Redis. In the redis.conf file, change bind 127.0.0.1 to bind 0.0.0.0. So basically we restrict access from the Google Cloud firewall rules dashboard.
Below are the steps to add IP address restrictions:
Log in to your Google Cloud console
Navigate to VPC Network -> Firewall Rules
Click on CREATE FIREWALL RULE or edit the existing one if it's already there
In Source IP ranges, add your IP address to allow access only from it
Once you create this rule, add these source tags under your VM instance's network type and you are done.
I faced the same issue when I changed the default redis.conf to a custom Redis conf, and after changing the bind as below it started working. Please be aware that the conf below will open the Redis connection to all sources.
bind 127.0.0.1 -::1 to bind 0.0.0.0 -::1
In /etc/redis/redis.conf
Please change
bind 127.0.0.1 ::1
to
bind 0.0.0.0
then restart
/etc/init.d/redis-server restart
It works for me

Localhost vs ip-address (e.g. 192.xxx.x.xxx)

When I host a page in /var/www/page, I can view it via:
localhost/page
192.xxx.x.xxx/page
Recently, I have started playing with websockets (using this repository).
When I activate the server, I can connect using localhost/page but not with 192.xxx.x.xxx/page (note that I can access the page but not connect to the server)
Can someone explain why?
"On most computer systems, localhost resolves to the address 127.0.0.1, which is the most-commonly used IPv4 loopback address..." (https://en.wikipedia.org/wiki/Localhost)
It's likely that the "localhost" host name is being resolved to the loopback interface IP address (127.0.0.1), as that is the standard on most machines.
If you want the server to respond to another IP address, you'll have to configure it.

WCF testing : need to use machine name instead of ip address on remote machine

I am using https for a web service and the certificate is a temporary one I created and then imported it to a remote machine. The binding of my WCF service uses the machine name not the ip address. I want to test the service on a remote machine but the only way the service is accessible is to use the ip address by changing the client address for the service. But then the service fails because the certificate expects the machine name and not the ip address. How can I use the machine name and not the ip address to access the remote server?
Create a binding for the IP address in the hosts file (C:\Windows\System32\drivers\etc) and then use this binding instead of the IP.