So I was wondering if it's possible to block direct port access via URL. I set up my own security system with a raspberry pi and made a web page to where I can view my livestream. It uses port 8081 for stream viewing, but if I type in www.mydomain.com:8081 it just bypasses my website and goes directly to the stream. I would like to disable that. (in the future I will require username and password to access the stream). Is this possible at all? Or even if I have to redirect it to my home page that will be fine also. I've tried searching and everything is showing up as virtualhost which I don't think is what I'm looking for.
I am using apache as my webserver and motion for my surveillance system. I also have port 80 and 8081 forwarded
If you want to block direct access, you just have to block it through the system ( and configure Apache/Nginx to do a proxypass to the port)
Example for you:
On the terminal run the following commands so you won't be able to directly access it (but your Apache/Nginx will be able to redirect you here)
#First make the port accessible locally
iptables -A INPUT -p tcp --dport 8081 -s 127.0.0.0/8 -j ACCEPT
#Now drop request from all other sources
iptables -A INPUT -p tcp --dport 8081 -j DROP
On the Config, for Nginx would be something like this:
location /security {
expires max;
proxy_pass http://127.0.0.1:8081;
auth_basic "Restricted"; # If you want Basic Auth
auth_basic_user_file /etc/nginx/.htpasswd; # If you want Basic Auth
}
Now you just go to www.mydomain.com/security and will have login prompted (if you use the Basic Auth), otherwise you'll get the Livestream.
Related
I ran into a problem I'm not able to fix. I have a server with some applications (a ghost blog and gogs for example) that are listening on specific ports. I want apache to handle them via proxypass. So far so good, I can specify a subdomain and let the requests through to the applications. But all my applications are still reachable via the specific port they run on. I can't let apache listen to this ports because, well, the ports are in use by the applications.
I'm just wondering is there a way to let any apllications just listen on a port and be reachable from locahost (so that only apache can reach them with that port) or is there any other way to limit the access to my applications so that they are only reachable through apache? Is there a solution I can use for all applications or do I have to tweak every single app myself?
Googling it just didn't get me the rights answers (lots of port 80 to https and so on)
Thank you for every answer / tipp / nudge in the right direction you can give me.
Best regards.
Allright, the biggest problem is always in front of the computer :)
I never thought about iptables, I don't know why, because I'm quite familiar with it. For anyone else having the same stupidity problem I had:
Make a rule that allows localhost to access this port:
iptables -A INPUT -p tcp -s localhost --dport 25 -j ACCEPT
Then just block every connection on that port with iptables
iptables -A INPUT -p tcp --dport 25 -j DROP
Don't forget to change 25 to your specific port.
Best regards.
I am trying to write an iptables rule which states that block a specific IP address from accessing the administrative console of Joomla, Wordpress and PhpMyAdmin.
For instance, in the following rule, I state that block all TCP accesses to port 8080 (Apache Tomcat).
sudo iptables -A INPUT -p tcp -s 172.24.21.133 --dport 8080 -j DROP
This will block access to the service running on port 8080.
But, now, if Joomla, Wordpress and PhpMyAdmin, all of them are running on port 80, is there any additional parameter that I can specify to block access only to one service among Joomla, Wordpress or PhpMyAdmin? Or I shall judiciously assume the fact that if I were to block access to one service, then I will have to compromise on the other two?
IPtables does not (to my knowledge) have any module for matching based on the URL inside an HTTP packet. Your better bet would be to use IP-based access control in your webserver configuration. If you are using Apache, you would use rules something like this in an .htaccess file in your Joomla/WordPress/PHPMyAdmin directory:
Order allow,deny
Deny from 172.24.21.133
Allow from all
This will prohibit HTTP access to anything in those directories from that specified IP address. You can also have multiple Deny lines to block multiple IP addresses.
I have a VPS server with a domain example.com, with apache2 listening port 80
Then, I have a web app in jetty server (running with mvn jetty:run), listening in port 8080
When I type example.com in a browser, I get a apache example page "it works!"
If I write example.com:8080 I get my webapp
Question is simple, how can I redirect for when I write example.com so that I get to my webapp?
I cant change port jetty to 80, its error.
command "sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080" does not anything effect
So, how can i make apache redirect 80 to 8080? in sites-enabled/default-000?
Please explain carefully, I'm a newbie with systems ;(
Thank you
EDIT
I solved it with this:
http://czetsuya-tech.blogspot.com.es/2012/07/how-to-port-forward-apaches-80-to.html#.VImt1XvyOPU
But last line:
RewriteRule ^/(.*) ......:8080/0,81 € [P,L]
Makes error at restart apache
I deleted it and works fine. Any problem with this? What is RewriteRule?
Using IPTABLES is one possible solution. I don't know much about IPTABLES - but there are a lot of tutorials out there, like this one: http://proghowto.com/iptables-redirect-port-80-to-port-8080
I don't know if that works if you have a running daemon (apache) on the destination port.
The other solution is to use a proxy module in apache to pass requests through to your webapp. On Linux only root users are allowed to use ports below 1000. On Windows you should be able to simply change the port in the jetty configuration.
There are two tutorials I often use, they apply to apache and tomcat but that makes no difference for the apache side:
https://confluence.atlassian.com/display/DOC/Using+Apache+with+virtual+hosts+and+mod_proxy
https://confluence.atlassian.com/display/STASH/Integrating+Stash+with+Apache+HTTP+Server
This is quite a common setup. Also there is almost no performance impact due to the proxying. Not that a user would notice anything.
I want to accomplish the following: I want to show a task bar on top of all websites I request from my notebook. On this bar I display various information.
I have a Raspberry Pi in my network which I configured as a gateway on my notebook. So all the traffic from my notebook passes the raspberry. On the raspberry I installed an Apache server with two VirtualHosts. One is a local webserver listening on port 80. For the other one, listening on port 8126, I have the following rules:
If no special parameter is set in the request, I redirect the request to a local page (with the original requested URI as a parameter). On this page I have an iframe in which I show the originally requested page, using the URI I read out from the parameters. To avoid having an endless loop I add the special parameter to the link in the iframe. This part works fine.
If the special parameter is not set (since the page should be display in the iframe), I redirect the request to the originally requested page using *mod_rewrite* again. This redirecting seems to cause the problems.
So here is some code of what I am doing:
I redirect all traffic on port 80 to port 8126 using iptables. 192.168.1.1 is the IP address of my raspberry which I use since I can not redirect to the loopback interface in the PREROUTING phase. I do this with the following iptables-rule:
iptables -t nat -A PREROUTING -i eth0 -p tcp 80 -j DNAT 192.168.1.1:8126
I boiled down my problem to the following VirtualHost configuration for the Apache server, where I simply redirect all requests to an external website:
<VirtualHost *:8126>
RewriteEngine On
RewriteRule ^/?(.*) http://example.com/ [P]
ProxyPassReverse / http://example.com/
</VirtualHost>
On my notebook I set the gateway to 192.168.1.1, open my Chrome browser and send an HTTP request to e.g. test.com. I would expect to get redirected to example.com. But I receive an error message saying
ERR_TOO_MANY_REDIRECTS
Does anybody have an idea how I could solve this? I am free for completely different approaches solving my problem!
Your iptables rule creates a loop so requests FROM the proxy are sent again to himself.
You should avoid that by excluding Proxy source IP from rule:
iptables -t nat -A PREROUTING -i eth0 -s ! <Your proxy IP> -p tcp 80 -j DNAT 192.168.1.1:8126
My aim is to run Node.js on port 80. This is because I am finding node.js is being blocked from certain networks which do not allow traffic from any other port.
It appears that the best way to do this is by proxying Apache through Node.js. I have tried using node-http-proxy to do this but I have not had any luck.
The code I am using is here:
var util = require('util'),
http = require('http'),
httpProxy = require('http-proxy');
httpProxy.createServer(9000, 'localhost').listen(80);
http.createServer(function (req, res) {
res.writeHead(200, { 'Content-Type': 'text/plain' });
res.write('request successfully proxied to: ' + req.url + '\n' + JSON.stringify(req.headers, true, 2));
res.end();
}).listen(9000);
But I keep getting the error "Address in use" for port 80. I must be doing something wrong.
How do I proxy Apache through node.js using node-http-proxy? Will this enable me to run node.js on port 80? And is node-http-proxy the best way to achieve this?
Thank you.
run your app on a high port 8080 or whatev then
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
If you are not using ngnix or apache
The simplest solution: safely configure your node app to run on port 80.
sudo apt-get install libcap2-bin
sudo setcap cap_net_bind_service=+ep /path/to/node
Ta da! You're done.
Why do I like it?
You don't have to use apache or nginx
You don't have to run your application as root
You won't have to forward ports (and handle that each time your machine boots)
Reference Link: https://www.digitalocean.com/community/tutorials/how-to-use-pm2-to-setup-a-node-js-production-environment-on-an-ubuntu-vps (A great article on how to set up your node app on cloud hosting).
What you need to do is have 2 ip's for the server you are running. Apache has 1 ip bound to port 80 and then node.js has the other ip bound to port 80.
Using node and its listen directive has 2 values eg. .listen(80, NODEJS_IP or DNS NAME);
Some other advice.
I would not use apache with nodejs as it's not evented. So this really isn't recommended. I would actually look into using NGINX as its a much better pairing with Node.
It is currently not recommended to run node on port 80, as that requires running node as root.
How attached are you to apache? Proxying node through nginx is a tried and true solution, with an nginx-config such as this:
upstream node_cluster {
ip_hash;
server 127.0.0.1:8000;
server 127.0.0.1:8001;
server 127.0.0.1:8002;
}
server {
listen 0.0.0.0:80;
server_name foo;
access_log /var/log/nginx/foo.log;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass http://node_cluster/;
proxy_redirect off;
}
}
Nginx documentation:
http://wiki.nginx.org/HttpProxyModule
http://wiki.nginx.org/HttpUpstreamModule
Your code looks like example code in which you're creating a Node-based proxy from port 80 to port 9000, and then creating a Node-based HTTP server on port 9000. (i.e. Node:80 -> Node:9000)
You are getting "address in use" when you launch Node because Apache is already using port 80. If you want to use Apache to proxy, you must use Node on a different port (say 9000) and have Apache listening on port 80 and forwarding the requests to Node on port 9000. (i.e. Apache:80 -> Node:9000)
It looks like the library you're using is for doing the opposite: using Node as the proxy and forwarding requests to Apache. In this case you must configure Apache to run on another port than port 80. (i.e. Node:80 -> Apache:9000).
Are you wanting to do Node:80 -> Apache:9000 or Apache:9000 -> Node:80, in the end?
EDIT after comments:
If you want to do Apache:80 -> Node:9000, you can use mod_proxy on Apache and use the ProxyPass/ProxyPassReverse directives, something like
ProxyPass /nodeurls/ http://localhost:9000/
ProxyPassReverse /nodeurls/ http://localhost:9000/
where nodeurls is the family of URLs you wish for Apache to forward to Node.
If you are a non-root user, you cannot run or bind with ports lower than 1024 (in Unix system). To allow non-root user can run node on port lower than 1024 use this command.
$ sudo setcap 'cap_net_bind_service=+ep' $(which node)
I was having the same issue, here is how I resolved it using node-http-proxy to listen on port 80, then forward to either express or apache.
https://stackoverflow.com/a/9645091/500270
I had the same issue, I just changed my port to 8080 and it worked.
httpsServer.listen(8080, () =>
console.log(chalk.rgb(208, 60, 240)(`Server listening on port: 8080`))
);
if you just in develop environment mode
you can su root, then
node index.js or ./node_modules/coffee-script/bin/coffee index.coffee