Disable browser access to server IP address - apache

I have a server that I can access in browser through the domain name (secured with SSL) and the server IP address.
I would like to disable access with the server ip address:
http://123.45.678.901/ and https://123.45.678.901/
How can I do that ?

OK found the complete solution here via htaccess file and 2 rules :
RULE 1: Redirect all requests to secure HTTPS access (including ip request http://123.45.678.901 )
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://domain.com/$1 [L,R=301,QSA]
RULE 2: If the domain or subdomain is not exactly domain.com redirect to bare domain (mandatory to catch https://123.45.678.901/any-page for example)
Using redirect all wildcard subdomains to root domain
RewriteCond %{HTTP_HOST} !^domain\.com$ [NC]
RewriteRule (.*) https://domain.com/$1 [L,R=302,QSA]
All tests results here :
http://123.45.678.901/ > now redirect to https://domain.com/
https://123.45.678.901/ > now redirect to https://domain.com/
http://123.45.678.901/any-page > 404 > https://domain.com/index.php?p=any-page
https://123.45.678.901/any-page > 404 > https://domain.com/index.php?p=any-page

What are you trying to accomplish by blocking the IP access to the website? It is really the same thing. We only use nice looking domain names or host names for the benefit of humans. Whether you type in the domain name or IP is the exact same thing as someone can simply ping your hostname and get the IP address anyway.
If you want to enforce SSL simply do it for the host so that all access attempts require SSL. You can use apache mod_rewrite to accomplish this: https://www.sslshopper.com/apache-redirect-http-to-https.html
What you're asking for may not be possible, unless I'm not understanding the problem correctly. It's like saying I want someone to be able to send mail to my house only using my address but not my postal code, when the postal code effectively gives you the address.
Anyway hope this helped.

If you want to make it possible for users to access your site (server) through the domain name while accessing the corresponding IP address is disabled in order to disable the access to phpmyadmin through the IP address, it is impossible and not a good way to achieve what you want.
Roughly speaking, domain name is the human readable and memorable form of IP address, and when we type the domain name (e.g., http://google.com) on the browser, the domain name is converted to corresponding IP address by the DNS (domain name service) server, and the browser tries to connect to the IP address given by DNS. Eventually, trying to connect via domain name and IP address internally works the same way.
To remove the access of phpmyadmin from the other users and attackers, configuring the access control is right way. Try:
Use secure passwords for mysql users
Limit the permission of the mysql users according to the purpose of the mysql users. (Using the root user for all purpose and application is not a good way.)
If you correctly configure the above points, attackers can't access your database even if they know the URL of phpmyadmin.

To make sure that a redirect takes place only when someone is browsing with the ip of the server, I did the following (Ubuntu 20.04 - commands and paths may differ, if you use another OS):
Create a noip.conf file in /etc/apache/conf-available/ folder with this content:
<If "%{HTTP_HOST} =~ /12\.34\.56\.78/">
RewriteEngine on
RewriteRule ^ http://my.domain.com [L,R=301]
</If>
Enable the configuration and restart apache:
a2enconf noip
apachectl restart
The above will not work if someone types in the ip using https. They will get a "Your connection is not private" message. Then if they click "Proceed to 12.34.56.78", they will get the first matching ssl enabled virtual host. Make sure that this host is the one you want it to be.
You should also check if other applications on the server are listening on alternative ports, since someone could type in 12.34.56.78:999.

Related

Will a htaccess rewrite rule to force www work without an A record in place for the apex/naked domain?

I'm working on a site that only works if you type in www. Only the www subdomain has an A record. The bare/naked domain is unable to be given an A record. The naked domain can also not be given a DNS Alias. This means the site without "www" shows an error in your browser.
I'm trying to think through any creative solution that may solve this usability issue.
Would an htaccess rewrite rule such as:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]
work in this scenario to force users to the www working site and to keep users from seeing an error in their browser?
I'm thinking it likely does NOT work because the htaccess file would only be accessed when users already typed in www (which has the A record). Is that thinking correct?
(Additional examples of htaccess code are in this thread) Redirect non-www to www in .htaccess
If this isn't a valid option, any other creative solutions that might work?
No, .htaccess rules won't work if the DNS isn't pointing to them. The only way to issue a redirect is by pointing the DNS to a web server that redirects.
CNAME records never work for the domain apex, so they are never an option. The only DNS records that will resolve a website for the domain apex are A records. I suspect that you are using a web host that doesn't give you an IP address to put into the A record, only a name. They probably warn that the IP address could change without warning. There are other possible solutions in this type of situation:
Let your web host be your DNS host
Many web hosts will offer to host your DNS for you. They can then keep your A and CNAME records up to date for you. They would be able to use A records at the APEX and change them as needed. If your web host offers this service, you would change your NS records at your DNS registrar to point to values given to you by your web host. Usually something like ns1.example.com and ns2.example.com.
Use ANAME or ALIAS records
Many DNS hosts now allow your to enter a name but serve it as an A record. The DNS host periodically (like every few minutes) looks up the IP address for the name and serves an A record with the current value. These records have different names at different DNS hosts, but they are usually called ANAME or ALIAS records. If your current DNS host doesn't offer this service, you could switch to a more capable DNS host that does so.
Use a third party redirect service
If your existing web host won't give you an IP address to use in an A record, you can use an alternate web host that will do so for the redirects. Most web hosting will give you an IP address to put into DNS records that won't change without notice. It is possible to find an alternate host for your domain apex and use that hosting only to do the redirect to www. Your www CNAME record would continue to point to your existing host.

How to restrict access to a specific rewrite by IP

I have a website that I'm dynamically creating URLs for with htaccess rewrites. What I'm looking to do is restrict a URL based on the IP address of those accessing it.
For example, I'm trying to restrict access to any rewrite in the XYZ "sub-folder"
These should all be restricted to a specific IP
www.domain.com/XZY
www.domain.com/XZY/anotherfile.html
www.domain.com/XZY/anotherfolder
But no restriction to any other rewrite
These should all be accessible
www.domain.com/ABC
www.domain.com/greatfile.html
www.domain.com/ABC/greatfolder
The XYZ folder does not actually exist so placing an htaccess file in there isn't an option for me. I appreciate any assistance you can provide.
Using mod_rewrite, respond with a 403 Forbidden for any requested URL that starts /XZY and is not from the stated IP address:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !=203.0.113.111
RewriteRule ^XZY($|/) - [F]
Any blocking directive like this need to go near the top of the .htaccess file, before any existing rewrites.
NB: This assumes the client is connecting directly to your application server. However, if you are using a CDN (eg. Cloudflare), load balancer or front-end caching proxy then you may need to check another element of the request since the client is not connecting directly with your server (the proxy is).

Allow access from domain name only with Apache

I have a bunch of scripts on a server running Ubuntu 12.04 and Apache. Currently, I can access the site both ways: via the IP and the domain name, for example: http://example.com and http://1.1.1.1 where example.com has an A record pointing to 1.1.1.1. My question is, is there a way to throw 403 or similar error when the site is accessed by the server IP and not by its domain name?
All I could find about my question is a link to the Apache HOW-TOs, however, there is no information on how to achieve this whatsoever. My assumption is that I have to edit the configuration file of the default vhost, but I don't know what exactly to change. Or perhaps there's a module for it?
Put this rule in your vhost configuration
RewriteEngine on
RewriteCond %{HTTP_HOST} ^1\.1\.1\.1$
RewriteRule ^ - [F]

From my XYZ Server's IP to my Yahoo Domain - htaccess settings

Hello there and I apologize if this has been posted already.
I would need some help, I am a novice as you can see.
Here is the Issue:
The web site has been finished and needs now to go "live".
My current website is on a xyz cloud server with the IP 65.61.xxx.xx, which when entered in the browser shows my site correctly etc.
Now I need to change the IP address to the domain name which is hosted via Yahoo.
As been instructed, I would need to create a re-write rule in the htaccess (in the main root folder?), is the below correct and can this be applied to an IP address as the HTTP_host too?
Besides the above change do I need to change any other setting on my server or anywhere else?
RewriteEngine on
RewriteCond %{HTTP_HOST} 65.61.xxx.xx.com [NC]
RewriteRule ^(.*)$ http://www.newyahoodomain.com/$1 [L,R=301]
If I only enter the newyahoodomain.com/ in the web browser it shows "It works! This is the default web page for this server. The web server software is running but no content has been added, yet."
Sorry for this question, and I appreciate your reply!
Thanks, Steve
If you see "It works!", but not the site, then it is possible that your host definition in apache missing ServerName and ServerAlias directives. They tell to Apache to use this configuration when the request of specified domain name comes to your server. E.G:
ServerName http://www.newyahoodomain.com/
Check out this link: http://httpd.apache.org/docs/2.2/mod/core.html#servername

Url rewriting: url pointing to a different server than the one specified in the RECORD A DNS

I have the domain "www.first.com" which points x.x.x.x
I have the domain "www.second.com" which points to y.y.y.y
I want the to type in the browser "www.first.com" and get to "www.second.com" (on the y.y.y.y) but the url showed in the browser has to be the same!
If I put a .htaccess inside the x.x.x.x server with:
RewriteEngine on
RewriteRule index.php http://www.second.com
I get to second.com, but the url is changed to http://www.second.com. Is there anyway to achieve what I want to do?
1 - It's because I need to host a website on my server, but the domain doesn't point towards it and I MUST NOT CHANGE the dns.
2 - I can change some of the contents in the x.x.x.x server, but I can't neither change DNS or put the website directory inside it.
I was considering put a simple index.php in the x.x.x.x server, which make a eval(file_get_contents("www.second.com")): I know it's weird, but I can't get closer than that to the solution.
Apache mod_proxy might be the best way to achieve that.