block outside access to port so only apache proxy pass serves sites - apache

I ran into a problem I'm not able to fix. I have a server with some applications (a ghost blog and gogs, for example) that are listening on specific ports. I want apache to handle them via proxypass. So far so good, I can specify a subdomain and let the requests through to the applications. But all my applications are still reachable via the specific port they run on. I can't let apache listen on these ports because, well, the ports are in use by the applications.
I'm just wondering: is there a way to let any application just listen on a port and be reachable only from localhost (so that only apache can reach it on that port), or is there any other way to limit access to my applications so that they are only reachable through apache? Is there a solution I can use for all applications, or do I have to tweak every single app myself?
Googling it just didn't get me the right answers (lots of port 80 to https and so on).
Thank you for every answer / tip / nudge in the right direction you can give me.
Best regards.

Alright, the biggest problem is always in front of the computer :)
I never thought about iptables, I don't know why, because I'm quite familiar with it. For anyone else having the same stupidity problem I had:
Make a rule that allows localhost to access this port:
iptables -A INPUT -p tcp -s localhost --dport 25 -j ACCEPT
Then just block every connection on that port with iptables
iptables -A INPUT -p tcp --dport 25 -j DROP
Don't forget to change 25 to your specific port.
Best regards.

Related

How to disable direct port access through URL

So I was wondering if it's possible to block direct port access via URL. I set up my own security system with a raspberry pi and made a web page to where I can view my livestream. It uses port 8081 for stream viewing, but if I type in www.mydomain.com:8081 it just bypasses my website and goes directly to the stream. I would like to disable that. (in the future I will require username and password to access the stream). Is this possible at all? Or even if I have to redirect it to my home page that will be fine also. I've tried searching and everything is showing up as virtualhost which I don't think is what I'm looking for.
I am using apache as my webserver and motion for my surveillance system. I also have ports 80 and 8081 forwarded.
If you want to block direct access, you just have to block it through the system (and configure Apache/Nginx to do a proxypass to the port).
Example for you:
On the terminal run the following commands so you won't be able to directly access it (but your Apache/Nginx will be able to redirect you there):
#First make the port accessible locally
iptables -A INPUT -p tcp --dport 8081 -s 127.0.0.0/8 -j ACCEPT
#Now drop requests from all other sources
iptables -A INPUT -p tcp --dport 8081 -j DROP
In the config, for Nginx it would be something like this:
location /security {
    expires max;
    proxy_pass http://127.0.0.1:8081;
    auth_basic "Restricted"; # If you want Basic Auth
    auth_basic_user_file /etc/nginx/.htpasswd; # If you want Basic Auth
}
Now you just go to www.mydomain.com/security and will be prompted to log in (if you use Basic Auth); otherwise you'll get the livestream.
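As an added example serving both the accepted answer above and this one (it is not code from either post), here is a POSIX sh script that reads `ss -ltn` output to find which services listen on a wildcard address and prints the allow-loopback / drop-everyone-else pair for each port that should not be public. The sample ss lines, the port numbers and the PUBLIC_PORTS list are constructed assumptions; it matches on the loopback interface (-i lo) rather than a source address, for the reasons given in the comments.

```shell
#!/bin/sh
# Added example, not from the original thread. Lists TCP listeners bound to a
# wildcard address (reachable on every interface) and emits, for each port that
# is not meant to be public, the allow-localhost / drop-everyone-else pair the
# answers describe. Rules are only printed unless APPLY=1 is set (root needed).

# Constructed sample of `ss -H -ltn` output (header suppressed); the ports are
# illustrative (a blog on 2368, a loopback-only app on 3000, Apache on 80).
SAMPLE_SS='LISTEN 0 128       0.0.0.0:2368      0.0.0.0:*
LISTEN 0 128     127.0.0.1:3000      0.0.0.0:*
LISTEN 0 128             *:80              *:*
LISTEN 0 128          [::]:22           [::]:*'

# Ports that must stay reachable from outside (ssh and the Apache front end).
PUBLIC_PORTS="22 80 443"

# exposed_ports: read ss lines on stdin; print the port of every socket whose
# local address (field 4, "addr:port") is 0.0.0.0, * or [::].
exposed_ports() {
    awk '{
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") print port
    }' | sort -n -u
}

# is_public PORT: succeed if PORT is listed in PUBLIC_PORTS.
is_public() {
    for p in $PUBLIC_PORTS; do [ "$p" = "$1" ] && return 0; done
    return 1
}

# port_rules PORT: the two rules from the answers. -i lo replaces -s localhost:
# an interface match cannot be satisfied by a spoofed 127.x source address, and
# "localhost" may resolve to ::1, which iptables (IPv4) rejects. Explicit -I
# positions put ACCEPT, then DROP, at the top of INPUT so an earlier blanket
# ACCEPT cannot shadow the DROP.
port_rules() {
    printf 'iptables -I INPUT 1 -i lo -p tcp --dport %s -j ACCEPT\n' "$1"
    printf 'iptables -I INPUT 2 -p tcp --dport %s -j DROP\n' "$1"
}

# lockdown_rules: stdin = ss output; stdout = rules for each exposed, non-public port.
lockdown_rules() {
    exposed_ports | while read -r port; do is_public "$port" || port_rules "$port"; done
}

if [ "${APPLY:-0}" = "1" ]; then ss -H -ltn | lockdown_rules | sh -e   # apply for real
else printf '%s\n' "$SAMPLE_SS" | lockdown_rules; fi                  # dry run on sample
```

Binding the application to 127.0.0.1 in its own configuration, where it allows that, removes the exposure at the source; the firewall rules are the generic fallback the question asked for.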

How to redirect all IPv6 DNS requests to local dnsmasq when there isn't a nat table on my router?

I have redirected all IPv4 DNS requests to my local DNS server on port 60053 using iptables -j REDIRECT.
But when I try to do the same thing for IPv6 DNS requests I fail, because there isn't a nat table for IPv6 on my router.
I have googled but didn't find a solution; any suggestions would be appreciated. Thanks.
The nat table isn't there because the kernel module isn't loaded. You'll need to load it (and probably install it first). If you're on OpenWRT, the package you need is ip6tables-mod-nat.

Blocking access to Joomla, Wordpress, PhpMyAdmin Administrator Pages through iptables

I am trying to write an iptables rule that blocks a specific IP address from accessing the administrative console of Joomla, Wordpress and PhpMyAdmin.
For instance, with the following rule, I block all TCP access to port 8080 (Apache Tomcat).
sudo iptables -A INPUT -p tcp -s 172.24.21.133 --dport 8080 -j DROP
This will block access to the service running on port 8080.
But now, if Joomla, Wordpress and PhpMyAdmin are all running on port 80, is there any additional parameter that I can specify to block access to only one service among Joomla, Wordpress or PhpMyAdmin? Or shall I assume that if I were to block access to one service, I would have to compromise on the other two?
IPtables does not (to my knowledge) have any module for matching based on the URL inside an HTTP packet. Your better bet would be to use IP-based access control in your webserver configuration. If you are using Apache, you would use rules something like this in an .htaccess file in your Joomla/WordPress/PHPMyAdmin directory:
Order allow,deny
Deny from 172.24.21.133
Allow from all
This will prohibit HTTP access to anything in those directories from that specified IP address. You can also have multiple Deny lines to block multiple IP addresses.

Can iptables redirect a specific domain's requests to a dedicated port listened on by a proxy?

In Android, I have a proxy daemon which listens on a dedicated port, and I would like it to relay visits to some specific domains but not others. For example: this proxy will relay requests for www.yahoo.com, but not affect www.google.com.
Is it possible to use iptables to implement this?
Normally it can't do that. Iptables routes/blocks traffic from/to IPs/ports. Maybe a plugin can do that, but I am not familiar with iptables plugins, and I don't know anything about iptables on Android.
Apache can forward connections too; maybe that's the right choice for you.

how to redirect apache port 80 to jetty port 8080?

I have a VPS server with a domain example.com, with apache2 listening on port 80.
Then I have a web app in a jetty server (running with mvn jetty:run), listening on port 8080.
When I type example.com in a browser, I get an Apache example page "it works!"
If I type example.com:8080 I get my webapp.
The question is simple: how can I redirect so that when I type example.com I get to my webapp?
I can't change jetty's port to 80, it gives an error.
The command "sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080" has no effect.
So, how can I make apache redirect 80 to 8080? In sites-enabled/default-000?
Please explain carefully, I'm a newbie with systems ;(
Thank you
EDIT
I solved it with this:
http://czetsuya-tech.blogspot.com.es/2012/07/how-to-port-forward-apaches-80-to.html#.VImt1XvyOPU
But the last line:
RewriteRule ^/(.*) ......:8080/$1 [P,L]
makes an error when restarting apache.
I deleted it and it works fine. Any problem with this? What is RewriteRule?
Using iptables is one possible solution. I don't know much about iptables, but there are a lot of tutorials out there, like this one: http://proghowto.com/iptables-redirect-port-80-to-port-8080
I don't know if that works if you have a running daemon (apache) on the destination port.
The other solution is to use a proxy module in apache to pass requests through to your webapp. On Linux only root users are allowed to use ports below 1000. On Windows you should be able to simply change the port in the jetty configuration.
There are two tutorials I often use, they apply to apache and tomcat but that makes no difference for the apache side:
https://confluence.atlassian.com/display/DOC/Using+Apache+with+virtual+hosts+and+mod_proxy
https://confluence.atlassian.com/display/STASH/Integrating+Stash+with+Apache+HTTP+Server
This is quite a common setup. Also, there is almost no performance impact due to the proxying, not that a user would notice anything.