Apache server as a proxy using iptables - apache

I want to accomplish the following: I want to show a task bar on top of all websites I request from my notebook. On this bar I display various information.
I have a Raspberry Pi in my network which I configured as the gateway on my notebook, so all the traffic from my notebook passes through the Raspberry Pi. On the Raspberry Pi I installed an Apache server with two VirtualHosts. One is a local webserver listening on port 80. For the other one, listening on port 8126, I have the following rules:
If no special parameter is set in the request, I redirect the request to a local page (with the original requested URI as a parameter). On this page I have an iframe in which I show the originally requested page, using the URI I read out from the parameters. To avoid having an endless loop I add the special parameter to the link in the iframe. This part works fine.
If the special parameter is not set (since the page should be displayed in the iframe), I redirect the request to the originally requested page using *mod_rewrite* again. This redirecting seems to cause the problems.
So here is some code of what I am doing:
I redirect all traffic on port 80 to port 8126 using iptables. 192.168.1.1 is the IP address of my Raspberry Pi, which I use since I cannot redirect to the loopback interface in the PREROUTING phase. I do this with the following iptables rule:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8126
I boiled down my problem to the following VirtualHost configuration for the Apache server, where I simply redirect all requests to an external website:
<VirtualHost *:8126>
RewriteEngine On
RewriteRule ^/?(.*) http://example.com/ [P]
ProxyPassReverse / http://example.com/
</VirtualHost>
On my notebook I set the gateway to 192.168.1.1, open my Chrome browser and send an HTTP request to e.g. test.com. I would expect to get redirected to example.com. But I receive an error message saying
ERR_TOO_MANY_REDIRECTS
Does anybody have an idea how I could solve this? I am free for completely different approaches solving my problem!

Your iptables rule creates a loop, so requests FROM the proxy are sent back to itself.
You should avoid that by excluding the proxy's source IP from the rule:
iptables -t nat -A PREROUTING -i eth0 ! -s <Your proxy IP> -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8126

Related

How to disable direct port access through URL

So I was wondering if it's possible to block direct port access via URL. I set up my own security system with a Raspberry Pi and made a web page where I can view my livestream. It uses port 8081 for stream viewing, but if I type in www.mydomain.com:8081 it just bypasses my website and goes directly to the stream. I would like to disable that (in the future I will require a username and password to access the stream). Is this possible at all? Or even if I have to redirect it to my home page, that will be fine also. I've tried searching and everything is showing up as VirtualHost, which I don't think is what I'm looking for.
I am using Apache as my webserver and motion for my surveillance system. I also have ports 80 and 8081 forwarded.
If you want to block direct access, you just have to block it at the system level (and configure Apache/Nginx to do a proxy pass to the port).
Example for you:
On the terminal, run the following commands so you won't be able to directly access it (but your Apache/Nginx will be able to redirect you there):
#First make the port accessible locally
iptables -A INPUT -p tcp --dport 8081 -s 127.0.0.0/8 -j ACCEPT
#Now drop request from all other sources
iptables -A INPUT -p tcp --dport 8081 -j DROP
On the Config, for Nginx would be something like this:
location /security {
expires max;
proxy_pass http://127.0.0.1:8081;
auth_basic "Restricted"; # If you want Basic Auth
auth_basic_user_file /etc/nginx/.htpasswd; # If you want Basic Auth
}
Now you just go to www.mydomain.com/security and will be prompted to log in (if you use Basic Auth); otherwise you'll get the livestream.

How to redirect all ipv6 dns request to local dnsmasq when there isn’t a nat table on my router?

I have redirected all IPv4 DNS requests to my local DNS server on port 60053 using iptables -j REDIRECT.
But when I try to do the same thing for IPv6 DNS requests I fail, because there isn't a nat table for IPv6 on my router.
I have googled but didn't find a solution; any suggestions would be appreciated. Thanks.
The nat table isn't there because the kernel module isn't loaded. You'll need to load it (and probably install it first). If you're on OpenWRT, the package you need is ip6tables-mod-nat.

block outside access to port so only apache proxy pass serves sites

I ran into a problem I'm not able to fix. I have a server with some applications (a Ghost blog and Gogs, for example) that are listening on specific ports. I want Apache to handle them via ProxyPass. So far so good: I can specify a subdomain and let the requests through to the applications. But all my applications are still reachable via the specific port they run on. I can't let Apache listen on these ports because, well, the ports are in use by the applications.
I'm just wondering: is there a way to let any application just listen on a port and be reachable only from localhost (so that only Apache can reach them on that port), or is there any other way to limit the access to my applications so that they are only reachable through Apache? Is there a solution I can use for all applications, or do I have to tweak every single app myself?
Googling it just didn't get me the right answers (lots of port 80 to HTTPS and so on).
Thank you for every answer / tip / nudge in the right direction you can give me.
Best regards.
All right, the biggest problem is always in front of the computer :)
I never thought about iptables, I don't know why, because I'm quite familiar with it. For anyone else having the same stupidity problem I had:
Make a rule that allows localhost to access this port:
iptables -A INPUT -p tcp -s localhost --dport 25 -j ACCEPT
Then just block every connection on that port with iptables
iptables -A INPUT -p tcp --dport 25 -j DROP
Don't forget to change 25 to your specific port.
Best regards.
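Both the port 8081 answer above and this port 25 answer rely on the loopback ACCEPT being appended before the DROP. As an added illustration that is not part of either answer, this small evaluator walks an INPUT chain first-match, the way netfilter does, over a constructed sample of what `iptables -S INPUT` prints; the external address 203.0.113.7 is a documentation address chosen for the example.

```python
import ipaddress

# Constructed sample of `iptables -S INPUT` after the two commands from the
# answer above were appended with -A in the order given (ACCEPT first).
RULES_GOOD = [
    "-A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 8081 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 8081 -j DROP",
]
# The same two rules appended in the opposite order: the DROP now shadows
# the loopback ACCEPT, so even the reverse proxy on 127.0.0.1 is cut off.
RULES_BAD = list(reversed(RULES_GOOD))


def parse_rule(line):
    """Extract the -p / -s / --dport / -j fields of one `iptables -S` line."""
    tok = line.split()
    rule = {"proto": None, "src": None, "dport": None, "target": None}
    i = 0
    while i < len(tok):
        if tok[i] == "-p":
            rule["proto"] = tok[i + 1]
        elif tok[i] == "-s":
            rule["src"] = ipaddress.ip_network(tok[i + 1], strict=False)
        elif tok[i] == "--dport":
            rule["dport"] = int(tok[i + 1])
        elif tok[i] == "-j":
            rule["target"] = tok[i + 1]
        else:
            i += 1        # "-A INPUT", "-m tcp": not modelled, skip one token
            continue
        i += 2
    return rule


def verdict(rules, src, dport, proto="tcp", policy="ACCEPT"):
    """First-match walk of an INPUT chain; the chain policy (ACCEPT on a
    default install) applies only when no rule matches the packet."""
    src_ip = ipaddress.ip_address(src)
    for r in map(parse_rule, rules):
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["src"] is not None and src_ip not in r["src"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["target"]
    return policy


if __name__ == "__main__":
    for name, rules in (("good order", RULES_GOOD), ("bad order", RULES_BAD)):
        print(name, "loopback ->", verdict(rules, "127.0.0.1", 8081),
              "| external ->", verdict(rules, "203.0.113.7", 8081))
```

Because -A appends, a blanket ACCEPT for the port that already sits higher in the chain would make the DROP unreachable, so check the real order with `iptables -S INPUT`. These rules also only hold until reboot unless saved, which is why binding the application to 127.0.0.1 is the more durable fix.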

Blocking access to Joomla, Wordpress, PhpMyAdmin Administrator Pages through iptables

I am trying to write an iptables rule which blocks a specific IP address from accessing the administrative console of Joomla, WordPress and PhpMyAdmin.
For instance, with the following rule I block all TCP access to port 8080 (Apache Tomcat):
sudo iptables -A INPUT -p tcp -s 172.24.21.133 --dport 8080 -j DROP
This will block access to the service running on port 8080.
But now, if Joomla, WordPress and PhpMyAdmin are all running on port 80, is there any additional parameter that I can specify to block access only to one service among Joomla, WordPress or PhpMyAdmin? Or shall I assume that if I block access to one service, I will have to compromise on the other two?
iptables does not (to my knowledge) have any module for matching based on the URL inside an HTTP packet. Your better bet would be to use IP-based access control in your webserver configuration. If you are using Apache, you would use rules something like this in an .htaccess file in your Joomla/WordPress/PhpMyAdmin directory:
Order allow,deny
Deny from 172.24.21.133
Allow from all
This will prohibit HTTP access to anything in those directories from that specified IP address. You can also have multiple Deny lines to block multiple IP addresses.

how to redirect apache port 80 to jetty port 8080?

I have a VPS server with a domain example.com, with apache2 listening on port 80.
Then, I have a web app in a Jetty server (running with mvn jetty:run), listening on port 8080.
When I type example.com in a browser, I get an Apache example page: "It works!"
If I write example.com:8080 I get my webapp.
The question is simple: how can I redirect so that when I write example.com I get to my webapp?
I can't change the Jetty port to 80; it gives an error.
The command "sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080" does not have any effect.
So, how can I make Apache redirect 80 to 8080? In sites-enabled/000-default?
Please explain carefully, I'm a newbie with systems ;(
Thank you
EDIT
I solved it with this:
http://czetsuya-tech.blogspot.com.es/2012/07/how-to-port-forward-apaches-80-to.html#.VImt1XvyOPU
But the last line:
RewriteRule ^/(.*) ......:8080/0,81 € [P,L]
makes an error when restarting Apache.
I deleted it and it works fine. Any problem with this? What is RewriteRule?
Using iptables is one possible solution. I don't know much about iptables, but there are a lot of tutorials out there, like this one: http://proghowto.com/iptables-redirect-port-80-to-port-8080
I don't know if that works if you have a running daemon (apache) on the destination port.
The other solution is to use a proxy module in apache to pass requests through to your webapp. On Linux only root users are allowed to use ports below 1000. On Windows you should be able to simply change the port in the jetty configuration.
There are two tutorials I often use; they apply to Apache and Tomcat, but that makes no difference for the Apache side:
https://confluence.atlassian.com/display/DOC/Using+Apache+with+virtual+hosts+and+mod_proxy
https://confluence.atlassian.com/display/STASH/Integrating+Stash+with+Apache+HTTP+Server
This is quite a common setup. Also there is almost no performance impact due to the proxying. Not that a user would notice anything.