I'm thinking of blocking access to every part of my site other than these (SSH/HTTP). Is this a good idea? [closed] - apache

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
I think this should be standard for everybody to do anyway, but maybe I'm missing something.
I want to block access to my site through every port/method/protocol except a select few methods:
This includes blocking use of the IP address rather than the domain name. So visits to 123.55.123.66 and ssh://123.55.123.66 will always fail.
Also, blocking all FTP access
These only will be allowed:
(1) http://domain.com
(2) https://domain.com
(3) ssh://ssh-access.domain.com
So SSH is only available at this subdomain, so people can't hit SSH from the IP or the same domain that is publicly available.
Also, http://ssh-access.domain.com would fail.
No access to FTP, Telnet anything.
Is this a good idea?
Because I can't even think of all the different ports/protocols available, I think it's best to block all except the above listed (rather than block all FTP, SSH etc.).
Also, if anyone has any pointers as to how I would code this, that would be great. I'm guessing it's best to do it in Apache (or Ubuntu).

You cannot "visit" ssh://123.55.123.66 in the proper sense (i.e. with a web browser) and, although some file browsers offer this extension, Apache is not involved in the connection (instead, the SSH daemon is). Moreover, the SSH daemon has no notion of "(sub)domain".
That said, you can configure the SSH daemon to listen only on the "remote access" IP address (bind it to that address).
For the website, you can adapt the appropriate ModSecurity rules to deny access to people/bots trying to access the website by IP address rather than by web address.
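The Apache half of that advice does not need ModSecurity at all: Apache hands any request whose Host header matches no named vhost to the first-defined vhost for that address and port, so a deny-everything catch-all defined first answers the bare IP, ssh-access.domain.com and scanner traffic with 403. This is an added example, not code from the answer; the file paths, log location and the empty DocumentRoot directory follow the Debian/Ubuntu layout and are assumptions.

```apacheconf
# /etc/apache2/sites-available/000-default.conf: Debian's first-loaded
# site, so this block becomes the default for every unmatched Host header
<VirtualHost *:80>
    ServerName catchall.invalid
    # Create this directory empty; nothing is ever served from it
    DocumentRoot /var/www/empty
    <Location "/">
        # Bare IP, ssh-access.domain.com, random probes: 403 for all
        Require all denied
    </Location>
    # Separate log: every hit here is a request that bypassed the DNS name,
    # which is exactly the traffic worth watching
    CustomLog ${APACHE_LOG_DIR}/catchall_access.log combined
</VirtualHost>

# /etc/apache2/sites-available/010-domain.conf: the only name that is served
<VirtualHost *:80>
    ServerName domain.com
    DocumentRoot /var/www/domain.com
    <Directory "/var/www/domain.com">
        Require all granted
    </Directory>
</VirtualHost>

# Repeat both blocks for *:443. The catch-all there still needs a
# certificate: a request to the bare IP carries no SNI, so the default
# vhost's certificate is what gets presented before the 403 is sent.
# A self-signed one is fine because that vhost never serves content.
```

The SSH half is a ListenAddress line in /etc/ssh/sshd_config naming only the remote-access address, which requires the host to actually have a second address; on a single-address host, restricting port 22 by source address in the firewall is the fallback.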

Related

DNS - Pointing A Record to new IP for SSL Certificate [closed]

Closed 3 years ago.
I have a subdomain sub.domain.co.uk that points to my server IP address, let's say 192.0.2.1; currently this just uses HTTP.
I have a need to make this use HTTPS/SSL, so I have purchased my SSL, but my server host has advised I need to point my URL sub.domain.co.uk to a different IP in order for the SSL to work so I can hook it up in IIS.
So now I need to point sub.domain.co.uk to 192.0.2.2.
So the only way forward I can see is that I go into my DNS settings in 123 reg and change my sub.domain.co.uk A record from 192.0.2.1 to 192.0.2.2
and incur the downtime/propagation that comes with that.
Am I missing something, is there a better way to do this without incurring downtime?
For example, could I just add a second A NAME, for the same sub domain, e.g...
sub 192.0.2.1
sub 192.0.2.2
and in IIS just point my SSL to the second one, or would that confuse browsers?
Any help appreciated in advance
I believe I have solved this myself after a little research.
So I have two websites in IIS with an SSL that are using * as the IP address, meaning use any unassigned IPs.
So when I tried to add the SSL to the second website, it complains, saying that this causes issues with the bindings on the first.
So if I just tick the little box that says 'Require Server Name Indication' on my second IIS bindings (when applying the SSL), it works perfectly.
Great article on Server Name Indication (SNI) below:
https://www.cloudflare.com/learning/ssl/what-is-sni/

OpenVPN access control [closed]

Closed 7 years ago.
Using OpenVPN, I can enable 2-way authentication with certificates, private keys and a CA-certificate.
In my understanding, this only provides authentication (the client is, who he says he is) but not authorization (access control). OpenVPN just assumes that a valid authentication is also an access authorization.
If I now run a second VPN server, using the same CA, will the clients of the first also have access to the second VPN?
If I want to avoid this - clients with keys/certs for the first VPN server should not be able to access the second VPN server (and reverse) - what are my options?
use a different CA for each server (ugly in my opinion)
use an access control list based on the common name (CN) (not so practical)
use firewall / iptables (not so practical)
Am I missing a way to somehow limit access of a certain client to a certain server?
Citing Jan Just Keijser from the OpenVPN forum:
openvpn provides authentication, not access control (authorization), nor should it, in my opinion. The options you mention are the only options you have, unless you also want to throw in username+password control.
You could use a sub-CA (intermediary CA); each client cert would be signed by a specific sub-CA; the clients need only the "root" CA to connect to a server, but the servers can allow access based on the sub-CA used for a client.
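The sub-CA approach needs one hook on each server to turn "which sub-CA signed this client" into an allow/deny decision. OpenVPN's tls-verify directive runs a script once per certificate in the presented chain with two arguments, the depth (0 = client cert, 1 = its issuer, 2 = root) and that certificate's X.509 subject, and drops the client if the script exits non-zero. The script below is an added example, not from the forum thread; the sub-CA common name "vpn1-sub-ca" is a placeholder, and the server config needs "script-security 2" and "tls-verify /etc/openvpn/check-subca.sh" for it to be called.

```sh
#!/bin/sh
# tls-verify hook for the "server 1" OpenVPN instance. Accepts a client
# only if the issuer at depth 1 is this server's sub-CA; the leaf (depth 0)
# and root (depth 2) are still signature-checked by OpenVPN itself.
# Assumed: clients of this server are signed by the sub-CA with this CN.
ALLOWED_ISSUER_CN="vpn1-sub-ca"

# Extract the CN from either subject format OpenVPN may pass:
#   "/C=XX/O=Org/CN=name"  (old style)  or  "C=XX, O=Org, CN=name" (2.3+)
subject_cn() {
    printf '%s\n' "$1" | sed -n 's|.*CN=\([^/,]*\).*|\1|p'
}

# One chain element: returns 0 to accept, 1 to reject
verify_chain_element() {
    depth=$1
    subject=$2
    case "$depth" in
        1)
            # Exact CN match, so "vpn1-sub-ca-rogue" does not slip through
            [ "$(subject_cn "$subject")" = "$ALLOWED_ISSUER_CN" ] && return 0
            return 1 ;;
        *)
            # Other depths: nothing to decide here
            return 0 ;;
    esac
}

# Entry point when OpenVPN invokes the script with <depth> <subject>
if [ "$#" -eq 2 ]; then
    verify_chain_element "$1" "$2"
    exit $?
fi
```

A client whose certificate chains through the other server's sub-CA is refused at the TLS layer, before any tunnel or push options are negotiated, and the rejection appears in the OpenVPN log as a TLS error for that client.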

Can't browse to my EC2 Instance [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 9 years ago.
I've just (about 1 hour ago) associated an Elastic IP to my instance at Amazon EC2. If I SSH into my instance and type lynx localhost I can see that apache is responsive because I see the It works page.
However, if I browse to my instance (both via the IP itself and via the public DNS Amazon has created for me), I get Oops! Google Chrome could not connect to.. bla bla...
Should I wait some more time (in case it's due to some DNS thing) or does this indicate something is wrong?
Thanks in advance
EDIT: When I ssh into my instance, I use the full IP address and it works... (the Elastic IP I mean).
You must configure the firewall to open the HTTP port.
To be more specific, for AWS this is done via Security Groups. You should create one with the ports you need opened. In most cases that's port 80 for TCP.
You can see how to achieve this on the documentation http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
First identify the security group of the EC2 instance.
Next click on the security groups link in the bottom left nav.
Select the security group under which this EC2 instance lies, and add Inbound rules by specifying the port or a custom port range.
For those of you using CentOS (and perhaps other Linux distributions), you need to make sure that its FW (iptables) allows port 80 or any other port you want.
See here on how to completely disable it (for testing purposes only!).
And here for specific rules

How to expose my localhost to the WWW? (port forwarding?) [closed]

Closed 5 years ago.
I am running Apache/php on my localhost and would like to be able to make this publicly accessible from the internet.
I think this is achieved by port forwarding? Can someone point me in the right direction?
Well sir, you should try ngrok; it is free and works with everything that I throw at it (node servers, xampp etc.)
It depends on the connection you have.
If your machine has a public IP address, it's on the Internet already. Then all you need is to allow connections to port 80, both on the local firewall and the home/corporate firewall.
If your machine is behind a set-top-box, or inside a corporate network, chances are that you're not on the Internet. In some instances, a router does NAT (Network Address Translation) between a local (non-routable) network and the Internet. In this particular case, you need to set up port forwarding on the set-top-box or router.
You might want to check out Pagekite - it's an open-source software that allows you to expose your local resources to the outer internet without you needing to reconfigure your router or firewall.
There's a similar service called Show off which does much the same thing, although it seems a bit more limited.
You could try beame-insta-ssl, it's a good way to get free tunneling services and a free SSL certificate to expose your localhost. It's open source on git here: https://github.com/beameio/beame-insta-ssl/
Only port forwarding would work, but you would need to connect to your server through its IP.
Take a look at dyndns.com; there you can get a DNS ID that points to your server.
After that you set your router port 80 (HTTP) or 443 (HTTPS) to point to your PC HTTP server port (this can be any port you wish).
It depends on what you mean by localhost. Each system has its own "localhost".
If you mean that you have something like "your system"<-->"gateway/wifi router"<-->Internet, then you should configure port mapping from your router external interface to your server's IP address. Check your gateway/router documentation for more information.
Another tool for port forwarding through OpenVPN or SSH tunnel is https://portmap.io . If you're running multiple vhosts on local Apache, you can set host-header with required hostname.

Hosting a website on a PC using apache(Xampp) [closed]

Closed 9 years ago.
This is what I learned by doing some searching. These things were taken from many places. Please point out any missing things. (I have not yet tried this out, just want to clarify what I'm going to do)
For hosting I need to have a static IP. But my ISP provides dynamic IPs. So I used DynDNS (as Cuga advised in this). I believe this will resolve my dynamic IP problem by mapping the domain name I choose to my current (dynamically assigned) actual IP.
Next is setting up my Xampp server. For this I need my computer's local IP, which I can get using ipconfig (or ipconfig /all for full details) in the Windows command prompt (let's say the local IP is 192.168.1.6). Now I have to edit httpd.conf located in the xampp/apache/conf folder. The "ServerName" field has to be changed to 192.168.1.6:80.
This should allow anyone using the hostname I got from DynDNS to access my computer's xampp/htdocs folder.
Please fill me in if there are missing parts.
Now I want to change the port that my clients can connect to my computer on, and the folder that I am going to host using it.
I know that I have to do port forwarding first and then configure apache to use that port instead of 80. Can someone explain to me how to configure apache to use the new port.
And I want my clients who use the hostname I obtained from DynDNS to access only some folder that I specify (ex: xampp/htdocs/public), while I can access any file in xampp/htdocs using http://localhost/... . I think this is what virtual hosts do. Can someone tell me how to do this.
Are there any solutions to the security issues that might arise and how to do this minimizing security issues?
Thank you.....
1) If you specify ServerName as 192.168.1.6:80, only people who use this server name will be able to access your machine; those on the outside network will not. You should use *:80.
2) To make apache listen on a different port, you need to add a "Listen" directive to your httpd.conf. For example:
Listen 90
and change ServerName accordingly.
3) To let outsiders access only the folders you want them to access, you can protect the rest with an .htpasswd, or you'll have to create a separate virtual host.
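Points 2 and 3 of the answer, done the virtual-host way, as an added example that is not the answerer's code: Listen on port 90 as in the answer, a first-defined vhost for localhost that serves the whole htdocs tree but only to local clients, and a named vhost for the DynDNS hostname that exposes just htdocs/public. The hostname myhost.dyndns.example and the C:/xampp paths are placeholders, and the vhost file location is XAMPP's usual one.

```apacheconf
# xampp/apache/conf/httpd.conf: add the forwarded port next to "Listen 80"
Listen 90

# xampp/apache/conf/extra/httpd-vhosts.conf (included from httpd.conf)

# First vhost = default for port 90. A request whose Host header matches
# no later vhost (e.g. the bare public IP from outside) lands here and,
# because of "Require local", gets 403 unless it comes from this machine.
# http://localhost:90/ still reaches everything under htdocs.
<VirtualHost *:90>
    ServerName localhost
    DocumentRoot "C:/xampp/htdocs"
    <Directory "C:/xampp/htdocs">
        Options -Indexes
        Require local
    </Directory>
</VirtualHost>

# The DynDNS name exposes only htdocs/public to the outside world.
# Nothing above this directory is reachable through this vhost.
<VirtualHost *:90>
    ServerName myhost.dyndns.example
    DocumentRoot "C:/xampp/htdocs/public"
    <Directory "C:/xampp/htdocs/public">
        # No directory listings; visitors only see what you link to
        Options -Indexes
        Require all granted
    </Directory>
</VirtualHost>
```

The router's port-forward then targets port 90 on 192.168.1.6, and XAMPP's own control panel, phpMyAdmin and the rest of htdocs stay reachable only from the PC itself.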