iptables drop host domain not in list - linux

I would like to block any traffic that does not come for the websites hosted on my VPC.
My Server's IP address is 1.2.3.4 which hosts 3 websites.
Following requests should be allowed:
http://example1.com or https://www.example1.com
http://example2.com/ or https://www.example2.com
http://example3.com/ or https://www.example3.com
Following requests should be blocked (including server's IP address):
http://1.2.3.4/ or https://1.2.3.4/
http://anyotherdomain.com/ or https://anyotherdomain.com/
List of allowed Host names could be read from a text file which I could update as and when required.
Is this feasible? If yes, what are the pros and cons? If not, thank you for the information.
Cheers

You can't do that in iptables as you would like to.
What you have aren't 3 real different hosts, but 3 virtual hosts: the main difference, as you already know, is that they share the same IP address.
As they share the same IP, kernel's netfilter just can't distinguish different requests from its layer: it's your web server application itself that "routes" the different requests to its proper website by looking at the "Host:" header inside the incoming HTTP packet and by determining which virtualhost should reply to it.
A good compromise (denying instead of dropping) for what you want to do would be to set up a configuration in your web server to make it catch and deny any connection that doesn't belong to your virtual hosts. Also there's no need to maintain a separate list this way, as your web server can dynamically determine whether the requested host exists or not.
Here's an example, assuming you're running Apache. Adding the catch-all block at the top will make your server respond with a 403 to any connection that isn't claimed by one of your example.com websites:
# Must be the first <VirtualHost>: Apache uses the first one as the default
# for any Host header (or bare IP) that matches none of the named sites below
<VirtualHost *:80>
ServerName catchall
<Location />
Order allow,deny
Deny from all
</Location>
</VirtualHost>
<VirtualHost *:80>
ServerName example1.com
# The www name must be listed too, or it falls through to the catch-all
ServerAlias www.example1.com
DocumentRoot /var/www/example1
<Directory /var/www/example1>
AllowOverride All
Order allow,deny
allow from all
</Directory>
</VirtualHost>
...
VirtualHost for example2.com (allowing all as above)
VirtualHost for example3.com (allowing all as above)
That's not the same as dropping right from the kernel of course, but it stops any further interaction with your server as well.

Related

Change name of local web service

I set up a local guacamole server for people in my work to access several VMs that we have running in the server. In order to access guacamole they have to type http://ip:port/guacamole or, after the host override I did in my pfsense DNS resolver, http://guac.loc:port/guacamole. The problem is that even that is sometimes problematic for some of them, so I want to do something like http://guac.loc so they can remember it easily. I did it for some with the hosts file but I can't do different functionalities for some of them. So can anyone help on how to do that? Can I do it somehow from the web server? Or do I need to set up a DNS server?
If I understand correctly, you want to have a "simpler" URL, without the port and the "guacamole" path.
Guacamole by default runs under Tomcat on port 8080. However, you can put Apache in front of Tomcat and proxy requests to guacamole. Apache can proxy and forward all requests to Guacamole on the given port and path.
Something like the example below should work and will also redirect all http requests to https. It is not mandatory to have SSL enabled; you can proxy http as well.
# Requires mod_ssl, mod_proxy and mod_proxy_http to be enabled
<VirtualHost *:80>
ServerName guac.loc
# Send every plain-HTTP request to the HTTPS site
Redirect permanent / https://guac.loc/
</VirtualHost>
<VirtualHost *:443>
ServerName guac.loc
SSLEngine on
SSLCertificateFile /etc/ssl/certs/guac-loc.cer
SSLCertificateKeyFile /etc/ssl/private/guac-loc.key
SSLCACertificateFile /etc/ssl/certs/guac-loc-ca.crt
<Location /guacamole/>
# Forward to Tomcat on the loopback interface; flushpackets keeps the
# Guacamole tunnel responsive instead of buffering the stream
ProxyPass http://localhost:8080/guacamole/ flushpackets=on
ProxyPassReverse http://localhost:8080/guacamole/
Order allow,deny
Allow from all
</Location>
</VirtualHost>

Why is my httpd.conf setup routing to https?

I have a number of domains, each one pointing to my server IP.
I've pinged each domain to check the DNS; that's fine, all domains are pointing to the correct server.
All my domains route through the httpd.conf correctly via HTTP, except one domain where for some reason the HTTP <VirtualHost *:80> entry is forwarding to https (https://preprod.testsite.org.uk). For security, this isn't the real URL.
Why would this entry fail when the others are fine?
Is there some way of debugging or tracing through the request from the DNS through to the server, through to the httpd.conf?
<VirtualHost *:80>
DocumentRoot "/var/www/html/testsite/production"
ServerName preprod.testsite.org.uk
<Directory /var/www/html/testsite/production>
DirectoryIndex index.php
order allow,deny
allow from all
AllowOverride all
</Directory>
</VirtualHost>
DNS has nothing to do with HTTP to HTTPS redirection.
Test it using curl (-v option) and check if the server is sending a Location header to the client telling it to connect over HTTPS.
If curl says there's no redirection to https, it might be the application itself telling the client to connect over https OR, maybe, some entry in the browser's HSTS cache.

apache2 - security concern - no virtual host for specific domain

Can it be dangerous to let domains be linked to your apache2 without a virtual host to catch them? Is it possible to configure apache to reject unknown domains?
e.g. a domain is not referenced in a virtual host, therefore when apache2 answers to it, it takes the first virtual host referenced on the server.
The same way, when we enter the IP address of the server, the first VH is taken to answer the request.
Generally I would not consider it "dangerous", it more comes down to how do you want your server to behave. Personally, unless there is a reason not to do so, I always block unknown domains.
Apache can reject undefined domains by simply putting a "catch all" domain at the top of the virtual hosts configuration file (or, in case you are using multiple conf files, in the alphabetically first file), and configuring that domain to unconditionally respond with 403 (or you can configure any other response you find suitable):
# First <VirtualHost> = default for any Host header that matches no other block
<VirtualHost *:80>
ServerName default
# mod_rewrite must be enabled per virtual host or the rule below is ignored
RewriteEngine On
# Match every request and answer 403 Forbidden
RewriteRule ^ - [F]
</VirtualHost>
<VirtualHost *:80>
ServerName example.com
# ...
</VirtualHost>
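Both this answer and the iptables answer above make the same point: the decision is taken inside the web server from the Host header, not by netfilter. As an added illustration (not code from either answer), here is a minimal Python listener that applies exactly that check using an allow-list read from a text file, as the first question asked for; the file name hosts.allow.txt and port 8080 are assumptions.

```python
import ipaddress
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

def load_allowed_hosts(text):
    """Parse the allow-list text: one hostname per line, '#' comments and blanks ignored."""
    allowed = set()
    for line in text.splitlines():
        name = line.split("#", 1)[0].strip().lower().rstrip(".")
        if name:
            allowed.add(name)
    return allowed

def host_allowed(host_header, allowed):
    """True only if the Host header names a configured site (never for a bare IP)."""
    if not host_header:
        return False                      # HTTP/1.0 client that sent no Host header
    host = host_header.strip().lower()
    if host.startswith("["):              # bracketed IPv6 literal, e.g. [::1]:8080
        host = host[1:host.index("]")] if "]" in host else host
    elif host.count(":") == 1:            # hostname:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    host = host.rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False                      # requests for the server's own IP are rejected
    except ValueError:
        return host in allowed

class HostFilterHandler(BaseHTTPRequestHandler):
    allowed = set()                       # filled in by serve()

    def do_GET(self):
        if not host_allowed(self.headers.get("Host"), self.allowed):
            self.send_error(403, "Unknown virtual host")   # same effect as the catch-all vhost
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"served for " + self.headers["Host"].encode() + b"\n")

def serve(list_path="hosts.allow.txt", port=8080):   # both defaults are assumptions
    with open(list_path) as f:
        HostFilterHandler.allowed = load_allowed_hosts(f.read())
    HTTPServer(("", port), HostFilterHandler).serve_forever()

if __name__ == "__main__":
    serve(*sys.argv[1:2])
```

Note that the list is re-read only at start-up; a production reverse proxy or Apache itself would be the place to do this, the script just makes the layer-7 decision visible.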

Unable to create URL with wampserver

I am trying to create a URL for a site hosted through wampserver, but no matter what I do I am unable to get the URL to work. The site is online because I am able to connect through the server's IP address, though.
(I should also mention that this site is only available on an intranet)
hosts file:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
127.0.0.1 localhost
127.0.0.1 www.socialclub.com #also tried public/private IP, still only works locally
vhosts.conf:
# Virtual Hosts
#
# Required modules: mod_log_config
# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost *:80>
ServerName localhost
DocumentRoot "E:\Data\Users Apps\wamp\www\socialclub"
</VirtualHost>
<Directory "E:\Data\Users Apps\wamp\www\socialclub">
AllowOverride All
Order Allow,Deny
Allow from all
Options Indexes FollowSymLinks Includes ExecCGI
</Directory>
<VirtualHost *:80>
DocumentRoot "E:\Data\Users Apps\wamp\www\socialclub"
ServerName www.socialclub.com
</VirtualHost>
Every guide I've looked at says that this should work, but it only works locally. What do I need to do for the URL to work from other computers?
Ok, I think the problem is you are not understanding what the HOSTS file is used for and what its scope is.
The HOSTS file only affects the single PC that it lives on. It is used to seed the Windows DNS cache at boot time. So whatever you put in this file will have no effect on any other PC in your intranet.
There are a couple of solutions. Let's assume your PC running WAMPServer has the IP address 192.168.1.10:
1. You could go to each PC in your intranet and make this change to the HOSTS file on each PC:
192.168.1.10 socialclub.com
People normally think this is too much hassle, especially if they have more than 5-6 PCs to modify.
2. You could install a local DNS server, or make use of an existing local DNS server. Then, as long as all the PCs in your intranet are using that DNS server, you add the domain name to that DNS server.
People normally think this is a good idea, but it can be quite complicated to get this right and not lose access to the real DNS servers out there on the web.
A couple of changes I would suggest to your httpd-vhost.conf file
First, leave localhost pointing to the original wampserver homepage, but only allow access from the PC running WAMPServer. The tools on the homepage can be very useful for debug/diagnostics/etc, but only allow access to localhost from the PC running WAMPServer.
Second, put the <Directory></Directory> block inside the Virtual Host definition. This allows you to make each virtual host's security specific to that virtual host.
# Should be the first VHOST definition so that it is the default virtual host
# Also access rights should remain restricted to the local PC and the local network
# So that any random ip address attack will receive an error code and not gain access
<VirtualHost *:80>
DocumentRoot "c:/wamp/www"
ServerName localhost
<Directory "c:/wamp/www">
AllowOverride All
Require local
</Directory>
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "E:\Data\Users Apps\wamp\www\socialclub"
ServerName www.socialclub.com
<Directory "E:\Data\Users Apps\wamp\www\socialclub">
AllowOverride All
Options Indexes FollowSymLinks Includes ExecCGI
# assuming your subnet equates to this range
# and you are using Apache 2.4.x
# it's not necessary to allow access from all in an intranet
# in fact it might be dangerous
Require ip 192.168.1
</Directory>
</VirtualHost>

virtualhost without real domain name

I have this configuration for my virtual host and it runs with real domains. For testing purposes I need to create the same virtual host with a non-real domain (i.e. domain10). Considering that the browser checks the domain name of the virtual host, I think of using something like 127.0.0.1. But I have no idea how to realize this.
<VirtualHost *:80>
ServerAdmin info#domain10.org
ServerName domain10.org
ServerAlias domain10.org
DirectoryIndex index.html index.htm index.php
DocumentRoot /home/domain10.org/
<Directory /home/domain10.org/>
Options -Includes -Indexes -FollowSymLinks -ExecCGI +MultiViews
AllowOverride none
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
You can use the /etc/hosts file for this purpose. There should already be a line in it beginning with 127.0.0.1. Just add domain10.org to the list of hosts that resolve to this address.
For example, if the existing line is:
127.0.0.1 localhost localhost.localdomain
Just extend it to:
127.0.0.1 localhost localhost.localdomain domain10.org
Then (on this machine only) domain10.org will resolve to 127.0.0.1. If you are testing on the same machine, you can enter http://domain10.org/ in your browser to reach your local web server.
If you need to reach this host over the Internet, then a different approach is needed. Look for a line for the external IP address of the server in its /etc/hosts file and modify it similar to the above instructions. If such a line does not exist, add one.
On the client machine, do the same (using /etc/hosts for a Linux box or %WINDIR%\system32\drivers\etc\hosts for a Windows box). You should then be able to reach the server from the client using this name.
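The hosts-file edit described in this answer (and in the first option of the WAMPServer answer above) is easy to get wrong when a line for the address already exists or when the name is already mapped elsewhere in the file. As an added example, not from either answer, here is a small Python helper that performs the edit idempotently on the file's text; the script name and the command-line usage are assumptions.

```python
import sys

def add_hosts_entry(hosts_text, ip, name):
    """Return hosts_text with `name` resolving to `ip`.

    Extends an existing line for `ip` (as the answer describes), appends a new
    line if there is none, leaves the text unchanged when the entry is already
    there, and strips `name` from any line with a different address so that an
    older mapping higher up cannot shadow the new one (first match wins).
    """
    name = name.lower().rstrip(".")
    out, done = [], False
    for line in hosts_text.splitlines():
        body, sep, comment = line.partition("#")
        fields = body.split()
        names = [f.lower() for f in fields[1:]]
        tail = (" " + sep + comment) if sep else ""   # keep any trailing comment
        if fields and fields[0] == ip and not done:
            if name not in names:
                line = body.rstrip() + " " + name + tail
            done = True
        elif fields and name in names:
            kept = [f for f in fields[1:] if f.lower() != name]
            if not kept:
                continue                  # stale line held only this name: drop it
            line = " ".join([fields[0]] + kept) + tail
        out.append(line)
    if not done:
        out.append(f"{ip} {name}")        # no line for this address yet
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # assumed usage: python add_hosts_entry.py /etc/hosts 127.0.0.1 domain10.org
    path, ip, name = sys.argv[1:4]
    with open(path) as f:
        updated = add_hosts_entry(f.read(), ip, name)
    with open(path, "w") as f:
        f.write(updated)
```

On Windows point it at %WINDIR%\system32\drivers\etc\hosts instead; in both cases the file is only writable by an administrator or root.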