I know this may be very basic, but I have a website on my server that I would only like to be accessed by VPN. I have OpenVPN running on my Windows machine and it is connecting to my server with the VPN. When the VPN connects I can use the VPN's IP address to hit the site on my server. I would like to block all other methods such as the actual site IP or my domain name. Would I use htaccess? What is normally done for private access only?
Let's say that your server's VPN IP is 10.1.2.3; then you should add this to your Apache configuration:
Listen 10.1.2.3:80
so that you will bind Apache - i.e. will accept incoming requests - only to that address.
Also:
The Listen directive does not implement Virtual Hosts - it only tells
the main server what addresses and ports to listen on. If no
<VirtualHost> directives are used, the server will behave in the same
way for all accepted requests. However, <VirtualHost> can be used to
specify a different behavior for one or more of the addresses or
ports. To implement a VirtualHost, the server must first be told to
listen to the address and port to be used. Then a <VirtualHost>
section should be created for the specified address and port to set
the behavior of this virtual host. Note that if the <VirtualHost> is
set for an address and port that the server is not listening to, it
cannot be accessed.
i.e. you could leave the original listen directive (listen to all interfaces) and filter the access per virtual host having your "private" virtual host configured like that:
<VirtualHost 10.1.2.3:80>
see http://httpd.apache.org/docs/2.4/bind.html
Finally if for some reason you are restricted to .htaccess only, then you could do in .htaccess:
Order Deny,Allow
Deny from all
Allow from 10.1.2.1/24
i.e. allowing access only from your vpn subnet.
Take care that you will need to restart the web server after every change.
I have Windows Server 2019 with IIS 10 installed and IP and domain restriction enabled (IP range 10.0.0.1 => 10.0.0.240, domain name: lo-server.com).
The problem I am facing is this: when I add a local IP address (on the same network as the server, for example 10.0.0.66) to the deny list, it works perfectly and denies access.
But when I add an IP address outside the network (192.168.20.10), which is connected through a firewall (FortiGate, 10.0.0.200), the restriction doesn't work. I would need to add the firewall IP to deny it, which I don't want to do because I would block all the ranges that are connected to the firewall.
How can I deny access to another network without adding the firewall?
Microsoft considered the simplest case for you and implemented the so-called Proxy mode, which you might try out:
https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-dynamic-ip-address-restrictions#configuring-iis-for-proxy-mode
Deep down, it checks the x-forwarded-for header to see whether the incoming HTTP requests came through a proxy (the firewall in your case) and then applies the rules to decide whether to deny any request.
However, a real-world proxy can manipulate the incoming requests in too many ways, so the proxy mode might fail you and you will have to switch to something like the URL Rewrite module and write a more complicated rule to abort the desired requests.
You can use the IP Address and Domain Restrictions feature page to define and manage rules that allow or deny access to content for a specific IP address, a range of IP addresses, or a domain name or names.
Opens the Add Deny Restriction Rule dialog box from which you can define rules that allow access to content for a specific IP address, a range of IP addresses, or a DNS domain name.
For more information, you can refer to this link: IP Address and Domain Restrictions.
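The proxy-mode decision described in the first answer above, as an added Python sketch that is not part of the original thread and is not IIS's own logic. It assumes the firewall at 10.0.0.200 inserts an X-Forwarded-For header; the names TRUSTED_PROXIES, DENY_RULES, effective_client and is_denied are hypothetical, and the addresses are the ones from the question.

```python
import ipaddress

# Constructed sample values taken from the question's scenario (assumptions).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.200")}       # the firewall
DENY_RULES = [ipaddress.ip_network("10.0.0.66/32"),
              ipaddress.ip_network("192.168.20.10/32")]


def _parse_hop(hop):
    """Parse one X-Forwarded-For entry; tolerate an 'a.b.c.d:port' suffix."""
    hop = hop.strip()
    if hop.count(":") == 1:           # IPv4 with a port appended by some proxies
        hop = hop.split(":", 1)[0]
    return ipaddress.ip_address(hop)  # raises ValueError on junk


def effective_client(peer, xff=None):
    """Address the deny rules should see, or None if it cannot be determined."""
    peer_ip = ipaddress.ip_address(peer)
    # The header is client-controlled, so honour it only from a known proxy.
    if peer_ip not in TRUSTED_PROXIES or not xff:
        return peer_ip
    # Each proxy appends the address it saw, so walk right to left and stop
    # at the first hop that is not one of our own proxies.
    for hop in reversed(xff.split(",")):
        try:
            ip = _parse_hop(hop)
        except ValueError:
            return None               # malformed header from the proxy
        if ip not in TRUSTED_PROXIES:
            return ip
    return peer_ip


def is_denied(peer, xff=None):
    """True when the request should be refused under DENY_RULES."""
    client = effective_client(peer, xff)
    if client is None:
        return True                   # fail closed on an unparseable header
    return any(client in net for net in DENY_RULES)
```

Without the header, a request from 192.168.20.10 arrives with peer 10.0.0.200 and passes the deny list, which is the behaviour the question describes.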
I've bought a .com domain from a provider on the internet. But, I want to host it locally.
I know that I can host a local web by using XAMPP or WAMP, but I want to make it accessible on the internet.
I also know that we could host a web to be accessible on the internet like ngrok, serveo, etc.
But I want it with the .com domain that I bought. Is this possible? How? Are there any references?
Thanks in advance ^_^
It seems to me you are asking 1. if it is possible to map a DNS entry such that traffic to the URL would be directed to a server in your personal network, and 2. if it is possible, how to do it.
The answer to the first question is yes, it is possible. The second question is difficult to answer because it depends on many factors such as your ISP, country, your web host provider's rules and services, etc.
First, you must determine two IP addresses:
The public IP address for your network (whatismyip.com)
The private IP address of the local machine which will host your website (typically 192.168.0.x)
Then, you must enable port forwarding in your router configuration, such that any requests to port 80 and/or port 443 on the external interface (public) will be forwarded to the internal port on which your website is hosted. If done properly, putting the public IP in your browser will take you to the website you are hosting locally.
Once you verify access via public IP, then you must go into your DNS entries on your domain host and create a CNAME record which points your root domain (www.yourwebsite.com) to your public IP address. That will route all traffic to your .com to your local server.
I do NOT recommend doing this however, and would caution against it, because it leaves your local server/network open to the public, and makes your domain vulnerable to things such as spoofing etc. To do it properly, you should obtain a security certificate for your domain through a Certificate Authority (CA) - generally, you can request a certificate via your domain hosting service. Once you have a certificate, you must upload the key to your server and configure your web application/hosting service to use the certificate, and then change your port forwarding to use 443 instead.
This is a very complex topic that takes time to learn, and your question is extremely non-specific. There is no good place to start really, and no shortage of information/resources available online. To start, you need to understand how your DNS works. For any local webhosting, port forwarding is important to learn. You should also determine if your ISP blocks the forwarding of certain external ports, which effectively disables any private webhosting.
Currently I have an https website set up locally on the Azure VM with a custom hostname, <websitename>.<domainname>.com, bound to the localhost address 127.0.0.2 in hosts.etc, on port 443.
Consider example hostname as web.microsoft.com
Website bindings in IIS are
type:https
hostname:web.microsoft.com
port:443
IP Address:127.0.0.2
Hosts.etc
127.0.0.2 web.microsoft.com
In order to access it locally on the VM itself https://web.microsoft.com/admin/login.aspx works fine.
Port 443 is open on the Azure VM and inbound firewall rule is set in windows to allow connections on 443
If I try to access it outside of the network using the public IP address this doesn't work
eg https://45.60.200.110/admin/login.aspx.
I have other non-https websites which work fine and can be accessed through the public IP; the only difference is that they do not have a hostname in the IIS website bindings.
Am I missing something or do I need to make some additional config?
That's the problem.
The customized hostname cannot be accessed through the external network. Because the public network does not know this hostname, nor does it bind the hostname to your IP.
For example, you can enter other custom host names at will in the browser, and you will find the same error displayed.
The solution is that you need to purchase an available public domain name from the domain name provider and bind it to IP address.
If you insist on using a custom domain name, it can only be used on the internal network. In addition to the configuration made on the server side, you also need to add the host name and IP address to the hosts file of the client machine.
45.60.200.110 web.microsoft.com
My domain "https://example.com" forwards to my web server IP, e.g. "0.0.0.1".
Is it possible that when I call the domain like "tcp://example.com:1234" to forward the request to a different IP like "0.0.0.2:1234"? Or is the only way to use a subdomain?
Thank You!
Is it self-hosted, or a shared host at a service provider?
If it's self-hosted:
Someone receives your internet connection; in a business environment we usually use a firewall, so you just need to create/configure (on the firewall) your "NAT rules" to work as you need with specific ports and IPs.
If it's a service provider:
You must check whether they allow NAT configuration (it can be called port forwarding or publish rules).
Is it possible to change the URL used to access my local NodeJS server?
For instance, I have a Node server running on port 3000, so I can access this server directly through:
http://localhost:3000/
And other users on my network can access it through:
http://[MY_IP_ADDRESS]:3000/
Is it possible to forward this server to a local URL, like http://example/
I know that, in order to remove the port from the URL, I need to bind the app on port 80, but I can't find anything about changing the URL.
To be honest, it's not very clear what you want or what your set-up is. Do you use a local computer or a server in a local network?
If you want a URL isolated to your local network, that's not possible, since the URL protocol forwards requests from a domain name to a certain IP address.
If you want only internal access in your local network, you only need to know your local IP address and make sure your firewall allows local connections. Depending on your OS, run an IP check in the CLI and voila - that's your IP.
If you want external connections, then you need to have a static IP address, which you should obtain from your internet provider, and afterwards you need to alter your router settings and set up port forwarding to your local machine. It will then listen for external connections on a certain port and forward them to your local machine where Node.js listens (itself or through a web server). Here you can point your domain name via an A record to the static IP address of your router and port-forward to the local machine.
Check out this guide for most routers for external port-forwarding.
UPD: checkout this answer