I have an apache web server where most of my content is hosted, and then I have a node.js server I'm using for various tasks as well. I want users to be able to get information from my node.js server only through reverse proxy from my apache server. I understand how to set up a reverse proxy using mod_proxy on the apache side, but how can I restrict access to the node server except through an apache virtual host? One option I'm sure would work is to host my node server on a separate box and block any ip address except the apache server. Is there a way though that I could have them both running on the same machine and configure node to reject requests except from the apache server?
You could have the running on the same box. In the Node server have something like the following:
if(req.socket.remoteAddress !== '127.0.0.1'){
res.writeHead(403, {"Content-Type": "text/plain"});
res.write('403 Access Denied');
res.end();
} else {
// allow access
doSomething();
}
Of course, that allows other processes on the same box to connect to the Node server.
I've done this using iptables, allowing incoming connections to port 80 for the webserver. Access to port 3000 from the webserver is allowed because it's coming from the same host.
Here's an example rule file:
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows connections for HTTP
-A INPUT -p tcp --dport 80 -j ACCEPT
# Allows SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
Put this file on your server (e.g. /etc/iptables.up.rules), and run the iptables command to update your iptables rules.
iptables-restore < /etc/iptables.up.rules
Related
I'm using Ubuntu and I have my subversion server running as you can see below:
root 31422 1 0 06:45 ? 00:00:00 /usr/bin/svnserve -d -r /var/svn/repos --log-file=/var/log/svnserve.log
I want to whitelist my subversion server, in other words, I want to allow only my IP address to checkout, commit, log, etc. Does svnserve support that?
NOTE: I'm not using Apache to access my subversion.
svnserve listens on TCP port 3690 by default, so you can use any firewalling solution the restrict access to this port. For example with iptables:
# Let the internal network access it
iptables -A INPUT -s 192.168.0.0/8 -p tcp --dport 3690 -j ACCEPT
# Let a specific external IP access it
iptables -A INPUT -s 1.1.1.1 -p tcp --dport 3690 -j ACCEPT
# Drop all the rest
iptables -A INPUT -p tcp --dport 3690 -j DROP
It would however be better security-wise if you would switch to apache + dav_svn as you get SSL encryption and user authentication and it's not too complicated to setup: http://svnbook.red-bean.com/en/1.7/svn.serverconfig.httpd.html
I have an application server with some PHP code on it which needs to access a distant MongoDB server.
In order to do this I want to allow remote access on my MongoDB server, but only for the application server IP.
I understand that I need to change the bind_ip value located in /etc/mongodb.conf in order to do this.
I changed it from bind_ip=127.0.0.1 to bind_ip=111.222.33.44 (where 111.222.33.44 is my application server IP), but it doesn't work (my PHP code says "Connection refused"). However, if I set the value to bind_ip=0.0.0.0, it works. Why? I don't want to let anyone try to connect on my MongoDB server.
The bind_ip tells the mongod on which IP address to listen on for incoming connections. So if you set it to 127.0.0.1, the mongod would only listen on localhost, and – vice versa – you could only connect when on the same machine.
When setting it to a different IP address, each host able to communicate with said IP can connect to MongoDB.
In order to make sure only your application server can talk to your MongoDB instance, you need to configure a firewall either on the server running MongoDB or somewhere in front of it.
As far as I see mongodb only allow you to set a single IP for connection (or 0.0.0.0 for any IP)
What you can do to secure your mongo instance is to use firewall like iptables to only allow specific IP's.
Run the following commands for every IP you want to allow:
iptables -A INPUT -s 111.222.33.44 -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d 111.222.33.44 -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT
and than to block all else (blocked some other ports used by mongodb)
iptables -A INPUT -p tcp --dport 27017 -j DROP
iptables -A INPUT -p tcp --dport 27018 -j DROP
iptables -A INPUT -p tcp --dport 27019 -j DROP
have a look at the Make iptables Rules Persistent section of the mongo guide on how to make those rules survive reboot.
I've installed Confluence on Debian Linux 7.0. It runs on 8081 port (for connector, 8091 is used as TomCat server port). I've configured Apache to act as reverse proxy and serve on https://confluence.<mydomain>.com (SSL is configured on Apache side).
The configuration worked perfect unless I set up firewall rules. It still works as expected but became extremely slow (memory and CPU utilisations are low). Switching firewall off brings the performance back to normal. The set of firewall rules for IPv4 is:
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Allows SSH connections
-A INPUT -p tcp --dport 22 -j ACCEPT
# Allow all HTTP and HTTPS connections
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
IPv6 traffic is completely disabled:
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
COMMIT
I'm using Oracle JVM (1.7), startup options are configured in the following way:
JAVA_OPTS="-Xms512m -Xmx2048m -XX:MaxPermSize=1024m $JAVA_OPTS -Djava.awt.headless=true"
Confluence version is "Confluence 5.4.2 - Standalone (TAR.GZ Archive)", license is Starter (10 users). Database is locally installed PostreSQL.
Anyone has an idea on what I'm doing wrong?
I was trying to reject a specific IP from connecting to my web server, so I used the following command:
# iptables -A INPUT -s 65.55.44.100 -j DROP
# service iptables save
After killing all httpd processes and restarting httpd, the IP is still showing up in netstat in the follwing format:
::ffff:65.55.44.100:port
Shouldn't the new iptable rule deny this IP from connecting?
That is IPv6 and it is managed via ip6tables.
ip6tables -A INPUT -s ::ffff:65.55.44.100 -j DROP
Background Info: I have rooted an android phone and installed droidwall to get access to iptables. The kernel version is 2.6.35.7-perf.
Objective: Test the efficiency of a proxy (on port 8080) from a comparison of the traffic flow with and without the proxy.
I am able to get a test without going through the proxy with the rules from here
Method: I have creating a test website on a single IP address. I am using an application that monitors how many packets/bytes have been transmitted and recieved by the phone.
Problem: Due to unknown background traffic, unwanted packets are being sent and recieved.
Solution: Use iptables to only allow a connection to one website so I can properly monitor the traffic.
How would I go about this?
Try the following:
iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 -j REDIRECT --to-port 8080
iptables -A INPUT -p tcp -s 1.2.3.4 --dport 8080 -j ACCEPT
The first rule should redirect al traffic from 1.2.3.4 to the port 8080, while the second states to accept such packet.
Now you should set on DROP the default policy for INPUT so that every other packet is discarded:
iptables -P INPUT DROP
Be careful. This is a very restrictive rule.