I have a Load Balancer provided by DigitalOcean that has a public IPv4, which can be accessed via HTTP and HTTPS by any user (there is no way to block at the source).
To prevent users and scripts from accessing the server directly via IP, I added a rule in the VirtualHost on the Apache servers (VPS).
In my tests, the return is always 403, that is, theoretically the IP access block worked.
But I noticed that there was an access coming from the load balancer's private IP (the VPS's LAN) that returned HTTP 200, that is, the person/script was able to connect successfully (Public-IPv4-Load-Balancer > Local Network > My VPS).
Below is the restriction in the VirtualHost 000-default.conf, for both HTTP and HTTPS (this setting is the same on both Apache servers (VPS)).
    <VirtualHost *:80>
        # No ServerName here, so this is the first (default) vhost for *:80:
        # a request whose Host header matches none of the other *:80 blocks,
        # or that carries no Host header at all, is served from DocumentRoot
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        LogLevel notice core:info
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        # A second ErrorLog in the same block overrides the file above
        ErrorLog syslog:local1
        # Requires mod_headers
        Header append X-FRAME-OPTIONS "SAMEORIGIN"
    </VirtualHost>

    # Only selected when the Host header is exactly the VPS public IP
    <VirtualHost *:80>
        ServerName VPS-PUBLIC-IP
        Redirect 403 /
        ErrorDocument 403 "The operation had an error."
        DocumentRoot /var/www/html
    </VirtualHost>

    # Only selected when the Host header is exactly the load balancer public IP
    <VirtualHost *:80>
        ServerName LOAD-BALANCER-PUBLIC-IPV4
        Redirect 403 /
        ErrorDocument 403 "The operation had an error."
        DocumentRoot /var/www/html
    </VirtualHost>

    <IfModule mod_ssl.c>
        # _default_:443 is the catch-all for every port 443 request
        <VirtualHost _default_:443>
            ServerAdmin webmaster@localhost
            DocumentRoot /var/www/html
            ServerName LOAD-BALANCER-PUBLIC-IPV4
            Redirect 403 /
            ErrorDocument 403 "The operation had an error."
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
            SSLEngine on
            SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
            SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
            </Directory>
        </VirtualHost>
    </IfModule>
This is the access log line of the successful request.
PRIVATE-IP-LOAD-BALANCER - - [15/Jun/2021:11:20:10 -0300] "GET / HTTP/1.0" 200 1223 "-" "https://example.com:Company-Censured Analyze Provide."
Are there any settings on my server that are incorrect?
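The following is an added example, not part of the original question or the poster's configuration: a deliberately simplified model of how Apache chooses a name-based VirtualHost, used to show why the HTTP/1.0 request in the log (which typically carries no Host header) is handled by the first `*:80` block and gets a 200 rather than the 403 the IP-named blocks return. Apache's rule is that, among the vhosts declared for the request's port, the first whose ServerName or ServerAlias matches the Host header wins, and if none matches (or there is no Host header) the first vhost declared for that port is the default. The vhost list mirrors the three `*:80` blocks from the question, the request set is constructed, and the hostnames are the question's placeholders plus `example.com` as an assumed stand-in for the real site name; the model ignores the implicit ServerName a block without one inherits from the machine hostname.

```python
# Added example (not from the original post): simplified model of Apache
# name-based <VirtualHost> selection, to show which block handles a request
# with a missing or unrecognised Host header under the posted vhost order.
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class VHost:
    label: str              # free-form description of the block
    port: int               # port from the <VirtualHost *:port> spec
    server_names: tuple     # ServerName plus any ServerAlias values, () if none
    status: int             # 200 = serves DocumentRoot, 403 = "Redirect 403 /"


@dataclass(frozen=True)
class Request:
    port: int                       # port the request arrived on
    host_header: Optional[str]      # Host header value, None if absent (HTTP/1.0)


def normalise_host(value: str) -> str:
    """Apache compares Host to ServerName case-insensitively, ignoring :port."""
    host = value.strip().lower()
    if host.startswith("["):                    # bracketed IPv6 literal, e.g. [::1]:80
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def select_vhost(vhosts: Sequence[VHost], req: Request) -> Optional[VHost]:
    """First vhost for this port whose names match Host wins; with no match,
    or no Host header at all, the first vhost declared for the port is used."""
    candidates = [v for v in vhosts if v.port == req.port]
    if not candidates:
        return None
    if req.host_header is not None:
        wanted = normalise_host(req.host_header)
        for v in candidates:
            if wanted in (n.lower() for n in v.server_names):
                return v
    return candidates[0]        # default vhost = first one declared for this port


# The three *:80 blocks from the question, in file order. The first has no
# ServerName, so it matches nothing by name and is simply the port 80 default.
POSTED_VHOSTS = (
    VHost("000-default (DocumentRoot)", 80, (), 200),
    VHost("VPS-PUBLIC-IP block", 80, ("VPS-PUBLIC-IP",), 403),
    VHost("LOAD-BALANCER-PUBLIC-IPV4 block", 80, ("LOAD-BALANCER-PUBLIC-IPV4",), 403),
)

# Same intent, reordered: a catch-all 403 block declared first becomes the
# default, and content is served only when Host names the site. "example.com"
# is an assumed placeholder for the real site name.
REORDERED_VHOSTS = (
    VHost("catch-all 403 (default)", 80, (), 403),
    VHost("site", 80, ("example.com", "www.example.com"), 200),
)

# Constructed requests: the poster's direct-IP tests, a Host-less HTTP/1.0
# request like the scanner in the log, an unrecognised Host, and the site name.
REQUESTS: Dict[str, Request] = {
    "direct-ip": Request(80, "VPS-PUBLIC-IP"),
    "lb-public-ip": Request(80, "LOAD-BALANCER-PUBLIC-IPV4"),
    "http10-no-host": Request(80, None),
    "unknown-host": Request(80, "PRIVATE-IP-LOAD-BALANCER"),
    "site-name": Request(80, "example.com:80"),
}


def outcome(vhosts: Sequence[VHost], req: Request) -> Optional[int]:
    """HTTP status the selected vhost would answer with, None if no vhost for the port."""
    v = select_vhost(vhosts, req)
    return v.status if v is not None else None


def audit(vhosts: Sequence[VHost]) -> Dict[str, Optional[int]]:
    """Status each constructed request would receive under the given vhost order."""
    return {name: outcome(vhosts, req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for title, vh in (("posted order", POSTED_VHOSTS), ("catch-all first", REORDERED_VHOSTS)):
        print(title)
        for name, status in audit(vh).items():
            print(f"  {name:16} -> {status}")
```

Running it prints, for the posted order, 403 for the two IP-named Host values but 200 for the Host-less HTTP/1.0 request and for any Host value the IP-named blocks do not list, which is the path the logged request took through the load balancer; with the catch-all block declared first, only a request naming the site gets 200.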