Score:0

One IP resolving two websites - Ubuntu 20.04 configuration to allow a specific domain

cn flag

So, I recently set up a DigitalOcean droplet with Ubuntu 20.04 and the nginx web server. I have one website, say example.com, configured as the default in the nginx settings, and the droplet's IP as a DNS record in the domain's DNS panel.

So example.com is working fine, but unknowingly I put the same IP in another domain, say example1.com, and now both example1.com and example.com open the same website.

So the question arises: any other domain that knows my IP can use it to show the website, which should not be allowed.

I am not clear on what configuration at the OS level or server level has to be done to prevent unwanted domains from using this IP, or how to add a domain on the server so that only specific domains are allowed.

    server {
        listen 80;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 default ssl http2;
        server_name example.com;
        ssl_session_cache  builtin:1000  shared:SSL:10m;
        ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;
        gzip on;
        gzip_static on;
        gzip_types font/woff2 text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
        gzip_proxied  any;
        gzip_vary on;
        gzip_comp_level 6;
        gzip_buffers 16 8k;
        gzip_http_version 1.1;
        # ... remaining directives (locations, certificates) omitted here; the full file is quoted below
    }

Here is the full configuration of nginx:

configuration file /etc/nginx/sites-enabled/ug:

    server {
        listen 80 default_server;
        return 404;
        # return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl http2;
        server_name example.com;
        ssl_session_cache  builtin:1000  shared:SSL:10m;
        # TLSv1 and TLSv1.1 are deprecated; only TLSv1.2 (and TLSv1.3) should remain enabled
        ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;
        gzip on;
        gzip_static on;
        gzip_types font/woff2 text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
        gzip_proxied  any;
        gzip_vary on;
        gzip_comp_level 6;
        gzip_buffers 16 8k;
        gzip_http_version 1.1;
    #   return 404;

        location / {
            index index.html;   # semicolon was missing
            add_header Pragma "no-cache";
            add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
            try_files $uri $uri @universal;
            root /home/winnc/www/us/dist/ecommcerce/server;
        }

        location @universal {
            # port defined in your server.js
            proxy_pass http://localhost:4000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }

        location /admin {
            index index.html;   # semicolon was missing
            add_header Pragma "no-cache";
            add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
            try_files $uri $uri/admin @universal-admin;
            root /home/winnc/www/us/dist/ecommerce-admin/server/dist/ecommerce-admin/browser;
        }

        location @universal-admin {
            # port defined in your server.js
            proxy_pass http://localhost:4001;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }

        location /api/ {
            proxy_pass http://localhost:5000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection keep-alive;
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
            proxy_redirect http://localhost:5000 https://example.com;
            root /home/winnc/www/us;
        }

        location /content/ {
            proxy_pass http://localhost:5000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection keep-alive;
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
            proxy_redirect http://localhost:5000 https://example.com;
            root /home/winnc/www/us;
        }

    #    listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    #    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    #    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }

    #server {
    #    if ($host = example.com) {
    #        return 301 https://$host$request_uri;
    #    } # managed by Certbot
    #
    #   server_name example.com;
    #    listen 80;
    #    return 404; # managed by Certbot
    #}
Score:1
us flag

nginx has a concept of a default virtual host, which is served for HTTP requests that don't have a corresponding virtual host configured.

The exact algorithm for deciding the virtual host to use is described in nginx documentation.

If the two virtual hosts in your question are the only ones configured, then they are also the default virtual hosts for the corresponding ports.

To configure a proper default virtual host, you need to add the following server blocks:

    server {
        listen 80 default_server;
        return 404;
    }

    server {
        listen 443 default_server ssl http2;
        return 404;
    }

This tells nginx to return an HTTP 404 status code for all virtual hosts except the one configured with a server_name.

You also need to remove the meaningless default keyword in the current listen directive, so that it becomes

    listen 443 ssl http2;

Overall, you need to have four server blocks:

  1. default_server for port 80
  2. default_server for port 443
  3. example.com for port 80
  4. example.com for port 443
cn flag
As soon as I change the settings, either both domains get 404 or both work. But I just want one domain to work and the other not.
us flag
Please edit your question and add the output of `nginx -T` so that we see your full configuration.
cn flag
I edited the question
us flag
You need to preserve your original `server` block for HTTP traffic, and add the `default_server` block in my answer separately.
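The exchange above turns on which `server` block nginx picks for a given Host/SNI name and port. The following added example (not from the question, the answer, or nginx itself) models the selection rules the answer points to in the nginx documentation (exact name, longest leading wildcard, longest trailing wildcard, first matching regex, then the port's default server) and applies them to the asker's two-block configuration and to the four-block layout the answer asks for. The `Server` class, the `action` labels and the `asker_config()` / `answer_config()` helpers are constructed for this demonstration; it is a model for reasoning offline, not a replacement for testing the real server.

```python
"""Model of nginx's name-based virtual-host selection (added example, not
nginx code). Use it to predict which server block answers a request for a
given Host name on a given port."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Server:
    """One `server { ... }` block: listen port, server_name entries (empty =
    no server_name), whether `default_server` is set, and a label describing
    what the block does (a hypothetical tag used only by this demo)."""
    listen: int
    server_names: List[str] = field(default_factory=list)
    default_server: bool = False
    action: str = "serve site"


def _expand(names: List[str]) -> List[str]:
    """`.example.com` is nginx shorthand for `example.com` and `*.example.com`."""
    out: List[str] = []
    for n in names:
        if n.startswith("~"):            # regex names keep their case
            out.append(n)
        elif n.startswith("."):
            out.extend([n[1:].lower(), "*" + n.lower()])
        else:
            out.append(n.lower())
    return out


def select_server(servers: List[Server], port: int, host: str) -> Optional[Tuple[Server, str]]:
    """Return (block, rule that selected it) for a request on `port` with
    Host/SNI `host`, or None when nothing listens on that port."""
    candidates = [s for s in servers if s.listen == port]
    if not candidates:
        return None
    host = host.lower().rstrip(".")

    # 1. exact server_name
    for s in candidates:
        exact = [n for n in _expand(s.server_names)
                 if not n.startswith(("*", "~")) and not n.endswith("*")]
        if host in exact:
            return s, "exact server_name"

    # 2. longest wildcard starting with "*." (does not match the bare domain)
    best = None
    for s in candidates:
        for n in _expand(s.server_names):
            if n.startswith("*.") and host.endswith(n[1:]) and (best is None or len(n) > len(best[1])):
                best = (s, n)
    if best:
        return best[0], f"leading wildcard {best[1]}"

    # 3. longest wildcard ending with ".*"
    best = None
    for s in candidates:
        for n in _expand(s.server_names):
            if n.endswith(".*") and host.startswith(n[:-1]) and (best is None or len(n) > len(best[1])):
                best = (s, n)
    if best:
        return best[0], f"trailing wildcard {best[1]}"

    # 4. first matching regular expression, in configuration order
    for s in candidates:
        for n in _expand(s.server_names):
            if n.startswith("~") and re.search(n[1:], host):
                return s, f"regex {n}"

    # 5. the port's default server: explicit default_server, else the first block
    for s in candidates:
        if s.default_server:
            return s, "explicit default_server"
    return candidates[0], "implicit default (first block listening on this port)"


def asker_config() -> List[Server]:
    """The two blocks from the question's sites-enabled/ug, reduced to what matters."""
    return [
        Server(listen=80, default_server=True, action="return 404"),
        Server(listen=443, server_names=["example.com"], action="serve example.com site"),
    ]


def answer_config() -> List[Server]:
    """The four blocks the answer asks for: a 404 default on each port plus example.com on each port."""
    return [
        Server(listen=80, default_server=True, action="return 404"),
        Server(listen=443, default_server=True, action="return 404"),
        Server(listen=80, server_names=["example.com"], action="redirect to https"),
        Server(listen=443, server_names=["example.com"], action="serve example.com site"),
    ]


if __name__ == "__main__":
    for label, cfg in (("asker's config", asker_config()), ("answer's config", answer_config())):
        print(label)
        for port in (80, 443):
            for host in ("example.com", "example1.com"):
                block, rule = select_server(cfg, port, host)
                print(f"  {host}:{port:<4} -> {block.action:<24} via {rule}")
```

Running it shows why the asker saw "both 404 or both work": with only one block on 443, that block is the implicit default for the port, so example1.com:443 is served the example.com site, while on port 80 the lone `default_server` returning 404 catches both names. With a 404 `default_server` on each port and a named example.com block beside it, only the configured name is served. Note that over HTTPS the default server's certificate is also what gets presented to unknown SNI names, so the real test is `curl --resolve` against the live host, which this model does not replace.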