Deny direct IP access to server

How do I deny direct IP access to my server?  I would like to have access only from https://mail.domain.tld not from https://xxx.xxx.xxx.xxx.  Below is the vhost.conf.

#######################################
#OWA Access

NameVirtualHost xxx.xxx.xxx.xxx:443
<VirtualHost xxx.xxx.xxx.xxx:443>
ServerName mail.domain.tld
ServerAdmin hostmaster
DocumentRoot /var/www/webmail

RewriteEngine   On
RewriteRule     ^(http|ftp)://.*        -       [F]
RewriteRule     ^(.*)?/iisadmin/?       -       [F]
RewriteRule     ^(.*)?/samples/?        -       [F]
RewriteRule     ^(.*)?/scripts/?        -       [F]
RewriteRule     ^(.*).ida$              -       [F]
RewriteRule     ^(.*).htw$              -       [F]
RewriteRule     ^(.*)./_vti/_.          -       [F]
RewriteRule     ^(.*).idq$              -       [F]
RewriteRule     ^(.*).exe$              -       [F]
RewriteRule     ^(.*)?/winnt/?          -       [F]

# only reverse proxy [P] exchange directories public, exchweb, exchange
# only proxy letters, numbers, forward slash, dot, underscore, hyphen, space
# other characters can be added as needed (e.g. \=\@\#\$\*\&\%)
RewriteRule ^/public([a-zA-Z0-9/\.\_\-\ ]*)$    https://mail.domain.tld$
RewriteRule ^/exchweb([a-zA-Z0-9/\.\_\-\ ]*)$   https://mail.domain.tld$
RewriteRule ^/exchange([a-zA-Z0-9/\.\_\-\ ]*)$  https://mail.domain.tld$

# send everything else to forbidden
RewriteRule .* - [F]
RewriteLog      /var/log/apache2/rewrite_log
RewriteLogLevel 1

RequestHeader set Front-End-Https "On"
ProxyRequests Off
ProxyPreserveHost On
ProxyVia On
SSLEngine On
SSLCertificateFile /etc/ssl/ssl.crt
SSLCertificateKeyFile /etc/ssl/ssl.key

<Location /exchange>
ProxyPass http://mail.domain.tld/exchange
ProxyPassReverse http://mail.domain.tld/exchange
SSLRequireSSL

</Location>
<Location /exchweb>
ProxyPass http://mail.domain.tld/exchweb
ProxyPassReverse http://mail.domain.tld/exchweb
SSLRequireSSL

</Location>
<Location /public>
ProxyPass http://mail.domain.tld/public
ProxyPassReverse http://mail.domain.tld/public
SSLRequireSSL
</Location>

</VirtualHost>
Asked by bdebelius

1 Solution
 
ahoffmannCommented:
NameVirtualHost mail.domain.tld:443
<VirtualHost mail.domain.tld:443>
 
mrielfCommented:
Place this in your httpd.conf

RewriteCond %{HTTP_HOST}   !^mail\.domain\.tld [NC]
RewriteRule ^/(.*)$         https://mail.domain.tld/$1 [L,R]

to redirect all queries to https://mail.domain.tld/

or you can simply deny access; just replace the RewriteRule line with this:

RewriteRule ^/*   - [L,F]
 
bdebeliusAuthor Commented:
I added this after the /winnt/ rule, but I am still able to connect using just the IP address.  Any thoughts?

RewriteRule     ^(.*)?/winnt/?          -       [F]
RewriteCond %{HTTP_HOST}   !^mail\.domain\.tld [NC]
RewriteRule ^/*   - [L,F]
 
ahoffmannCommented:
Rewriting does not solve your problem.
You need to have a name-based (virtual) host; if it is a virtual host, you need to deny access to the primary one (see my suggestion).
 
mrielfCommented:
Stupid question, but server was restarted?
 
mrielfCommented:
ahoffmann: Why isn't rewriting good? I checked it on my test system and it works well (the difference between the asker's and my system is that my system isn't secure and is reachable through port 80).
 
bdebeliusAuthor Commented:
Yes, the server was restarted.
 
mrielfCommented:
Then I don't know what is wrong...

I tested this on my system and it worked...

What Apache are you using?
 
samriCommented:
I would personally go with the recommendation from ahoffmann - KISS (Keep It Simple and Stupid).

mod_rewrite would do just fine, but it would tax the server a bit.

Just define a Vhost with "ServerName 1.2.3.4" and do the necessary (blocking) there.

NameVirtualHost mail.domain.tld:443

# for the actual server
<VirtualHost mail.domain.tld:443>
  ServerName mail.domain.tld
  #...
</VirtualHost>

# catch the request using the IP address
<VirtualHost mail.domain.tld:443>
  ServerName 1.2.3.4
  # Deny needs a container; "Deny from all" inside <Location /> refuses every path
  <Location />
    Order deny,allow
    Deny from all
  </Location>
</VirtualHost>
 
samriCommented:
Another thing to look at would be the "position" of the Vhost container. Apache tends to use the first defined Vhost for requests not matching any other Vhost definition. So, if you had the Vhost for mail.domain.tld as the first Vhost, and the remaining Vhosts defined later in the config section, Apache would tend to serve pages from mail.domain.tld for any request it received that did not match any other defined Vhost.

With this fact, you could rearrange (or create) a default Vhost as the first one in the list, which should take care of *undefined* (Vhost) requests.

This should also work.

 
ahoffmannCommented:
> Apache tends to use the first defined Vhost for requests not matching any other Vhost definition.

samri, look at the question: port 443.
(assuming SSL on 443) there could only be *one* vhost in Apache for SSL; anything else is handled by the default server.
 
bugmenotworksdamnitCommented:
I got this to work by using * for the NameVirtualHost. All undefined ServerNames get directed to the first VirtualHost. Knowing this I set up a bogus initial VirtualHost that directed traffic to an empty directory:

NameVirtualHost *

<VirtualHost *>
     # call it 'default' or whatever you like, but there has to be something here
     ServerName default
     DocumentRoot /var/www/empty/directory
</VirtualHost>

# all valid virtual hosts come after the default one. you change ServerName and DocumentRoot to fit your situation.

<VirtualHost *>
     ServerName mysite.web.com
     DocumentRoot /var/www/mysite
</VirtualHost>

<VirtualHost *>
     ServerName myothersite.web.com
     DocumentRoot /var/www/myothersite
</VirtualHost>
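Putting the two working suggestions from this thread together (samri's "default Vhost first" ordering and bugmenotworksdamnit's empty catch-all, plus mrielf's Host-header RewriteCond as a second layer), here is a complete configuration for the asker's 443-only case. This is an added example, not a configuration posted by anyone in the thread. It uses the Apache 2.2 directives already on the page (NameVirtualHost, Order/Deny, RewriteLog era); the address 203.0.113.10, the name default.invalid and the paths under /var/www and /var/log/apache2 are constructed placeholders. On Apache 2.2.12+ built against an SNI-capable OpenSSL, name-based vhosts on 443 work the same way as on 80, and the catch-all vhost is what answers a client that connects by bare IP (no SNI, Host header equal to the address).

```apache
# Added example (not from the thread). Apache 2.2 syntax to match the page.
# 203.0.113.10, default.invalid and the paths are constructed placeholders.

NameVirtualHost 203.0.113.10:443

# 1. Catch-all vhost, listed FIRST. Apache sends any request whose Host
#    header (and SNI name) matches no ServerName/ServerAlias for this
#    address:port to the first vhost defined for it, so a request for
#    https://203.0.113.10/ lands here and is refused.
<VirtualHost 203.0.113.10:443>
    # ServerName is mandatory; use a name that is never published in DNS.
    ServerName default.invalid
    # Empty directory; nothing here is ever meant to be served.
    DocumentRoot /var/www/empty

    SSLEngine On
    SSLCertificateFile    /etc/ssl/ssl.crt
    SSLCertificateKeyFile /etc/ssl/ssl.key

    # Refuse every path with 403, including /exchange, /exchweb, /public.
    <Location />
        Order deny,allow
        Deny from all
    </Location>

    # Separate log: every hit here is a client that addressed the server
    # by IP or by an unexpected hostname, which is worth watching.
    CustomLog /var/log/apache2/default_vhost_access.log combined
</VirtualHost>

# 2. The real OWA reverse-proxy vhost, reachable only with
#    Host: mail.domain.tld. The original RewriteRules, ProxyPass and
#    <Location> blocks from the question go inside this block.
<VirtualHost 203.0.113.10:443>
    ServerName mail.domain.tld
    DocumentRoot /var/www/webmail

    SSLEngine On
    SSLCertificateFile    /etc/ssl/ssl.crt
    SSLCertificateKeyFile /etc/ssl/ssl.key

    # Second layer: even if someone later reorders the vhosts, refuse any
    # request whose Host header is not exactly the expected name
    # (optionally followed by :443). Place this before the proxy rules.
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^mail\.domain\.tld(:443)?$ [NC]
    RewriteRule ^ - [F,L]

    # ... existing RewriteRule / ProxyPass / <Location> directives here ...
</VirtualHost>
```

Create /var/www/empty before reloading, then verify both paths from a client: `curl -k -sS -o /dev/null -w '%{http_code}\n' https://203.0.113.10/exchange/` should print 403, while `curl -k -sS -o /dev/null -w '%{http_code}\n' --resolve mail.domain.tld:443:203.0.113.10 https://mail.domain.tld/exchange/` should reach the proxied application (any status other than 403). On Apache 2.4 drop the NameVirtualHost line and replace the Order/Deny pair with `Require all denied`; the vhost ordering logic is unchanged.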