Deny direct IP access to server

How do I deny direct IP access to my server?  I would like to have access only from https://mail.domain.tld not from https://xxx.xxx.xxx.xxx.  Below is the vhost.conf.

#######################################
#OWA Access

NameVirtualHost xxx.xxx.xxx.xxx:443
<VirtualHost xxx.xxx.xxx.xxx:443>
ServerName mail.domain.tld
ServerAdmin hostmaster
DocumentRoot /var/www/webmail

RewriteEngine   On
RewriteRule     ^(http|ftp)://.*        -       [F]
RewriteRule     ^(.*)?/iisadmin/?       -       [F]
RewriteRule     ^(.*)?/samples/?        -       [F]
RewriteRule     ^(.*)?/scripts/?        -       [F]
RewriteRule     ^(.*).ida$              -       [F]
RewriteRule     ^(.*).htw$              -       [F]
RewriteRule     ^(.*)./_vti/_.          -       [F]
RewriteRule     ^(.*).idq$              -       [F]
RewriteRule     ^(.*).exe$              -       [F]
RewriteRule     ^(.*)?/winnt/?          -       [F]

# only reverse proxy [P] exchange directories public, exchweb, exchange
# only proxy letters, numbers, forward slash, dot, underscore, hyphen, space
# other characters can be added as needed (e.g. \=\@\#\$\*\&\%)
RewriteRule ^/public([a-zA-Z0-9/\.\_\-\ ]*)$    https://mail.domain.tld$
RewriteRule ^/exchweb([a-zA-Z0-9/\.\_\-\ ]*)$   https://mail.domain.tld$
RewriteRule ^/exchange([a-zA-Z0-9/\.\_\-\ ]*)$  https://mail.domain.tld$

# send everything else to forbidden
RewriteRule .* - [F]
RewriteLog      /var/log/apache2/rewrite_log
RewriteLogLevel 1

RequestHeader set Front-End-Https "On"
ProxyRequests Off
ProxyPreserveHost On
ProxyVia On
SSLEngine On
SSLCertificateFile /etc/ssl/ssl.crt
SSLCertificateKeyFile /etc/ssl/ssl.key

<Location /exchange>
ProxyPass http://mail.domain.tld/exchange
ProxyPassReverse http://mail.domain.tld/exchange
SSLRequireSSL

</Location>
<Location /exchweb>
ProxyPass http://mail.domain.tld/exchweb
ProxyPassReverse http://mail.domain.tld/exchweb
SSLRequireSSL

</Location>
<Location /public>
ProxyPass http://mail.domain.tld/public
ProxyPassReverse http://mail.domain.tld/public
SSLRequireSSL
</Location>

</VirtualHost>
bdebeliusAsked:
ahoffmannCommented:
NameVirtualHost mail.domain.tld:443
<VirtualHost mail.domain.tld:443>
0

mrielfCommented:
Place this in your httpd.conf

RewriteCond %{HTTP_HOST}   !^mail\.domain\.tld [NC]
RewriteRule ^/(.*)$         https://mail.domain.tld/$1 [L,R]

To redirect all queries to https://mail.domain.tld/

or you can simply deny access, just replace the RewriteRule line with this:

RewriteRule ^/*   - [L,F]
0
bdebeliusAuthor Commented:
I added this after the /winnt/ rule, but I am still able to connect using just the IP address.  Any thoughts?

RewriteRule     ^(.*)?/winnt/?          -       [F]
RewriteCond %{HTTP_HOST}   !^mail\.domain\.tld [NC]
RewriteRule ^/*   - [L,F]
0

ahoffmannCommented:
Rewriting does not solve your problem.
You need to have a name-based (virtual) host; if it is a virtual host, you need to deny access to the primary one (see my suggestion).
0
mrielfCommented:
Stupid question, but was the server restarted?
0
mrielfCommented:
ahoffmann: Why isn't rewriting good? I checked it on my test system and it works well (the difference between the asker's system and mine is that my system isn't secure and is reachable through port 80).
0
bdebeliusAuthor Commented:
Yes, the server was restarted.
0
mrielfCommented:
Then I don't know what is wrong...

I tested this on my system and it worked...

What Apache are you using?
0
samriCommented:
I would personally go with the recommendation from ahoffmann - KISS (Keep It Simple and Stupid).

mod_rewrite would do just fine, but it would tax the server a bit.

Just define a Vhost with "Servername 1.2.3.4" and do the necessary (blocking) there.

NameVirtualHost mail.domain.tld:443

# for the actual server
<VirtualHost mail.domain.tld:443>
  ServerName mail.domain.tld
#...
</VirtualHost>

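# catch the request using IP address
<VirtualHost mail.domain.tld:443>
  Servername 1.2.3.4
  # "Deny" needs "from" and a directory/location context (Apache 2.2 access-control syntax)
  <Location />
    Order deny,allow
    Deny from all
  </Location>
</VirtualHost>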
0
samriCommented:
Another thing to look at would be the "position" of the Vhost container. Apache tends to use the first defined Vhost for requests not matching any other Vhost definition. So, if you had the Vhost for mail.domain.tld as the first Vhost, and the remaining Vhosts defined later in the config section, Apache tends to serve pages from mail.domain.tld for any request it receives that does not match any other defined Vhost.

With this fact, you could rearrange (or create) a default Vhost as the first one in the list, which should take care of *undefined* (Vhost) requests.

This should also work.

0
ahoffmannCommented:
>  Apache tend to use the first defined Vhost for request not matching any other Vhost definition.
samri, look at the question: port 443
(assuming SSL on 443) there could only be *one* vhost in Apache for SSL, anything else is handled by the default server.
0
bugmenotworksdamnitCommented:
I got this to work by using * for the NameVirtualHost. All undefined ServerName's get directed to the first VirtualHost. Knowing this I set up a bogus initial VirtualHost that directed traffic to an empty directory:

NameVirtualHost *

<VirtualHost *>
     # call it 'default' or whatever you like, but there has to be something here
     # (Apache does not allow a comment on the same line as a directive)
     ServerName default
     DocumentRoot /var/www/empty/directory
</VirtualHost>

# all valid virtual hosts come after the default one. you change ServerName and DocumentRoot to fit your situation.

<VirtualHost *>
     ServerName mysite.web.com
     DocumentRoot /var/www/mysite
</VirtualHost>

<VirtualHost *>
     ServerName myothersite.web.com
     DocumentRoot /var/www/myothersite
</VirtualHost>
0
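The "first defined vhost is the default" behaviour that samri and bugmenotworksdamnit describe above can be modelled offline. This is an added example, not code from the thread or from Apache: it is a simplified model that assumes all vhosts share one address and port and ignores TLS, and the address 192.0.2.10 and the helper names are constructed for illustration.

```python
# Added example: simplified model of Apache name-based virtual host selection.
# Assumption: every vhost listens on the same IP:port, so only the Host header decides.
from fnmatch import fnmatchcase

def host_only(host_header):
    """Lowercase the Host header value and strip an optional :port."""
    host = host_header.strip().lower()
    if host.startswith("["):              # bracketed IPv6 literal, e.g. [::1]:443
        return host[: host.find("]") + 1]
    return host.rsplit(":", 1)[0] if ":" in host else host

def select_vhost(vhosts, host_header):
    """Return the vhost that serves the request.

    vhosts is an ordered list of dicts with 'name' (ServerName) and an
    optional 'aliases' list (ServerAlias, may contain * and ? wildcards).
    The first vhost whose name or alias matches wins; if none matches,
    the first vhost in the list acts as the default.
    """
    host = host_only(host_header or "")
    for vh in vhosts:
        if host == vh["name"].lower():
            return vh
        if any(fnmatchcase(host, a.lower()) for a in vh.get("aliases", [])):
            return vh
    return vhosts[0]

# Constructed layouts mirroring the thread (192.0.2.10 is a placeholder address).
MAIL = {"name": "mail.domain.tld", "docroot": "/var/www/webmail"}
CATCH_ALL = {"name": "default", "docroot": "/var/www/empty/directory"}

MAIL_FIRST = [MAIL]                    # only the mail vhost: it is also the default
CATCH_ALL_FIRST = [CATCH_ALL, MAIL]    # bogus default first, real site after it

def served_docroot(vhosts, host_header):
    """DocumentRoot of the vhost that would answer this Host header."""
    return select_vhost(vhosts, host_header)["docroot"]

if __name__ == "__main__":
    layouts = (("mail first", MAIL_FIRST), ("catch-all first", CATCH_ALL_FIRST))
    for label, layout in layouts:
        for host in ("mail.domain.tld", "MAIL.domain.tld:443", "192.0.2.10"):
            print(f"{label:16} Host: {host:20} -> {served_docroot(layout, host)}")
```

With the mail vhost as the only (and therefore first) vhost, a request whose Host header is the bare IP still lands on the webmail content; with the catch-all first, it lands in the empty directory.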
Question has a verified solution.