I am managing a subdomain using nginx conf files. I am able to get a working subdomain up, and deny access to it (resulting in 403) by including deny all;. However, when I try to add allow 1.2.3.4; (not posting my real IP address) right above it (this is where I understand you have to put it to allow access to your own IP address), I am still getting 403 when I try to access the subdomain in my browser (in Firefox private mode). I got my IP address through https://www.whatismyip.com/, and I am using the one given under "My Public IPv4 is: ". Is this the correct IP address I should be using? If not, how should I go about finding the right IP address to allow?
Maybe this will help if you want to access your resource via nginx locally. You should put it in the root block of a subdomain.
allow 127.0.0.1;
deny all;
I have nginx with two resources, /public_url and /private_url, behind an Alteon load balancer. I can restrict access to private_url using nginx.conf:
location /private_url {
    include whitelist.conf;
    deny all;
}
Note that public_url remains available from any IP address.
This works when I access nginx directly. However, when I access nginx through Alteon I can only see Alteon's IP address. As a result, I cannot distinguish whitelisted and blacklisted IP addresses.
What is the right way to organize IP filtering to private_url, but serve public_url to everyone when nginx is behind alteon?
A load balancer by default removes all of the client's headers when passing the request to an upstream, including the IP address, and replaces it with the server's IP. In nginx as a load balancer you would add proxy_set_header X-Real-IP $remote_addr;. I'm not sure about Alteon but I found this link explaining how to achieve that: https://support.radware.com/app/answers/answer_view/a_id/15085/~/how-to-insert-x-forwarded-header-for-piped-server-load-balanced-traffic-to-real
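A model of the filtering problem described above, as an added example that is not part of the original posts: allow/deny rules are evaluated first-match against one address, and a forwarded header is read only when the connection comes from a known proxy (in nginx, the ngx_http_realip_module directives set_real_ip_from and real_ip_header configure this). The addresses are constructed: 10.0.0.5 stands in for the load balancer and 203.0.113.0/24 for the contents of whitelist.conf.

```python
import ipaddress

# Constructed sample values: 10.0.0.5 stands in for the load balancer,
# 203.0.113.0/24 for the contents of whitelist.conf.
TRUSTED_PROXIES = ["10.0.0.5/32"]
PRIVATE_URL_RULES = [("allow", "203.0.113.0/24"), ("deny", "all")]


def first_match(rules, addr):
    """nginx allow/deny semantics: rules are checked in order, first match wins."""
    ip = ipaddress.ip_address(addr)
    for action, spec in rules:
        if spec == "all" or ip in ipaddress.ip_network(spec):
            return action
    return "allow"  # no rule matched, so nothing blocks the request


def _trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in TRUSTED_PROXIES)


def client_address(peer, xff=None):
    """Address to filter on: the TCP peer, unless the peer is a trusted proxy.

    Only then is X-Forwarded-For read, and the right-most entry that is not
    a trusted proxy is used, because entries to its left are client-supplied.
    """
    if not xff or not _trusted(peer):
        return peer
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            if not _trusted(hop):
                return hop
        except ValueError:
            return peer  # malformed entry: fall back to the peer address
    return peer


def decide(peer, xff=None):
    return first_match(PRIVATE_URL_RULES, client_address(peer, xff))


if __name__ == "__main__":
    print(decide("203.0.113.7"))                            # direct, whitelisted
    print(decide("10.0.0.5"))                               # via LB, no header
    print(decide("10.0.0.5", "203.0.113.7"))                # via LB, header set
    print(decide("10.0.0.5", "203.0.113.7, 198.51.100.9"))  # right-most hop wins
```

Without the header every request through the load balancer is judged as 10.0.0.5, which is why the whitelist stops distinguishing clients.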
I just migrated my Drupal 8 site from an Apache server to Nginx.
I applied the configuration below:
https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/
I do not understand what this block is for. Should I enter the IP address of my server instead of this one?
# Very rarely should these ever be accessed outside of your lan
location ~* \.(txt|log)$ {
    allow 192.168.0.0/16;
    deny all;
}
The rule will only be useful if you have .txt or .log files in a directory accessible through the web server.
If that is the case, for security reasons, you should list all IP addresses that can access those files. All other addresses will be banned.
However, it is very unlikely that you want to serve log files via HTTP, so you could just deny all.
More information in the nginx docs:
http://nginx.org/en/docs/http/ngx_http_access_module.html
I'm managing a site and the site is built in WordPress. It gets an ENORMOUS amount of traffic from bots and we want to block all of them except for important bots like Google, Yahoo, Bing and Baidu. We use Cloudflare and I want to block them from two layers, the Cloudflare firewall and the htaccess file. In the htaccess file, I know how to block a single IP address and the last trailing IPs of an IP range like 123.123.123.0/16
However, I need to block the following IPs:
69.30.192.0 - 69.30.255.255
93.55.115.64 - 93.55.115.71
How do you set rules for this in the htaccess file? Cloudflare seems to follow the same rule.
You've almost got it. The /16 notation is actually called CIDR Notation.
The number indicates how many bits to match from left to right. The Wiki page explains it in depth.
Or... you can just take my word for it and use a tool like this one I found: http://www.ipaddressguide.com/cidr#range
You can then use the deny from in your .htaccess just as you would for a single IP with the given values:
Order Allow,Deny
Deny from 69.30.192.0/18
Deny from 93.55.115.64/29
Allow from all
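The range-to-CIDR conversion from the answer above, done with Python's standard ipaddress module instead of a web tool; this is an added example, not part of the original answer. It goes slightly further than the two ranges in the question: it also shows what a CIDR with host bits set (the question's 123.123.123.0/16) really covers, and a constructed range that does not start on a block boundary and therefore needs more than one line.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(b) for b in blocks]


def normalize(cidr):
    """Zero the host bits, e.g. the question's 123.123.123.0/16."""
    return str(ipaddress.ip_network(cidr, strict=False))


def span(cidr):
    """First and last address a CIDR block really covers."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def deny_lines(ranges):
    """'Deny from' lines in the syntax used in the answer above."""
    return ["Deny from " + c for a, b in ranges for c in range_to_cidrs(a, b)]


# The two ranges from the question.
RANGES = [("69.30.192.0", "69.30.255.255"), ("93.55.115.64", "93.55.115.71")]

if __name__ == "__main__":
    print("\n".join(deny_lines(RANGES)))
    print(normalize("123.123.123.0/16"), span("123.123.123.0/16"))
    # Constructed range that does not start on a block boundary.
    print(range_to_cidrs("93.55.115.60", "93.55.115.71"))
```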
Not sure how reliable the source is, but this is from clockwatchers
http://www.clockwatchers.com/htaccess_block.html
To Block a single ip address
order allow,deny
deny from 127.0.0.1
allow from all
This will refuse all GET and POST requests made by IP address 127.0.0.1, an error message is shown instead
To block multiple ip addresses, list them one per line
order allow,deny
deny from 127.0.0.1
deny from 127.0.0.2
deny from 127.0.0.3
allow from all
To block an entire ip range
deny from 127.0.0
This will refuse access for any user with an address in the 127.0.0.0 to 127.0.0.255 range.
Edit: Just found a similar question here
How to Block an IP address range using the .htaccess file
Looks like our answers are similar too.
The answer from @Nick is good, so on the side of configuring the .htaccess you should go his way.
My answer will be about another issue detected in your question: you are willing to block the IP range 69.30.192.0 - 69.30.255.255, but a quick search on the ARIN database (WHOIS for IP addresses) shows that this range does not belong to a single person.
In fact, by doing this, you might potentially deny your website to non-bots.
E.g.:
69.30.192.0 - 69.30.192.31 belongs to LEAKY****.COM
...
69.30.193.0 - 69.30.193.15 belongs to TA*****, Abdelkader
etc.
We have a setup where our server, running a Symfony2 application, is inside the client's network.
Is there a way to allow only the /api* path to be accessed from an external network (=the internet)?
I'm assuming the best approach is by configuring nginx but I can only find blocking all or no URL.
Try this:
location /api/ {
    # Deny private IPv4 address spaces
    deny 10.0.0.0/8;
    deny 172.16.0.0/12;
    deny 192.168.0.0/16;
    allow all;
}
See http://wiki.nginx.org/HttpAccessModule for more information.
I have an htaccess file like this:
<Limit GET HEAD POST>
order deny,allow
allow from xx.xx.xx.xx/xx
allow from xx.xx.xx.xx/xx
allow from xx.xx.xx.xx/xx
...doesn't matter....some ips...
deny from all
</Limit>
And these IP addresses in MyBB:
5.10.83.26
5.10.83.7
5.10.83.40
are overloading my server every day, and then it gets stuck; I have to wait for the host to flush-hosts, as I don't have permission...
How are those IP addresses avoiding my restrictions in htaccess? Yes, I am sure they are not allowed.
I use WordPress as root, and the subfolder is MyBB. I see those addresses in MyBB.
At least, how can I add deny from 5.10.83.00/26 to htaccess and keep deny from all?
I can't tell you how they're getting through your restrictions, but according to this whois result for 5.10.83.* the people to ask can be reached at 'abuse#softlayer.com'
Softlayer is a cloud platform and whoever is causing your DoS is one of their clients ... good luck