I'm running a public proxy server and would like to block clients from accessing local devices on the server.
Local devices are on 10.0.0.0/8.
The proxy server runs on 127.0.0.1:31336. Access to the proxy server is made by reverse proxy on nginx which is listening on a public IP address.
Would an iptables rule like "reject 127.0.0.1:31336 from accessing 10.0.0.0/8" work? If so can I get an example iptables command to do so?
If not, would I have to work with network namespaces to achieve what I am seeking for?
why would you even use iptables for blocking client of a nginx, anyway follow this tutorial it will show you how you can allow or deny an ip or range ip : https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-proxied-tcp/
Related
I set up a wireguard instance in a docker container and use nginx proxy manager to set up all reverse proxy settings. Now I want the website to be only accessible when I am connected to the VPN.
I tried to add localhost as the forward address and set the only allow to the local server ip, but it doesn't work and just displays a cant connect to server message in my browser.
Add this to a server block (or a location or http block) in your nginx configuration:
allow IP_ADDRESS_OR_NETWORK; # allow only connections from Wireguard VPN network
deny all; # block the rest of the world
The allowed network has to match your specific Wireguard VPN network. All peer IP addresses which should have access must be part of the network range. Depending on your NAT settings, you should verify the actual IP address or network by checking the access log: tail -f /var/log/nginx/access.log
Be sure to reload your nginx config to apply changes: service nginx reload
See also http://nginx.org/en/docs/http/ngx_http_access_module.html for usage hints on the HTTP access module.
In the project I am working on, there is an application that works on many docker containers. To access one of the containers I need to add the following path in the /etc/hosts file
127.0.0.1 my.domain.com
Then App of course is available on http://my.domain.com in my computer.
Unfortunately, This is large complicated application and I cannot change the configuration to add a port (then i would use 192.168.X.X:PORT from other device)? so How I would to be able to access the application from other device in local network (WIFI or other way)? I try using localtunnel or ngrok but this works too slow and aren't good in this case.
Maybe someone knows another way?
If your server is running on ip 192.168.X.X on you local network, adding the line:
192.168.X.X my.domain.com
to the second device on your network should do the job
Another solution is to run a proxy server on the same instance as your server and send all the requests to the proxy server. The proxy server will listen on another port but it will forward all the requests to my.domain.com with the original port, it will work since it uses the same /etc/hosts.
try using nginx-webserver proxy it's free version it offers the feature what you want.
add a reverse proxy and host your app with my.domain.com
OR
Host your app on port :80 ie. the default port
I have nginx server behind reverse proxy (Cloudflare) and want to block ips based on the xforwarded ip sent in the header.
I have tried the following iptables string matching rule :
iptables -A INPUT -m string --string "1.1.1.1" --algo bm --to 1024 -j DROP
However this doesn't seem to do anything.
Why isn't the string matching working ? I'm sure the real ip is sent in the packet , either as X-Forwarded-For or CF-Connecting-IP.
Kernel is 3.4.x and iptables 1.4.7, so no issues there .
As you mention CF-Connecting-IP is the best way to get the real IP behind CloudFlare. This is better than X-Forwarded-For as that can be changed if your server is then placed behind a load balancer or another reverse proxy (X-Forwarded-For even supports a comma separated list in it's RFC).
CloudFlare should only pass secure traffic and only web traffic to CloudFlare supported web server ports, therefore you can whitelist CloudFlare IPs and enable IPTables on other IPs. You can then block IPs in the Firewall tab of the CloudFlare site in question, then looking under IP Firewall. Non-CloudFlare traffic can then have IPTables applied to it.
We use the official Mod_CloudFlare on our Apache servers in order to correctly get the IP Address to our web server and ultimately into the web application itself. On NGinX you can try the ngx_http_realip_module.
On a VPS with a static, publicly routable IP, I have a simple web server running (on port 8080) in a container that exports port 8080 (-p 0.0.0.0:8080:8080).
If I spin up another container on the same box and try to curl <public ip of host>:8080 it resolves the address, tries to connect but fails when making the request (it just hangs).
From the host's shell (outside containers), curl <public ip of host>:8080 succeeds.
Why is this happening? My feeling is that, somehow, the virtual network cards fail to communicate with each other. Is there a workaround (besides using docker links)?
According to Docker's advanced networking docs (http://docs.docker.io/use/networking/): "Docker uses iptables under the hood to either accept or drop communication between containers."
As such, I believe you would need to setup inbound and outbound routing with iptables. This article gives a solid description of how to do so: http://blog.codeaholics.org/2013/giving-dockerlxc-containers-a-routable-ip-address/
I have some linux application that runs on a VM and listens TCP connections on different ports. The VM is behind a NAT. I would like to install a Proxy on that VM to listen connections and to redirect them through correctly ports.
I would like to redirect the traffic(maybe iptables) from the VM's host to the Proxy, inside the VM.
Can you tell me what Proxy should I use and give me a short configuration example?
What you're talking about looks like using a server software within a guest on the host network, which would be perfectly served using Port Forwarding. See VMWare documentation