Nginx and OpenVPN - controlling access to wordpress configuration files - nginx

I'm coming with a question and struggling, because I have already set up LEMP + CSF Firewall + Nginx WordPress block + OpenVPN.
So - I have a problem with blocking access to the wp-login.php file and the /wp-admin directory on the server.
I have already managed to block it for everybody, but I can't allow access for connections from the VPN tunnel.
Legend:
IP: 1.1.1.1 - server IP
IP: 10.8.0.2 - the IP that I get on the VPN connection
This is my location blocking block in nginx:
location ~ ^/(wp-admin|wp-login\.php) {
allow 1.1.1.1;
deny all;
}
This is my OpenVPN conf file:
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
I tried allowing connections for 10.8.0.0/24 and for the server IP... and I'm still getting error 403 when I try to get there through the VPN.
Edit
I tried adding the redirect to the VPN, push "redirect-gateway def1", and in the location blocks I changed 1.1.1.1 to 10.8.0.0/24, and still nothing (even with 1.1.1.1 it doesn't work).
Edit 2
I changed the IP assigned by the VPN to the client to a 16.8.*.* (/24) address. I can't access the files (wp-*) when I put allow 1.1.1.1; allow 16.8.0.0/24; deny all in the block.
It's a training VPS, so I can struggle with it some more :D

What could be happening is that you are trying to access your site using the public IP of your VPN and not the private one; it seems that you already tried this:
location ~ ^/(wp-admin|wp-login\.php) {
allow 1.1.1.1;
allow 10.8.0.0/24; # the tunnel subnet handed out by "server 10.8.0.0 255.255.255.0"
deny all;
}
But now check what IP is actually making the request; give this a try:
location /myip {
default_type text/plain;
return 200 "$remote_addr\n";
}
Then query yoursite/myip; it should print the IP you are using to access the site, which is probably the one you want to allow. (In case it is a public IP, it will probably match the one printed here: https://myip.country/ip)
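As an added example that is not part of the question or the answer above, the Python below models how nginx's access module reads that location block: allow and deny directives are checked in the order written, the first one whose address or CIDR contains $remote_addr decides, and a request matching no directive is allowed. That ordering is what makes a trailing deny all work, and it is why deny all placed first makes every allow line dead. The rule sets are the ones from this thread; 203.0.113.5 is a constructed stand-in for a client whose request reached nginx outside the tunnel. That case is the one to look for here: with push "redirect-gateway def1", the OpenVPN client also installs a host route for the VPN server's public address via its original gateway so that the tunnel's own packets are not routed back into the tunnel. A browser request to 1.1.1.1 therefore leaves through the physical interface and arrives with the client's ISP address, not 10.8.0.2, which is what the /myip location in the answer will print. Requests carry a 10.8.0.x source only when they are sent to the server's tunnel-side address (10.8.0.1, the first address of server 10.8.0.0 255.255.255.0), for example by pointing the site's hostname at 10.8.0.1 in the client's hosts file; allow 1.1.1.1 on its own only admits requests whose source is the server itself.

```python
import ipaddress

# Added example, not code from the question or the answer: a model of how nginx's
# ngx_http_access_module evaluates a location's allow/deny directives.
# Rules are checked in the order written; the first one whose address or CIDR
# contains $remote_addr decides, and a request matching no rule is allowed.
# "all" matches every address, so "deny all" only protects when it comes last.


def parse_rule(directive):
    """Turn 'allow 10.8.0.0/24;' or 'deny all;' into (action, network-or-None)."""
    action, target = directive.strip().rstrip(";").split()
    if action not in ("allow", "deny"):
        raise ValueError(f"not an access directive: {directive!r}")
    network = None if target == "all" else ipaddress.ip_network(target, strict=False)
    return action, network


def nginx_access(rules, remote_addr):
    """Return 'allow' or 'deny' for remote_addr under an ordered list of directives."""
    addr = ipaddress.ip_address(remote_addr)
    for action, network in map(parse_rule, rules):
        if network is None or (addr.version == network.version and addr in network):
            return action
    return "allow"  # nothing matched: nginx lets the request through


# Rule sets from this thread.
ORIGINAL = ["allow 1.1.1.1;", "deny all;"]                        # question: only the server's own address
WITH_VPN = ["allow 1.1.1.1;", "allow 10.8.0.0/24;", "deny all;"]  # answer: add the tunnel subnet
MISORDERED = ["deny all;", "allow 10.8.0.0/24;"]                  # pitfall: the allow is never reached
NO_DENY = ["allow 10.8.0.0/24;"]                                  # pitfall: without deny all everyone is allowed


def report(rules, sources):
    """Verdict per source address, for a side-by-side comparison of rule sets."""
    return {ip: nginx_access(rules, ip) for ip in sources}


if __name__ == "__main__":
    # Constructed sources: the client's tunnel address from the legend, the server
    # itself, and a made-up ISP address (TEST-NET-3) for a request that reached
    # nginx outside the tunnel.
    sources = ["10.8.0.2", "1.1.1.1", "203.0.113.5"]
    for name, rules in [("original", ORIGINAL), ("with VPN subnet", WITH_VPN),
                        ("misordered", MISORDERED), ("no deny all", NO_DENY)]:
        print(f"{name:16} {report(rules, sources)}")
```

Run it as-is to see the four verdict tables; to test a real config, paste the directives of one location block into a list and call nginx_access with the address /myip printed.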

Related

Nginx restricting access by machine name instead of IP address

I use nginx with simple auth rules such as the following:
location /api {
#...
deny 192.168.1.2;
allow 10.128.99.1;
allow 127.0.0.1;
deny all;
}
This works great, but sometimes a user's IP changes, and then I have to update the nginx.conf file with the new IP. Is there any way to use a machine name instead, such as the following:
location /api {
#...
deny 192.168.1.2;
allow MachineName;
allow 127.0.0.1;
deny all;
}
I tried that, but nginx gave an error when I tried to start the service. I can use ping to look up the IP, but I am just trying to automate the process. Thanks in advance.
There is the Nginx HTTP rDNS module, which does just the very thing you're asking about:
This module allows making a reverse DNS (rDNS) lookup for incoming connections and provides simple access control of incoming hostnames by allow/deny rules
The only downside is that you'll have to disable HTTP/1.1 keepalive due to an outstanding bug, which was never fixed.
Installation on CentOS systems (6, 7 and 8) can be done using the commercial GetPageSpeed repository (requires a subscription):
sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
sudo yum -y install nginx-module-rdns
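A caveat for anyone taking the hostname route, with an added example that is neither the module's code nor part of the answer: a reverse lookup on its own is not an access control. The PTR record for an address is published by whoever controls that address block, so any connecting host can "claim" a trusted name. Allow-by-hostname needs forward-confirmed reverse DNS: look up the PTR, then check that the name's A/AAAA records contain the connecting address (the rdns module's README describes a double, reverse-then-forward, mode for this; verify it against the version you install). The Python below implements that check over a constructed in-memory resolver (10.128.99.1 and 192.168.1.2 are reused from the question; every hostname and 203.0.113.7 are made up) and evaluates hostname rules in first-match order like nginx's allow/deny. Replace the two lookup functions with real resolver calls to use it outside the example.

```python
# Added example, not the rdns module's code and not part of the answer: a
# forward-confirmed reverse DNS (FCrDNS) check behind hostname allow/deny rules.
# The resolver data below is constructed so the example runs offline; 10.128.99.1
# and 192.168.1.2 are the addresses from the question, every name is made up.

CONSTRUCTED_PTR = {
    "10.128.99.1": "buildbox.corp.example",  # honest: PTR and A record agree
    "203.0.113.7": "buildbox.corp.example",  # lying PTR published by whoever owns 203.0.113.0/24
    "192.168.1.2": "kiosk.corp.example",
}
CONSTRUCTED_FORWARD = {
    "buildbox.corp.example": {"10.128.99.1"},
    "kiosk.corp.example": {"192.168.1.2"},
}


def reverse_lookup(ip):
    """PTR lookup stand-in; a real one would use socket.gethostbyaddr(ip)[0]."""
    return CONSTRUCTED_PTR.get(ip)


def forward_lookup(name):
    """A/AAAA lookup stand-in; a real one would collect the addresses from socket.getaddrinfo(name, None)."""
    return CONSTRUCTED_FORWARD.get(name, set())


def fcrdns_hostname(ip):
    """Return the hostname for ip only when the PTR name resolves back to ip."""
    name = reverse_lookup(ip)
    if name is not None and ip in forward_lookup(name):
        return name
    return None


def hostname_access(ip, rules, confirm=True):
    """
    First-match evaluation of (action, hostname-or-'all') rules, like allow/deny order.
    confirm=False trusts the PTR alone (the hole); confirm=True requires FCrDNS.
    """
    name = fcrdns_hostname(ip) if confirm else reverse_lookup(ip)
    for action, target in rules:
        if target == "all" or (name is not None and target == name):
            return action
    return "allow"


# The question's intent, with MachineName spelled out as a constructed FQDN.
RULES = [("deny", "kiosk.corp.example"), ("allow", "buildbox.corp.example"), ("deny", "all")]

if __name__ == "__main__":
    for ip in CONSTRUCTED_PTR:
        print(ip, "PTR-only:", hostname_access(ip, RULES, confirm=False),
              "FCrDNS:", hostname_access(ip, RULES, confirm=True))
```

The 203.0.113.7 row is the point: with the PTR alone it is allowed, with the forward confirmation it is denied. Keep the plain IP rules (allow 127.0.0.1 and the like) alongside the hostname rules; a loopback address has no useful PTR to confirm.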

neo4j WebSocket connection to 'ws://localhost:7687/' failed: Establishing a tunnel via proxy server failed

I have neo4j community server edition 3.4.5, which gives me "WebSocket connection to 'ws://localhost:7687/' failed".
I found some solutions that work in Firefox, Chrome and IE, but those are temporary solutions that work; I don't think that just bypassing the proxy would be a permanent solution.
It is not working when connected to the VPN (office network); otherwise it's working. What could be the reason for this error within an office network? How do I resolve this issue?
Any ideas or suggestions, please?
There can be several reasons for this issue, and I probably need to know more about your setup before I can pinpoint the problem.
1 check:
Disconnect from the VPN and open a command prompt (Windows+R, then type cmd and press Enter).
Use either telnet or PuTTY ( https://www.putty.org/ ) and connect to 127.0.0.1 port 7687:
telnet 127.0.0.1 7687
See if you get a response like this:
GET / HTTP/1.0
2 check:
Go to your proxy settings and see if you have a proxy enabled:
Firefox: Preferences/Options > Advanced > Network > Settings
IE: Tools > Options > Connections > Lan Settings
I suggest turning off your proxy and doing check 1 again.
3 check:
Connect to your VPN and do the check 1 part once again
Check for the error messages (which you probably would get) and then type in the command prompt:
route print
It should show a line like this:
127.0.0.0 255.0.0.0 On-link 127.0.0.1 xxx
127.0.0.1 255.255.255.255 On-link 127.0.0.1 xxx
127.255.255.255 255.255.255.255 On-link 127.0.0.1 xxx
This ensures that your loopback is still up and running (it probably is OK).
4 check:
Turn off your local firewall with VPN connected (if allowed) and try the check 1 again.
Some firewall rules change connections to "localhost" while connected to a VPN, since the new connection is "corporate" or "public".
If that worked, you need to create a rule in your firewall to allow connection to port 7687 for all addresses, this will fix your problem.
5 check:
Check that your neo4j community server listens on "127.0.0.1" and not "0.0.0.0".
Check your open ports using netstat:
netstat -a -o
It should show something like this:
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:7687 machinename:0 LISTENING xxxx
or
TCP 127.0.0.1:7687 machinename:0 LISTENING xxxx
If the server looks like the first line, it might be handled by a corporate firewall, but by using 127.0.0.1 as the address it should always be local.
Hopefully that will get you on the way :)
I had the same problem, so let me tell you what I came up with...
The company has a proxy server for all connections, so I changed my request from the IP to the DNS name, which I found by typing nslookup IP in the command prompt terminal.
from: ws://180......:80/socket/test to: ws://mxjuppro22......:80/socket/test
Then the error was gone, and now it's working like a charm!!!
Hope it helps

How can I modify my IP address on my localhost in MAMP?

Developing a plugin for WordPress locally, I want to implement Akismet in form validation, but I'm required to send an IP address with the submission, and when I run:
function check_ip_address() {
if (isset($_SERVER['REMOTE_ADDR'])) :
$ip_address = $_SERVER['REMOTE_ADDR'];
else :
$ip_address = "undefined";
endif;
return $ip_address;
}
echo check_ip_address();
I get back ::1. When I researched how to resolve this I didn't find a solid answer in:
Ask Different tag MAMP
How do I rename MAMP web server?
When researching how to resolve ::1 I found Should a MAMP return ::1 as IP on localhost?, which suggests a sudo of:
sudo vi /etc/apache2/httpd.conf
So I go to MAMP/conf/apache/httpd.conf and try to modify line 48 from Listen 8888 to Listen 127.0.0.1, and I get an error and Apache will not restart. How can I modify my MAMP IP so I can get a proper IP from $_SERVER['HTTP_USER_AGENT']?
It's ::1 because that's the IPv6 loopback address, the equivalent of 127.0.0.1, and the remote address is yourself, as MAMP is running locally: the remote browser is on the same machine.
REMOTE_ADDR is the IP the request came from. In most scenarios this is the same as the IP the browser's machine has on the open internet, but here MAMP is running Apache natively, so it's 127.0.0.1 or ::1. If you were using a Docker container or a virtual machine, it would be a private IP on a range specified when configuring your containers/VMs.
So to retrieve the IP you're expecting, you'll need to use an external service, or, for the sake of debugging, pass Akismet a hardcoded IP, but I suspect it's asking for the IP of whomever is commenting.
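An added example, not from the answer above and going one step beyond it: the answer's point is that REMOTE_ADDR is the peer that opened the TCP connection. Behind a reverse proxy or a container network that peer is the proxy, and the real client only appears in the X-Forwarded-For header, which any client can write. The safe way to recover the client address is to walk the chain from the right (REMOTE_ADDR first), skip only addresses you operate, and take the first hop that is not yours; the leftmost entry is whatever the client chose to send. The code is Python, like the other added examples on this page, but the same walk applies to $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_X_FORWARDED_FOR'] in PHP. The trusted ranges are an assumption for the example (loopback plus a typical Docker bridge network); the request samples are constructed.

```python
import ipaddress

# Added example, not from the answer: choosing the client address when REMOTE_ADDR
# is a loopback or private proxy address. REMOTE_ADDR is the peer that opened the
# TCP connection; behind a reverse proxy or a container network that is the proxy,
# and the client only appears in X-Forwarded-For, a header any client can write.
# Walk the chain from the right (REMOTE_ADDR first) and skip only hops you operate;
# the first hop that is not yours is the client. Never take the leftmost entry.
# The trusted ranges are assumed for the example: loopback plus a typical Docker
# bridge network.

TRUSTED_PROXIES = [
    ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "172.17.0.0/16")
]


def is_trusted_proxy(addr):
    """True when addr belongs to a proxy we operate (assumed ranges above)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, x_forwarded_for=None):
    """
    Return the client address, or None if the chain contains garbage.
    remote_addr: the REMOTE_ADDR value; x_forwarded_for: the raw header value.
    """
    hops = [remote_addr]
    if x_forwarded_for:
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()] + hops
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse rather than guess
        if not is_trusted_proxy(hop):
            return hop
    return remote_addr  # every hop is ours, e.g. a request made from the box itself


if __name__ == "__main__":
    # Constructed requests: the MAMP case, two proxied cases, and a spoof attempt
    # from a client that connects directly but sends its own X-Forwarded-For.
    print(client_ip("::1"))                                             # ::1
    print(client_ip("127.0.0.1", "198.51.100.9"))                       # 198.51.100.9
    print(client_ip("172.17.0.1", "1.2.3.4, 198.51.100.9, 127.0.0.1"))  # 198.51.100.9
    print(client_ip("198.51.100.9", "10.0.0.1"))                        # 198.51.100.9
```

In the third case the spoofed 1.2.3.4 is ignored because 198.51.100.9 is the first hop that is not one of our proxies; in the fourth the header is ignored entirely because the direct peer is already untrusted. On a plain MAMP install there is no proxy, so the answer's point stands: the only address available locally is ::1, and a real client address has to come from a real client.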

Squid refuses all websites when creating proxy server

So I'm trying to create a proxy server for my crawler to use, and I'm unsure why I'm getting denied, even from my own machine. When I go to any website in a browser, on the computer that I've installed Squid and everything on, it gives me the following error message:
ERROR
The requested URL could not be retrieved
While trying to retrieve the URL: http://www.whatismyipaddress.com/
The following error was encountered:
Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
Your cache administrator is webmaster.
Generated Sun, 08 Nov 2015 04:03:13 GMT by WIN-AIUOBK0JHPA (squid/2.7.STABLE8)
I've edited my LAN settings in Internet Options to use a proxy server at the correct IP address (the IPv4 one when I run ipconfig), gave it the correct port, and I've also opened the port in Windows Firewall.
Below are segments of my squid.conf file:
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl localhost src 192.168.1.0/255.255.255.255
http_access allow localhost
(skip through some commented out segments....)
http_access allow manager localhost
http_access allow localnet
As you can tell, I've stripped out a lot of unnecessary commented parts. Lower down, I have my...
http_port ####
...line.
I have no idea why I'm getting blocked out. I will be constantly refreshing, so if you need any more information or have any questions, please let me know. Thank you so much!!
Your config should look somewhat like the below:
http_access allow localhost
http_access allow localnet
# And finally deny all other access to this proxy
http_access deny all
and remove the following line from your config:
acl localhost src 192.168.1.0/255.255.255.255
localhost need not be specified as an ACL; it's just for accessing localhost pages. You have mixed up localhost with localnet; modify that line like below:
acl localnet src 192.168.1.0/255.255.255.0 # /24 covers the LAN; a mask of 255.255.255.255 would match only the single host 192.168.1.0
Your LAN clients' local IPs hitting the proxy should belong to the above src range, or modify the range as you require. All other requests from other IPs will be denied.
I just got rid of all the default config and used the following:
# cat /etc/squid/squid.conf
http_port 3128
acl vpc_no_internet src 10.130.0.0/255.255.0.0
http_access allow vpc_no_internet
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
Note: The above config allows access for the specified subnet only.
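Both answers above rely on how Squid walks http_access, so here is an added example (not Squid's code and not part of either answer) that models it. Only src ACLs are modelled, in either address/netmask or CIDR form; all is treated as predefined, as in current Squid (Squid 2.7, the version on the question's error page, needs an explicit acl all src all). Lines are tested in order and the first line whose ACLs all match decides. If no line matches, the verdict is the opposite of the last line's action: that is why the second answer's config, which ends in http_access allow vpc_no_internet, denies everyone outside the subnet, and why a final http_access deny all is the explicit form of the same thing. The config texts are constructed reductions of the ones in this thread; the client addresses are made up.

```python
import ipaddress

# Added example, not Squid's code and not part of either answer: a model of how
# Squid reads http_access. Only "src" ACLs are modelled (address/netmask or CIDR
# lists); "all" is treated as predefined. Lines are tested in order and the first
# one whose ACLs all match decides. If no line matches, the verdict is the
# OPPOSITE of the last line's action, which is why a config ending in
# "http_access allow subnet" denies everyone else, and why a final
# "http_access deny all" is the explicit form.


def parse_squid(config_text):
    """Collect src ACLs and http_access lines from squid.conf text."""
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]}
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            name, acl_type = parts[1], parts[2]
            if acl_type == "src":
                acls.setdefault(name, []).extend(
                    ipaddress.ip_network(p, strict=False) for p in parts[3:])
            else:
                acls.setdefault(name, [])  # port/method/proto ACLs: not modelled, never match
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def http_access(config_text, client_ip):
    """Return 'allow' or 'deny' for client_ip under the given squid.conf text."""
    acls, rules = parse_squid(config_text)
    ip = ipaddress.ip_address(client_ip)

    def matches(name):
        if name not in acls:  # Squid refuses to start on an undefined ACL name
            raise KeyError(f"ACL {name!r} used in http_access but never defined")
        return any(ip.version == net.version and ip in net for net in acls[name])

    for action, names in rules:
        if all(matches(n) for n in names):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed configs reduced to the lines that matter in this thread.
ASKER = """
acl localhost src 192.168.1.0/255.255.255.255   # mask /32: matches the single host 192.168.1.0
http_access allow localhost
http_access deny all
"""
FIXED = """
acl localnet src 192.168.1.0/255.255.255.0      # the whole LAN
http_access allow localnet
http_access deny all
"""
VPC_ONLY = """
http_port 3128
acl vpc_no_internet src 10.130.0.0/255.255.0.0
http_access allow vpc_no_internet
"""

if __name__ == "__main__":
    for name, cfg in [("asker", ASKER), ("fixed", FIXED), ("vpc_only", VPC_ONLY)]:
        print(name, {ip: http_access(cfg, ip) for ip in ("192.168.1.10", "10.130.7.7", "203.0.113.5")})
```

The "asker" row shows the original failure: with a 255.255.255.255 mask the ACL covers only 192.168.1.0, so a LAN client at 192.168.1.10 falls through to deny all. The opposite-of-last default cuts both ways; a config whose last line is a deny lets unmatched clients in, so always finish with http_access deny all rather than relying on the default.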
I had a similar situation and the solution was to use the following commands:
unset https_proxy
unset http_proxy
unset ftp_proxy
I placed these into a script to run every time I logged in to my server.
This may not be the correct solution for you but it worked in my situation as I wasn't using the proxy and was connecting via vpn.
The only reason I am posting this is I haven't seen this answer posted anywhere else. As usual, YMMV.

Restricting direct access to port, but allow port forwarding in Nginx

I'm trying to restrict direct access to elasticsearch on port 9200, but allow Nginx to proxy pass to it.
This is my config at the moment:
server {
listen 80;
return 301;
}
server {
listen *:5001;
location / {
auth_basic "Restricted";
auth_basic_user_file /var/data/nginx-elastic/.htpasswd;
proxy_pass http://127.0.0.1:9200;
proxy_read_timeout 90;
}
}
This almost works as I want it to. I can access my server on port 5001 to hit elasticsearch and must enter credentials as expected.
However, I'm still able to hit :9200 and avoid the HTTP authentication, which defeats the point. How can I prevent access to this port, without restricting nginx? I've tried this:
server {
listen *:9200;
return 404;
}
But I get:
nginx: [emerg] bind() to 0.0.0.0:9200 failed (98: Address already in use)
as it conflicts with elasticsearch.
There must be a way to do this! But I can't think of it.
EDIT:
I've edited based on a comment and summarised the question:
I want to lock down <serverip>:9200 and basically only allow access through port 5001 (which is behind HTTP auth). 5001 should proxy to 127.0.0.1:9200 so that elasticsearch is accessible only through 5001. All other access should 404 (or 301, etc).
Add this to your ES config to ensure it only binds to localhost:
network.host: 127.0.0.1
http.host: 127.0.0.1
Then ES is only accessible from localhost and not from the world.
Make sure this is really the case with the tools of your OS, e.g. on Unix:
$ netstat -an | grep -i 9200
tcp4 0 0 127.0.0.1.9200 *.* LISTEN
In any case I would lock down the machine using the OS firewall to really only allow the ports you want, and not rely only on proper binding. Why is this important? Because ES also runs its cluster communication on another port (9300), and evildoers might just connect there.
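The neo4j answer's "5 check" and the Elasticsearch answer's netstat line make the same verification: is the service bound to 127.0.0.1 or to every interface? As an added example that is not from either answer, the Python below parses the LISTEN lines of netstat output in the three notations that appear on this page (Windows netstat -a -o with 0.0.0.0:7687 and [::]:7687, Linux netstat -an with 127.0.0.1:9200 and :::9300, macOS/BSD netstat -an with 127.0.0.1.9200 and *.9300) and reports, per port, whether anything listens beyond loopback. The sample outputs are constructed to mirror the answers; the ports are neo4j's 7687/7474 and Elasticsearch's 9200/9300. Pipe real output into it to check a live box.

```python
import ipaddress
import sys

# Added example, not from either answer: a parser for the LISTEN lines of netstat
# output that reports whether a port is bound to loopback only or to every
# interface. It accepts the Windows (0.0.0.0:7687, [::]:7687), Linux
# (127.0.0.1:9200, :::9300) and macOS/BSD (127.0.0.1.9200, *.9300) notations.
# The samples are constructed to mirror the answers' output.


def split_local(field):
    """Return (host, port) from a netstat local-address field in any common notation."""
    if field.startswith("["):                  # Windows IPv6: [::]:7687 or [::1]:7474
        host, port = field[1:].split("]:", 1)
    elif ":" not in field:                     # BSD/macOS: 127.0.0.1.9200 or *.9300
        host, port = field.rsplit(".", 1)
    else:                                      # Windows/Linux: 0.0.0.0:7687, :::9300
        host, port = field.rsplit(":", 1)
    return host, int(port)


def listeners(netstat_output):
    """Yield (port, bound_host) for every listening TCP socket in the text."""
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].lower().startswith("tcp"):
            continue
        if not any(p in ("LISTEN", "LISTENING") for p in parts):
            continue
        # Windows puts the local address in column 2; Linux/BSD have Recv-Q/Send-Q first.
        local = parts[1] if not parts[1].isdigit() else parts[3]
        host, port = split_local(local)
        yield port, host


def scope(host):
    """'all' for wildcard binds, 'loopback' for 127.x/::1, 'specific' otherwise."""
    if host in ("0.0.0.0", "*", "::", ""):
        return "all"
    try:
        return "loopback" if ipaddress.ip_address(host).is_loopback else "specific"
    except ValueError:
        return "unknown"


def bindings(netstat_output):
    """Map port -> set of scopes seen for that port."""
    result = {}
    for port, host in listeners(netstat_output):
        result.setdefault(port, set()).add(scope(host))
    return result


def loopback_only(netstat_output, port):
    """True when the port is listening and nothing binds it beyond loopback."""
    return bindings(netstat_output).get(port) == {"loopback"}


# Constructed samples shaped like the outputs quoted in the two answers.
WINDOWS_SAMPLE = """\
Proto  Local Address          Foreign Address        State           PID
TCP    0.0.0.0:7687           machinename:0          LISTENING       4321
TCP    127.0.0.1:7474         machinename:0          LISTENING       4321
TCP    [::]:7687              machinename:0          LISTENING       4321
TCP    10.0.0.5:49311         203.0.113.9:443        ESTABLISHED     2200
"""
MAC_SAMPLE = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.9200         *.*                    LISTEN
tcp4       0      0  *.9300                 *.*                    LISTEN
"""
LINUX_SAMPLE = """\
tcp        0      0 127.0.0.1:9200          0.0.0.0:*               LISTEN
tcp6       0      0 :::9300                 :::*                    LISTEN
"""

if __name__ == "__main__":
    # Pipe real output in (netstat -an | python3 check_bind.py) or run the samples.
    data = sys.stdin.read() if not sys.stdin.isatty() else WINDOWS_SAMPLE + MAC_SAMPLE + LINUX_SAMPLE
    for port, scopes in sorted(bindings(data).items()):
        status = "loopback only" if scopes == {"loopback"} else "EXPOSED: " + ", ".join(sorted(scopes))
        print(f"{port:5}  {status}")
```

The samples show the two findings the answers warn about: 7687 and 9300 listening on a wildcard address while 7474 and 9200 are loopback only. A port that is loopback only here is still only as private as the host; the firewall rule the answer recommends is what keeps a later config change (or a second listener such as 9300) from exposing it.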
