I want to block all IP addresses except office IP - nginx

I am running a simple Rails application on Ubuntu and I am using nginx as my web server. I would like to block all IP addresses except our office IP address (static IP).
Now I can block ip using nginx
location / {
    allow office_ip_address;
    deny all;
}
or I can block ip using ufw uncomplicated firewall.
sudo ufw allow from office_ip_address
(will this block all other ip? or do I need some command to block all other ips?)
I would like to know which approach is better? I think it's better to block IPs at the firewall level so requests don't come to our server at all. I am new to setting up servers, so please advise me which way is better?

Related

Restrict access to website using wireguard VPN

I set up a wireguard instance in a docker container and use nginx proxy manager to set up all reverse proxy settings. Now I want the website to be only accessible when I am connected to the VPN.
I tried to add localhost as the forward address and set the only allow to the local server IP, but it doesn't work and just displays a "can't connect to server" message in my browser.
Add this to a server block (or a location or http block) in your nginx configuration:
allow IP_ADDRESS_OR_NETWORK; # allow only connections from Wireguard VPN network
deny all; # block the rest of the world
The allowed network has to match your specific Wireguard VPN network. All peer IP addresses which should have access must be part of the network range. Depending on your NAT settings, you should verify the actual IP address or network by checking the access log: tail -f /var/log/nginx/access.log
Be sure to reload your nginx config to apply changes: service nginx reload
See also http://nginx.org/en/docs/http/ngx_http_access_module.html for usage hints on the HTTP access module.
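An offline way to do the access-log check described above before reloading nginx, as an added example that is not part of the original answer: it replays the first-match allow/deny ordering of ngx_http_access_module over log lines. The subnet 10.13.13.0/24, the client addresses and the log lines are constructed assumptions.

```python
import ipaddress
import re

# Constructed rules, in the order they would appear in the nginx config.
# 10.13.13.0/24 is an assumed WireGuard subnet, not a value from the page.
RULES = [("allow", "10.13.13.0/24"), ("deny", "all")]

# Constructed access-log lines (combined format). 172.18.0.1 stands in for a
# NATed source, e.g. a container bridge address seen instead of the peer IP.
SAMPLE_LOG = """\
10.13.13.2 - - [12/Mar/2024:10:01:07 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.5.0"
172.18.0.1 - - [12/Mar/2024:10:01:09 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.50 - - [12/Mar/2024:10:02:30 +0000] "GET /admin HTTP/1.1" 200 98 "-" "Mozilla/5.0"
10.13.13.2 - - [12/Mar/2024:10:03:00 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "curl/8.5.0"
"""

def decide(addr, rules=RULES):
    """Return 'allow' or 'deny' the way ngx_http_access_module does:
    rules are checked in order and the first match wins."""
    ip = ipaddress.ip_address(addr)
    for action, target in rules:
        if target == "all":
            return action
        net = ipaddress.ip_network(target, strict=False)
        if ip.version == net.version and ip in net:
            return action
    return "allow"  # no rule matched: the access module does not restrict

def audit(log_text, rules=RULES):
    """Map each client address seen in the log to (decision, hit count)."""
    seen = {}
    for line in log_text.splitlines():
        m = re.match(r"(\S+) ", line)
        if not m:
            continue
        try:
            decision = decide(m.group(1), rules)
        except ValueError:
            continue  # first field is not an IP address (e.g. a unix socket)
        hits = seen.get(m.group(1), (decision, 0))[1]
        seen[m.group(1)] = (decision, hits + 1)
    return seen

if __name__ == "__main__":
    for addr, (decision, hits) in audit(SAMPLE_LOG).items():
        print(f"{addr:15} {hits:3} request(s) -> {decision}")
```

A "deny" next to an address you expected to be a VPN peer means nginx sees a translated source address, so the allow line has to name the address nginx actually logs.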

Block proxy server clients from accessing local devices on the server

I'm running a public proxy server and would like to block clients from accessing local devices on the server.
Local devices are on 10.0.0.0/8.
The proxy server runs on 127.0.0.1:31336. Access to the proxy server is made by reverse proxy on nginx which is listening on a public IP address.
Would an iptables rule like "reject 127.0.0.1:31336 from accessing 10.0.0.0/8" work? If so can I get an example iptables command to do so?
If not, would I have to work with network namespaces to achieve what I am seeking for?
Why would you even use iptables for blocking clients of nginx? Anyway, follow this tutorial; it will show you how you can allow or deny an IP or a range of IPs: https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-proxied-tcp/

NGINX - How to hide IP on netstat

I leave my doubt here so that eventually people with more knowledge about Nginx can help me.
I have an application that uses port 2083, working as follows:
User -> Server where Nginx Proxy is hosted (Machine 1) -> Real IP of the application (Machine 2).
My goal is that the user, when connecting (after Nginx redirection) to machine 2 (where the application is hosted), is not able to view the real machine's IP (in order to prevent any DDoS attacks).
It turns out that after connecting to the application and opening the command prompt(cmd), typing netstat -n displays the real IP address of the machine (which I want to hide).
Would it be possible to do this (hide real IP) using Nginx itself? All redirects are working perfectly, I just want to hide the IP address of the machine where the application is hosted.
I took a read about the IPTables function "MASQUERADING", tried both machines and it didn't work. The netstat IP address is still displayed. I have also tested the parameter "proxy_bind $remote_addr transparent;" from Nginx, without success.
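My code in nginx.conf:
# proxy_pass directly inside a server block is only valid in the stream (TCP/UDP) context
stream {
    server {
        listen 2083;
        # forward raw TCP connections to the application host
        proxy_pass IP_MYSERVER:2083;
    }
}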

Wamp server is unable to access using public ip address

I have been trying to connect my phone to the WampServer I created and am looking forward to an OTP-based application. I aim to have a different network for both the PC and mobile and look forward to using a public IP for access. To enable port forwarding I have changed the port in httpd.conf to
Listen 8080
and in my router settings I have added separate entries: one for TCP and one for UDP packets.
Lastly, I have also enabled
# onlineoffline tag - don't remove
Require all granted
in the httpd.conf file as well. Technically, I should be able to access my wampserver by
http://{public IP address}:{8080}/
I have also given access to port 8080 in my firewall, but when I check the status of the port on the public IP online, it shows that port 8080 is closed on the {public IP address}. Unfortunately, I am not able to access the server. I am a bit confused at the moment and I guess I am stuck on something really silly. I will be deeply obliged if anyone could help me with the issue.
If your port is still closed / blocked you probably have another router / firewall / ... blocking it. Does your internet provider maybe have a router of their own in front of your router?

Connecting to a ftp server that only allow specific IP address

I need to connect to an FTP server with a restrictive IP-blocking firewall. The problem is my IP is dynamic. I only need the FTP to work; I'm using FileZilla. My ISP won't allow me to have a static IP, that's the big problem. Is there any way I can make this work? Is a proxy an alternative?
