Nginx and iptables overlapping - nginx

I'm a little confused with nginx and iptables, I want to redirect all traffic to port 443 or port 8443 on my server, I also have mongodb running on port 27017, by blocking it, will I be able to access the database from my node.js app (which is running on port 8443)? should I use nginx to redirect or iptables? it seems that sometimes they overlap each other. So, which one is better to handle this?

Related

Magento2 website with nginx(with SSL termination) and varnish cache

I have hosted magento2 website with Nginx, SSL termination, and varnish cache. Varnish cache is running on port 8080 and the Magento2 website is hosted on Nginx port 8081. Http and Https traffic is accepted by the same Nginx and forwarded to the varnish cache(SSL terminated).
NGINX Varnish Magento2 all are running in the same server
I have two questions,
If I tried to access the magento2 website which is running on port 8081, directly from the internet, it bypasses the SSL termination and directly connects to the website. How can I restrict that?
When configuring magento2 baseurl, If I want to host it on a different port rather than the default 80 port, Do I need to give the port number at the baseurl configuring step? eg:- php bin/magento setup:install --base-url=http://www.example.com:8081
Assuming you want to block the port from the public internet, you have multiple options. Assuming you have SSH access, you can block the port with iptables:
/sbin/iptables -A INPUT -p tcp --destination-port 8081 -j DROP
/sbin/service iptables save
Assuming you're using a non-standard HTTP port (not 80 or 443), yes, you would need to specify that in the configuration.
nginx shouldn't be listening on 8081 to the outside world to begin with. You probably need something like
server_name localhost;
in your nginx configuration

How to access the application from other device in local network

In the project I am working on, there is an application that works on many docker containers. To access one of the containers I need to add the following path in the /etc/hosts file
127.0.0.1 my.domain.com
Then App of course is available on http://my.domain.com in my computer.
Unfortunately, This is large complicated application and I cannot change the configuration to add a port (then i would use 192.168.X.X:PORT from other device)? so How I would to be able to access the application from other device in local network (WIFI or other way)? I try using localtunnel or ngrok but this works too slow and aren't good in this case.
Maybe someone knows another way?
If your server is running on ip 192.168.X.X on you local network, adding the line:
192.168.X.X my.domain.com
to the second device on your network should do the job
Another solution is to run a proxy server on the same instance as your server and send all the requests to the proxy server. The proxy server will listen on another port but it will forward all the requests to my.domain.com with the original port, it will work since it uses the same /etc/hosts.
try using nginx-webserver proxy it's free version it offers the feature what you want.
add a reverse proxy and host your app with my.domain.com
OR
Host your app on port :80 ie. the default port

CouchDB port 80

Is it possible to run couchdb on port 80? I'm looking to host a couchapp from it and don't want my users to have to type a port number in the url.
When I change the port to 80 in the couchdb config it becomes unavailable, and I have no access to it on 80 or any other port. I have to change the port back in the local.ini file.
Is this not a recommended setup? Would I be better hosting behind a reverse proxy? If so, any tips on how to get it working behind an IIS reverse proxy? I tried that too using ARR and URL Rewrite, with no success.
EDIT:
First, this chapter of the CouchDB definitive guide seems to suggest it is ok to server web apps directly from couch. Curious what the community thinks:
http://guide.couchdb.org/editions/1/en/standalone.html
Second, I installed CouchDB on a second machine that does NOT have IIS installed on it and it ran on port 80 just fine, so I suspect that even though I've turned off all websites in IIS it is still hogging port 80. Any way to make IIS give up port 80?
Ok I figured it out. By default IIS listens for port 80 on ALL IPs. So it also grabs 127.0.0.1 and listens on port 80 there as well, EVEN IF YOU TURN OF ALL WEBSITES listening on 80.
To remedy this you need to add an IP address to the IP listen list. By default this list is empty and IIS decides to just listen to all IPs. But if you add an IP or IPs to this list IIS will only listen to those IPs.
First here's how you can see what IPs are in the listen list:
netsh http show iplisten
If the list is blank IIS is listening on all IPs. To add an IP to the list:
netsh http add iplisten XXX.XXX.X.XXX (where the X's are your IP)
Now IIS and CouchDB can exist together on port 80 in happiness, as long as they both have their own IP's to listen to.

port forward http port (80) on virgin super hub

I am currently working on a project to make my apache server live, which is new me so this is the first time I am doing anything like this. basically I have gone in to the router and requested port forwarding on port 80 for my local IP address, but to no effect. when I test it with a web tool which tells you if a port is open or not it says it's closed. More confusingly when I run a netstsat -a command it shows http as listening. I'm not sure if its a firewall issue or I'm going about it all wrong. any Ideas would be much appreciated. Thanks
You need to be testing from outside your local network. If you run netstat on your server, of course it is going to say "listening". Is your web testing tool being run from outside your firewall? You should also be able to turn off wifi on your phone and test hitting your broadband IP address:80. Are you forwarding from port 80 on your router to port 80 on your server? Is it possible that your provider is blocking port 80 for residential accounts?
First google for an online port scanner and ask it to scan port 80.
Second if you're using Ubuntu ufw (firewall) is probably running default deny rules so do this: sudo ufw allow 80
To check it's working just plug your WAN IP into your browser URL bar, it should connect to your test page in /var/www/html/index.html

Can network admin change the default port for http

I gave an answer to following thread. but in the comment a user suggested that network admin can change the default port of http from 80 to something else.
As for as I know if I open a page eg. http://www.example.com without port that means it is running on port 80.
I just want to clarify that is it possible for network admin to change default port?
When using a browser, http://www.example.com will always try and connect to the server's TCP port 80, like it's port 443 for HTTPS connections. These port numbers (defined here) are hard coded in any browser.
Yet a web server can be configured to listen to any other port, which rarely makes sense though. If it does, the browser will be unable to connect (unless the port no. is explicitly given as in http://myserver.com:81).

Resources