1

My configuration is very simple:

To avoid duplicate content, I want to prevent users from reaching my website by hitting Apache directly (which is running on port 8080).

I have set up a Varnish server listening on port 80, so I want to use only this to avoid bots indexing the same website on a different port, which may cause duplicate content issues.

I'm using a dedicated server with Debian 6.

My virtual host looks like this:

<VirtualHost *:8080>
    ServerAdmin webmaster@localhost
    ServerName www.seek-team.com

    DocumentRoot ...
    DirectoryIndex app.php

    <Directory "/var/www/seek-team.com/current/web">
        Options -Indexes FollowSymLinks SymLinksifOwnerMatch
        AllowOverride All
        Allow from All
    </Directory>
</VirtualHost>

How can I prevent users from directly accessing the website on port 8080? (I still need Varnish to reach Apache correctly.)

Thanks.

Tristan

3 Answers

2

You could bind the Apache daemon to the loopback interface and make Varnish connect to localhost:80. Thus, Varnish would be accessible to the world while Apache would be accessible only locally.

Varnish config:

backend www {
    .host = "localhost";
    .port = "8080";  // must match the port Apache listens on (8080 below)
}

Apache config:

Listen 127.0.0.1:8080
...    
<VirtualHost 127.0.0.1:8080>
...
gevial
1

The quickest option would be to simply bind the Apache instance to localhost, so it would only be accessible from that machine.

<VirtualHost 127.0.0.1:8080>

Alternatively, you could tweak the permissions of your Apache virtual host Directory block to:

# Add your own address (IP.OF.MY.PC) to the Allow line for diagnostic access
Order deny,allow
Deny from all
Allow from 127.0.0.1

This is slightly more flexible, as you can add your own IP, or net range to the permitted IP list, to allow a select few direct access for diagnostic purposes.

Both options above assume the Varnish instance is running on the same physical server.

arober11
1

Simply block the 8080 port with iptables for the outside world like this:

 # iptables -I INPUT -p tcp --dport 80 -j DROP

 # iptables -I INPUT -s localhost -j ACCEPT
Napster_X
  • It doesn't work, the traffic is all shut down. Varnish can't access port 80 (it is on the same server, of course) – Tristan Jan 22 '13 at 18:45
  • What's the value in the .host section you have given in Varnish? Is it the network interface IP or localhost? It should be localhost, and it will work – Napster_X Jan 22 '13 at 19:02
  • Also, the sequence in which you executed the iptables rules also matters; it should be the same as I pasted above. – Napster_X Jan 22 '13 at 19:02
  • I know, this is what I did, but after that, my website didn't respond. I also tried to put iptables -I INPUT -s 127.0.0.1 -j ACCEPT but it didn't work. – Tristan Jan 22 '13 at 19:28
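
A way to confirm the loopback binding suggested in the first two answers, written as an added example that is not part of any answer on this page: the function reads `ss -ltn` style output and reports any listener on the backend port that is bound to a non-loopback address. The function name `exposed_listeners` and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which addresses the Apache backend port is bound to.
# On the server itself, run:  ss -ltn | exposed_listeners 8080

# Reads `ss -ltn` style output on stdin; $1 is the backend port.
# Prints each non-loopback address listening on that port.
# Returns 0 when the port is loopback-only (or not listening), 1 when exposed.
exposed_listeners() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }                 # skip the header and other states
        {
            n = split($4, parts, ":")           # port is the text after the last colon
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            gsub(/^\[|\]$/, "", addr)           # newer ss prints IPv6 as [::1]:8080
            if (addr ~ /^127\./ || addr == "::1") next
            print addr
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: Apache configured with "Listen 8080" (all interfaces).
SAMPLE_EXPOSED='State   Recv-Q Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0      128     *:8080              *:*
LISTEN  0      128     *:80                *:*'

# Constructed sample: Apache configured with "Listen 127.0.0.1:8080".
SAMPLE_LOOPBACK='State   Recv-Q Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0      128     127.0.0.1:8080      *:*
LISTEN  0      128     *:80                *:*'

report() {
    if printf '%s\n' "$2" | exposed_listeners 8080 >/dev/null; then
        echo "$1: port 8080 is bound to loopback only"
    else
        echo "$1: port 8080 is bound to a non-loopback address"
    fi
}

report "Listen 8080" "$SAMPLE_EXPOSED"
report "Listen 127.0.0.1:8080" "$SAMPLE_LOOPBACK"
```
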