I am running an application on port 7000 which is part of a network. So it has to communicate over port 7000 with all other servers of the network (not LAN, dynamic IPs). It also has a web front end you can access at http://my.ser.ver.ip:7000, but I want to block access to the web front end. How is this possible without blocking my application entirely?
In your question you say that your application needs to communicate over port 7000 and you also say that you want to block port 7000. You can't have it both ways. Can you please edit your question and clarify? Perhaps you're getting source port and destination port mixed up? – EEAA Apr 04 '16 at 01:03
If I'm reading this correctly, you want to block only traffic specifically using HTTP as an application-level protocol, and not all traffic to port 7000, just HTTP traffic. If that's the case, you've painted yourself into a kind of small corner, and you're getting into content-aware firewalls and DPI. I won't say it's impossible, but I will say it'd probably be a lot easier to simply run HTTP traffic on a different port. – Parthian Shot Apr 04 '16 at 13:36
3 Answers
If I understood your question correctly, you have multiple ways to block access to your application from outside the server.
- You can set your application to work only with a 127.0.0.1/8 IP address.
- You can block it via iptables.
My best practice is the first option.
You can block this via the .htaccess file. In the .htaccess file you need to allow the application only via your public IP address and deny all other IP addresses. Below I have shared the content which needs to be entered in the .htaccess file.
# Your public IP: only this IP can access the application.
Order deny,allow
allow from 1.2.3.4
deny from all
This will sort out the problem for you.
Either way, though... From the docs: ["You should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache http server. Any directive that you can include in a .htaccess file is better set in a Directory block, as it will have the same effect with better performance."](https://httpd.apache.org/docs/trunk/howto/htaccess.html) – Parthian Shot Apr 04 '16 at 13:31
You need to block any access to port 7000, then allow access to port 7000 to only the servers in your network. That way you effectively block the Web UI from being accessed unless you're accessing it from a server inside your network.
HTTP is a protocol (P in HTTP) and runs on port 80. UFW can't block it based on it being a web page or not since it only manages iptables, and only knows it's a web page after a connection has been established.
Depending on which web server you use, you could possibly use imvikasmunjal's suggestion. However, "block all access to port 7000" and then giving specific access to specific IPs is the best way forward IMO.
Sorry if I communicated it wrong. The network is not a LAN network. We are talking about servers around the globe, and their IPs are not always static and may change. What about using NGINX as a reverse proxy? I tried it by one DigitalOcean tutorial but I was not able to make it work. – John Doof Apr 19 '16 at 13:55
Well, in my opinion then, put the web front-end on port 80 and have it communicate with whatever it needs to on port 7000, then block access with a normal authentication request that a web server has built in – zerohero Apr 20 '16 at 07:19
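As an added example (not code posted in this thread), here is the "block all access to port 7000, then allow specific IPs" approach from the last answer written as a script that prints its iptables commands so they can be reviewed before being applied. Port 7000 comes from the question; the chain name, the peer addresses and the `apply` argument are assumptions, and the peer list is constructed for illustration. Note the limits: this is a port-level allowlist, so it cannot tell the application's own protocol from the HTTP front end (as the second comment on the question points out), and any allowlisted peer can still open the web UI; with dynamic peer IPs the list has to be regenerated (for example by resolving each peer's dynamic-DNS name) and the script re-run whenever an address changes.

```shell
#!/bin/sh
# Added example, not code from the thread: a port-level allowlist for
# TCP/7000. Port from the question; chain name and peers are assumptions.

APP_PORT=7000
CHAIN=APP_PEERS
# Constructed peer list (RFC 5737 documentation addresses). Real peers have
# dynamic IPs, so regenerate this list (e.g. with "getent ahostsv4 <name>"
# per peer) and re-run the script from cron or a DNS-change hook.
PEERS="203.0.113.10 198.51.100.25"

# gen_rules PORT CHAIN PEER...: print the iptables commands, one per line,
# without applying them, so the result can be reviewed (or tested) first.
gen_rules() {
  port=$1
  chain=$2
  shift 2
  # Create the chain if it does not exist yet, then empty it, so repeated
  # runs replace the old peer list instead of appending to it.
  echo "iptables -N $chain 2>/dev/null || true"
  echo "iptables -F $chain"
  # Local processes (e.g. a reverse proxy on the same host) keep access.
  echo "iptables -A $chain -i lo -j ACCEPT"
  # Packets of connections already accepted pass without re-checking the list.
  echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  for peer in "$@"; do
    echo "iptables -A $chain -s $peer -j ACCEPT"
  done
  # Everyone else, including anyone browsing to http://server:7000, is dropped.
  echo "iptables -A $chain -j DROP"
  # Hook the chain into INPUT only once (-C checks whether the jump exists).
  echo "iptables -C INPUT -p tcp --dport $port -j $chain 2>/dev/null || iptables -I INPUT -p tcp --dport $port -j $chain"
}

# count_rules PORT CHAIN PEER...: number of commands gen_rules would emit.
count_rules() {
  gen_rules "$@" | wc -l | tr -d ' '
}

# With no argument the rules are only printed; "apply" pipes them into sh
# (needs root). $PEERS is intentionally unquoted so it splits into words.
case "${1:-print}" in
  apply)
    gen_rules "$APP_PORT" "$CHAIN" $PEERS | sh
    ;;
  *)
    gen_rules "$APP_PORT" "$CHAIN" $PEERS
    ;;
esac
```

Run it without arguments to see the rule set, then `sh allow7000.sh apply` as root once it looks right. Keeping the generator separate from the apply step is what makes the script safe to re-run from cron when the peer list changes.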