
I have a VPS that acts as a proxy for ssh-tunneled webservers. Right now you can call:

http://myserverdomain.com:1234 and you are connecting into server1
http://myserverdomain.com:2345 and you are connecting into server2

I added apache config with lines:

ProxyPass /server1 http://localhost:1234/
ProxyPassReverse /server1 http://localhost:1234/

And I can access that server by calling http://myserverdomain.com/server1 (I have to change relative URLs though, but that's another story)

The problem is I'd like to block direct call by port number, so nobody can discover all the tunneled webservers that are currently connected just by scanning http://myserverdomain.com for open ports.

I tried setting iptables with iptables -A INPUT -p tcp --destination-port 1234 -j DROP but it blocked my apache proxy as well (if I understood correctly, that's because iptables work on lower level than apache server - please correct me if I'm wrong).

If so, how can I achieve my goal of blocking port from calling it directly, but not the apache proxy redirect?

Mark

1 Answer


If you have both the tunnels and Apache in the same machine, just use 127.0.0.1:1234 and 127.0.0.1:2345 for the tunnels.

Otherwise, with iptables in the machine where you have the tunnels:

# -I inserts at the head of the chain, so run them in this order: the final
# order is ACCEPT from $APACHE_IP, ACCEPT from 127.0.0.1, then DROP for port 1234
iptables -I INPUT -p tcp --dport 1234 -j DROP
iptables -I INPUT -p tcp -s 127.0.0.1 -j ACCEPT
iptables -I INPUT -p tcp -s $APACHE_IP -j ACCEPT

should work

Fredi
  • server1 and server2 are on different machines located somewhere else, behind (possibly) many routers and firewalls. That's why I'm using tunneling to get access to them. What do you mean by $APACHE_IP? Whose address is this? – Mark Oct 04 '16 at 10:39
  • If you're tunneling from your apache machine ssh'ing to server1 / server2, then you can make the tunnel listen only at 127.0.0.1, which is the default. – Fredi Oct 04 '16 at 11:25
  • $APACHE_IP is the IP of the machine that serves your domain, myserverdomain.com – Fredi Oct 04 '16 at 11:25
  • Can I just use the domain, or do I need actual IP address? – Mark Oct 04 '16 at 12:25
  • IMHO it's better to use the IP address, but it's just my opinion. Actually, can you describe your topology better? Number of machines, your tunnel config? – Fredi Oct 04 '16 at 12:46
  • I asked about it on security stackexchange network first, have a look: http://security.stackexchange.com/questions/137393/webserver-port-tunneling-security-security-options – Mark Oct 04 '16 at 13:15
  • Ok, now I have a better picture, suggest you add the description to your question too. As I see it, I think the best option is to configure your tunnels to listen only on 127.0.0.1:SOMEPORT of your apache server on myserverdomain.com. Then reverse proxy like: ProxyPass /client1 http://127.0.0.1:CLIENT1_TUNNEL_PORT, hope you get the idea – Fredi Oct 04 '16 at 13:49
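The loopback-only tunnel layout Fredi ends up recommending is easy to get wrong silently (a tunnel bound to 0.0.0.0 looks identical from Apache's side), so here is an added check script, not part of the original answer, that lists every listening TCP port on the VPS that is exposed beyond loopback. It assumes `ss -ltnH` output (state, queues, local address:port, peer), and the sample lines below are constructed; the ssh command in the comments is the standard `-R` form, with the bind address only honoured when sshd's GatewayPorts allows it.

```shell
#!/bin/sh
# On each remote webserver, a reverse tunnel that lands only on the VPS's
# loopback interface (so Apache's ProxyPass can reach it but port scans cannot):
#   ssh -N -R 127.0.0.1:1234:localhost:80 user@myserverdomain.com
# With the sshd default "GatewayPorts no" the listener is forced onto loopback
# anyway; with "GatewayPorts yes" a tunnel without an explicit bind address
# listens on all interfaces, which is exactly what this check catches.

# Constructed sample of `ss -ltnH` output on the VPS: one tunnel bound correctly
# to 127.0.0.1, one exposed on 0.0.0.0, Apache on [::]:80, one IPv6 loopback port.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:1234 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2345 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 [::1]:3456 [::]:*'

# exposed_ports SS_OUTPUT
# Prints one port per line for every listener whose local address is not a
# loopback address (127.0.0.1 or [::1]). Field 4 is "Local Address:Port";
# the port is everything after the last colon, the address everything before.
exposed_ports() {
    printf '%s\n' "$1" | awk '{
        n = split($4, parts, ":")
        port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr != "127.0.0.1" && addr != "[::1]") print port
    }'
}

# Live usage on the VPS (run as root so ss can see all sockets):
#   exposed_ports "$(ss -ltnH)"
# Expected from the constructed sample: 2345 (the misbound tunnel) and 80 (Apache).
exposed_ports "$SAMPLE_SS"
```

Port 80 is expected to show up because Apache must stay public; any other port in the output is a tunnel that was not bound to loopback and is reachable by a port scan regardless of the ProxyPass setup.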