
I'm using Jelastic with two environments, one for my frontend and one for my backend.

Each environment has an Nginx load balancer with an IPv4 address, followed by an application server. For the backend (API), the application server is Spring Boot; for the frontend, it is Node.js.

However, I have also added an IPv4 address to each of my application servers so that my deployment scripts have direct access.

The concern now is that if I go directly to these IPs rather than through the respective load balancers, I can still reach my application, but the connection is not secure.

I tried closing incoming ports 80/443 on the application servers, but it doesn't change anything; I can still access the application via the IP.

Here is an image that quickly summarizes the problem (the IPs used are not real): [image: diagram summarizing the problem]

Thank you for your help.

EDIT: [image: the configured firewall rules]

Jedupont

2 Answers


You can restrict access to your Spring Boot server by configuring the firewall to allow access only from your load balancer. You can follow that documentation.


This behaviour is caused by the nat table PREROUTING chain that pushes traffic from port 80 to 8080 on your Spring Boot node.

Jelastic configures this for you by default (so you don't need to do anything to make your application, on port 8080, accessible to the internet), but it means there is a "hidden" part of the firewall rules, which actually looks like this at the server level:

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

So by the time your traffic reaches the filter table INPUT chain (which is what you see within the Jelastic dashboard UI, and which is processed after nat PREROUTING), your traffic is actually on port 8080, even if your browser request was on port 80 (or even 443, with SSL offload by the LB node).

To get your desired behaviour, you need to set appropriate rule conditions for port 8080.

You need to vary the action based on Source:

  • allow requests to 8080 from your load balancer node
  • deny from everywhere else

(use the priority to make sure the load balancer ALLOW is above the global DENY!)

Example:

[image: Jelastic dashboard firewall rules screen, showing a Spring Boot node with a priority 900 ALLOW rule for all traffic from the Load Balancer source, and a priority 1030 "App Port (HTTP)" rule for port 8080 traffic from all sources set to DENY]

Damien - Layershift
  • Thank you very much! It seems to work for Spring Boot, but for Node.js the problem persists. I updated the main post with the configured rules, if you could take a look please. – Jedupont Apr 08 '22 at 08:18
  • The situation with Node.js should be exactly the same in terms of the nat rule concept. https://docs.jelastic.com/container-ports/#ports-auto-redirect describes it (this page is linked from the Jelastic Node.js docs). Perhaps your Node.js app is running on a different port? – Damien - Layershift Apr 08 '22 at 08:47
  • Actually, Node.js nodes are a bit different, so it looks like the only way *might* be to configure the desired firewall rules by hand as described at https://docs.jelastic.com/custom-firewall/#restrict-access-via-ssh – Damien - Layershift Apr 08 '22 at 10:43
  • Thank you for your response. I tried adding `iptables -A INPUT -p tcp --destination-port 80 -j DROP` to this file, but it does not restrict access... even after a restart. – Jedupont Apr 14 '22 at 10:05
  • @Jedupont please use `-I` to insert it at the top of the chain, and note that you need to use the port your Node.js application actually listens on (not port 80). – Damien - Layershift Apr 14 '22 at 10:12
  • Like this: `iptables -A INPUT -I -p tcp --destination-port 3000 -j DROP`? It's not working. – Jedupont Apr 14 '22 at 11:35
  • @Jedupont no, sorry. `-A` means append, and `-I` means insert. So you need `iptables -I INPUT -p tcp --destination-port 3000 -j DROP` – Damien - Layershift Apr 14 '22 at 11:58
  • The problem is still the same, even with this rule activated and after a reboot. Impossible to block access :/ – Jedupont Apr 25 '22 at 07:04
  • @Jedupont can you edit your question to include full details of what rules you're adding for this part, or else contact your hosting provider for their assistance in setting it up (it's what you pay them for!) – Damien - Layershift Apr 25 '22 at 07:07
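The traversal order the second answer describes (nat PREROUTING rewrites the port before filter INPUT is consulted, first matching INPUT rule wins) together with the `-A` versus `-I` ordering point from the comment thread, as an added worked example that is not part of the original answer or of Jelastic's own tooling. It is a toy model written in Python, not a call into iptables; the load balancer address 10.0.0.1, the outsider address 203.0.113.7 and the application port 8080 are assumptions:

```python
# Added example (not from the original answer): a toy model of the netfilter
# path the answer describes. nat PREROUTING runs first and rewrites the
# destination port (REDIRECT 80 -> 8080); only then does filter INPUT see the
# packet, with first-match-wins semantics. Addresses and ports are assumed.
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                     # "ACCEPT", "DROP" or "REDIRECT"
    dport: Optional[int] = None     # --dport (None = any port)
    src: Optional[str] = None       # -s (None = any source)
    redir_to: Optional[int] = None  # --to-ports, REDIRECT only

    def matches(self, pkt: Packet) -> bool:
        return (self.dport is None or pkt.dport == self.dport) and (
            self.src is None or pkt.src == self.src)


class Chain:
    """Ordered rule list; append/insert mirror `iptables -A` / `iptables -I`."""

    def __init__(self, policy: str = "ACCEPT") -> None:
        self.rules: List[Rule] = []
        self.policy = policy

    def append(self, rule: Rule) -> "Chain":     # iptables -A (end of chain)
        self.rules.append(rule)
        return self

    def insert(self, rule: Rule) -> "Chain":     # iptables -I (top of chain)
        self.rules.insert(0, rule)
        return self


def nat_prerouting(pkt: Packet, nat: Chain) -> Packet:
    """REDIRECT rewrites the destination port before filter INPUT runs."""
    for r in nat.rules:
        if r.target == "REDIRECT" and r.matches(pkt):
            return replace(pkt, dport=r.redir_to)
    return pkt


def filter_input(pkt: Packet, flt: Chain) -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for r in flt.rules:
        if r.matches(pkt):
            return r.target
    return flt.policy


def verdict(pkt: Packet, nat: Chain, flt: Chain) -> str:
    return filter_input(nat_prerouting(pkt, nat), flt)


# Assumed topology: load balancer at 10.0.0.1, app listening on 8080, and the
# default REDIRECT of port 80 -> 8080 in nat PREROUTING shown in the answer.
LB_IP = "10.0.0.1"
OUTSIDER = "203.0.113.7"
APP_PORT = 8080
NAT = Chain().append(Rule("REDIRECT", dport=80, redir_to=APP_PORT))


def scenarios() -> dict:
    """Three INPUT chains built the way the question and answer describe."""
    # 1. What the asker tried: `iptables -A INPUT -p tcp --dport 80 -j DROP`.
    #    Never matches, because the packet is already on 8080 at INPUT time.
    dropping_80 = Chain().append(Rule("DROP", dport=80))

    # 2. The answer's fix, in the right order:
    #      iptables -I INPUT -p tcp --dport 8080 -j DROP
    #      iptables -I INPUT -s 10.0.0.1 -p tcp --dport 8080 -j ACCEPT
    #    The second -I lands above the first, so the ACCEPT wins for the LB.
    lb_only = (Chain()
               .insert(Rule("DROP", dport=APP_PORT))
               .insert(Rule("ACCEPT", dport=APP_PORT, src=LB_IP)))

    # 3. Same two rules, but the ACCEPT appended (-A) below the DROP: the
    #    global DENY shadows the LB ALLOW and the load balancer is locked out.
    wrong_order = (Chain()
                   .insert(Rule("DROP", dport=APP_PORT))
                   .append(Rule("ACCEPT", dport=APP_PORT, src=LB_IP)))

    return {
        "drop80_outsider_via_80": verdict(Packet(OUTSIDER, 80), NAT, dropping_80),
        "lbonly_lb_via_80": verdict(Packet(LB_IP, 80), NAT, lb_only),
        "lbonly_outsider_via_80": verdict(Packet(OUTSIDER, 80), NAT, lb_only),
        "lbonly_outsider_direct_8080": verdict(Packet(OUTSIDER, APP_PORT), NAT, lb_only),
        "wrongorder_lb_via_80": verdict(Packet(LB_IP, 80), NAT, wrong_order),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:30s} -> {result}")
```

Running it walks the same three situations the thread went through: a DROP on port 80 is dead code once the REDIRECT has moved the packet to 8080, an ACCEPT-from-LB inserted above a DROP-for-8080 lets only the load balancer through (including direct attempts on 8080 from outside), and appending the ACCEPT below the DROP blocks the load balancer as well, which is the ordering mistake the "priority" remark in the answer warns about. The same logic applies to the Node.js node once 8080 is swapped for the port that application actually listens on.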