acloudtree

How to: Deny Hosts Using Nginx

I noticed my nginx log file filling up with requests for a site whose DNS was misconfigured. Normally I wouldn’t worry about it, but it quickly became evident that the domain was being used as an image server for a parent site. That was thousands of RPS that I really didn’t need.

All I did was add the following expression to the server block in my nginx.conf file.

server {
 
   ...snip...
 
     ## Deny illegal Host headers (dots escaped so "." only matches a literal dot)
      if ($host !~* ^(mydomain\.com|www\.mydomain\.com)$ ) {
        return 444;
      }
 
  ...snip...
 
}

Now if you look at the code, you may be thinking “But Jared, what is a 444 error? That is totally not valid bro.” And indeed, you are correct. But here is what the nginx documentation has to say about it.

“Furthermore, nonstandard code 444 closes the connection without sending any headers.”

So basically, my expression above says, in plain English:

“If you are not making a request using the valid hostname of my server, then I’m just going to close the connection and return you nothing. nada. zip.”
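To see which Host values are actually eating the request rate, before or after adding the deny rule, here is an added example that is not from the post: a small POSIX shell script that tallies requests per $host in an access log written with the calomel-style "main" log_format quoted further down this page, and lists every host that the "if ($host !~* ...)" rule would have answered with 444. The sample log lines are constructed, the allowed hosts are the post's mydomain.com and www.mydomain.com, and the helper names (host_allowed, rogue_hosts, write_sample_log, demo) are my own. The allow pattern escapes the dots, which the post's one-liner does not; without the escape a dot matches any character, so a lookalike such as mydomainXcom would be served.

```shell
#!/bin/sh
# Added example, not code from the post. Tally requests per Host header in an
# nginx access log written with the "main" log_format quoted on this page:
#   $remote_addr $host $remote_user [$time_local] "$request" $status ...
# $host is the second whitespace-separated field, so awk can count it without
# a full parser, and the hosts the deny rule would drop are listed busiest first.

# Anchored, case-insensitive allow pattern matching the post's nginx rule
#   if ($host !~* ^(mydomain.com|www.mydomain.com)$ ) { return 444; }
# with the dots escaped so that "mydomainXcom" is not accepted by accident.
ALLOWED_HOST_RE='^(mydomain\.com|www\.mydomain\.com)$'

# host_allowed HOST -> exit 0 if nginx would serve it, 1 if it would get a 444
host_allowed() {
    printf '%s\n' "$1" | grep -Eiq "$ALLOWED_HOST_RE"
}

# rogue_hosts LOGFILE -> prints "count host", busiest first, for every host
# outside the allow list; the misconfigured DNS owner surfaces at the top.
rogue_hosts() {
    awk '{ n[$2]++ } END { for (h in n) print n[h], h }' "$1" \
      | sort -rn \
      | while read -r count host; do
            host_allowed "$host" || printf '%s %s\n' "$count" "$host"
        done
}

# write_sample_log FILE -> constructed sample traffic (not real log data):
# two legitimate requests, three from a foreign image hostname pointed at this
# server by mistake, and one probe with a lookalike Host that an unescaped
# dot would have matched.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.10 mydomain.com - [10/Oct/2010:13:55:36 -0700] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0" - 0.002
203.0.113.11 WWW.MYDOMAIN.COM - [10/Oct/2010:13:55:37 -0700] "GET /a.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0" - 0.001
198.51.100.5 img.other-site.example - [10/Oct/2010:13:55:37 -0700] "GET /x.jpg HTTP/1.1" 444 0 "-" "Mozilla/5.0" - 0.000
198.51.100.6 img.other-site.example - [10/Oct/2010:13:55:38 -0700] "GET /y.jpg HTTP/1.1" 444 0 "-" "Mozilla/5.0" - 0.000
198.51.100.7 img.other-site.example - [10/Oct/2010:13:55:38 -0700] "GET /z.jpg HTTP/1.1" 444 0 "-" "Mozilla/5.0" - 0.000
192.0.2.9 mydomainXcom - [10/Oct/2010:13:55:39 -0700] "GET / HTTP/1.1" 444 0 "-" "curl/7.19" - 0.000
EOF
}

# demo -> run the tally over the sample log; prints
#   3 img.other-site.example
#   1 mydomainXcom
demo() {
    log=$(mktemp)
    write_sample_log "$log"
    rogue_hosts "$log"
    rm -f "$log"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as "sh deny_hosts_tally.sh demo" (the file name is my own) to see the sample output; point rogue_hosts at a real access.log to see who is hitting your server under a name you do not serve. Since the allow check is the same anchored expression nginx uses, anything the script lists is exactly what the 444 rule will silently drop.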

For the record, I got a lot of value out of this article over @ calomel.org, but the site seems to have issues, so I copied their nginx.conf file here for historical purposes.

## Compression
  gzip              on;
  gzip_static       on;
  gzip_buffers      16 8k;
  gzip_comp_level   9;
  gzip_http_version 1.0;
  gzip_min_length   0;
  gzip_types        text/plain text/html text/css image/x-icon image/bmp;
  gzip_vary         on;
 
 ## Log Format
  log_format  main  '$remote_addr $host $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time';
 
 ## Deny access to any host other than (www.)mydomain.com
    server {
         server_name  _;  #default
         return 444;
     }
 
 ## Server (www.)mydomain.com
  server {
      add_header  Cache-Control public;
      access_log  /var/log/nginx/access.log main buffer=32k;
      error_log   /var/log/nginx/error.log info;
      expires     31d;
      limit_conn  gulag 5;
      listen      127.0.0.1:8080 rcvbuf=64k backlog=128;
      root        /htdocs;
      server_name mydomain.com www.mydomain.com;
 
     ## Only allow GET and HEAD request methods
      if ($request_method !~ ^(GET|HEAD)$ ) {
         return 444;
      }
 
     ## Deny illegal Host headers
      if ($host !~* ^(mydomain\.com|www\.mydomain\.com)$ ) {
        return 444;
      }
 
     ## Deny certain User-Agents (case insensitive)
     ## The ~* makes it case insensitive as opposed to just a ~
     if ($http_user_agent ~* (Baiduspider|Jullo) ) {
        return 444;
     }
 
     ## Deny certain Referers (case insensitive)
     ## The ~* makes it case insensitive as opposed to just a ~
     if ($http_referer ~* (babes|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|sex|teen|video|webcam|zippo) ) {
        return 444;
     }
 
     ## Redirect from www to non-www
      if ($host = 'www.mydomain.com' ) {
        rewrite  ^/(.*)$  http://mydomain.com/$1  permanent;
      }
 
     ## Stop Image and Document Hijacking
      location ~* (\.jpg|\.png|\.css)$ {
        if ($http_referer !~ ^(http://mydomain\.com) ) {
          return 444;
        }
      }
 
     ## Restricted Access directory
      location ^~ /secure/ {
            allow 127.0.0.1/32;
            allow 10.10.10.0/24;
            deny all;
            auth_basic "RESTRICTED ACCESS";
            auth_basic_user_file /var/www/htdocs/secure/access_list;
        }
 
     ## Only allow these full URI paths relative to document root. If you only want
     ## to reference the filename use $request_filename instead of $request_uri
      location / {
        if ($request_uri ~* (^\/|\.html|\.jpg|\.org|\.png|\.css|favicon\.ico|robots\.txt)$ ) {
          break;
        }
        return 444;
      }
 
     ## Serve an empty 1x1 gif _OR_ an error 204 (No Content) for favicon.ico
      location = /favicon.ico {
       #empty_gif;
        return 204;
      }
 
      ## System Maintenance (Service Unavailable)
      if (-f $document_root/system_maintenance.html ) {
        error_page 503 /system_maintenance.html;
        return 503;
      }
 
     ## All other errors get the generic error page
      error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497
                 500 501 502 503 504 505 506 507 /error_page.html;
      location  /error_page.html {
          internal;
      }
  }
}
#
#######################################################
###  Calomel.org  /etc/nginx.conf  END
#######################################################

(Nerd) How to: Setup Virtual Hosts on Ubuntu 9.10 using Apache2 + MySQL5.X + PHP5

I have been working on a couple of projects that are hosted on GitHub. As the scale and scope of the projects grew, I ended up needing to set up multiple virtual hosts on my development machine. It wasn’t hard, but the information I found online was fairly dated, so I created this tutorial.

This entire tutorial is done after entering the ‘sudo -i’ command, which lets us act as the superuser for the rest of the terminal session. You’ve been warned.

sudo -i

NOTICE!!! I am aware that we could use the ‘a2ensite’ and related commands, but for the sake of understanding the entire process, I will not be using them.

1) Install the required modules from the command line

apt-get install apache2 mysql-server mysql-client php5 php5-cli php5-mysql

2) Change the directory to /etc/apache2/sites-available

cd /etc/apache2/sites-available

3) If you run the ‘ls’ command while in the sites-available directory, you should see the following

ls

Output

default  default-ssl

4) Copy the ‘default’ config to a site-specific config. For this tutorial I am using dev.acloudtree.com.

cp default dev.acloudtree.com.conf

5) Make the application directory

mkdir /var/dev.acloudtree.com

6) Open the file with an editor of your choosing. I prefer VIM.

vi dev.acloudtree.com.conf

The output below is the entire file, but I will only discuss the parts we need to edit.

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
 
        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
 
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>
 
        ErrorLog /var/log/apache2/error.log
 
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
 
        CustomLog /var/log/apache2/access.log combined
 
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
 
</VirtualHost>

7) Add the name of the server. This will be the name that you type in the URL field of your web browser (e.g. Firefox).

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
	ServerName dev.acloudtree.com
...

8) Point the virtual host to the correct directory

...
        DocumentRoot /var/dev.acloudtree.com
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
...

9) Also make the change here.

...
        <Directory /var/dev.acloudtree.com/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
...

10) So this is what your dev.acloudtree.com.conf file should look like when you are done. Write/quit the file and we will move on.

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
	ServerName dev.acloudtree.com
 
        DocumentRoot /var/dev.acloudtree.com
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/dev.acloudtree.com/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
 
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>
 
        ErrorLog /var/log/apache2/error.log
 
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
 
        CustomLog /var/log/apache2/access.log combined
 
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
 
</VirtualHost>

10a) IMPORTANT! Make a symbolic link in the sites-enabled directory

ln -s /etc/apache2/sites-available/dev.acloudtree.com.conf /etc/apache2/sites-enabled/000-dev.acloudtree.com.conf

11) We need to edit our /etc/hosts file

vi /etc/hosts

Output

127.0.0.1       localhost 
127.0.1.1       servername
 
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

12) Right beneath the ‘localhost’ definition, add the following

127.0.0.1      dev.acloudtree.com

13) The complete file looks like this.

127.0.0.1       localhost
127.0.0.1       dev.acloudtree.com
127.0.1.1       servername
 
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

14) Create an index.php file in /var/dev.acloudtree.com for testing purposes.

vi /var/dev.acloudtree.com/index.php

Contents of the .php file:

<?php
 
        echo 'Jared Folkins\' tutorial on acloudtree.com really works!';
        phpinfo();
 
?>

15) Restart the apache2 process.

/etc/init.d/apache2 restart

16) Now open up your web browser and enter dev.acloudtree.com into the URL bar and it should work!

UPDATE: I forgot to mention that in this environment, I like to configure log files for each virtual host. This is our current dev.acloudtree.com file.

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
	ServerName dev.acloudtree.com
 
        DocumentRoot /var/dev.acloudtree.com
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/dev.acloudtree.com/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
 
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>
 
        ErrorLog /var/log/apache2/error.log
 
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
 
        CustomLog /var/log/apache2/access.log combined
 
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
 
</VirtualHost>

Just change the ErrorLog and CustomLog names to match the virtual host.

...
        ErrorLog /var/log/apache2/dev.acloudtree.com_error.log
 
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
 
        CustomLog /var/log/apache2/dev.acloudtree.com_access.log combined
...
</VirtualHost>
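As an added example (not the post's own script), here are steps 4 through 15 plus the per-vhost logging from the UPDATE as one POSIX shell script. It assumes the same Apache 2.2 layout on Ubuntu 9.10 as the post and a root shell (after sudo -i); the helper names render_vhost, add_hosts_entry and setup_vhost are my own. It deviates from the post in a few deliberate ways: the /etc/hosts entry is appended only if it is not already there, so the script is safe to re-run; the cgi-bin ScriptAlias, the /doc alias and Indexes are left out because a development vhost does not need them; and apache2 is only restarted after apache2ctl configtest passes, so a typo in the new file cannot take the other vhosts down with it.

```shell
#!/bin/sh
# Added example, not from the post: the post's virtual host steps as one
# re-runnable script for Apache 2.2 on Ubuntu 9.10, to be run as root.
# Helper names (render_vhost, add_hosts_entry, setup_vhost) are hypothetical.

# render_vhost NAME DOCROOT -> prints the VirtualHost block from the post's
# step 10 with the per-vhost logs from the post's UPDATE. Indexes, the cgi-bin
# ScriptAlias and the /doc alias from the 'default' template are omitted
# because a dev vhost does not need directory listings or CGI.
render_vhost() {
    name=$1
    docroot=$2
    cat <<EOF
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName $name

        DocumentRoot $docroot
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory $docroot/>
                Options FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ErrorLog /var/log/apache2/${name}_error.log
        LogLevel warn
        CustomLog /var/log/apache2/${name}_access.log combined
</VirtualHost>
EOF
}

# add_hosts_entry HOSTSFILE NAME -> appends "127.0.0.1 NAME" unless a
# non-comment line already names NAME, so re-running never piles up duplicates.
# (The post inserts the line right under localhost; appending is equivalent.)
add_hosts_entry() {
    hosts=$1
    name=$2
    if grep -Eq "^[^#]*[[:space:]]$name([[:space:]]|$)" "$hosts"; then
        return 0
    fi
    printf '127.0.0.1\t%s\n' "$name" >> "$hosts"
}

# setup_vhost NAME -> steps 4 to 15: docroot, config, sites-enabled symlink,
# hosts entry, test page, then a restart only if the config parses.
setup_vhost() {
    name=$1
    docroot=/var/$name
    conf=/etc/apache2/sites-available/$name.conf
    mkdir -p "$docroot"
    render_vhost "$name" "$docroot" > "$conf"
    ln -sf "$conf" "/etc/apache2/sites-enabled/000-$name.conf"
    add_hosts_entry /etc/hosts "$name"
    if [ ! -e "$docroot/index.php" ]; then
        printf '<?php\n    echo "vhost %s is up";\n    phpinfo();\n?>\n' "$name" > "$docroot/index.php"
    fi
    apache2ctl configtest && /etc/init.d/apache2 restart
}

# Only touch the system when explicitly asked: sh vhost.sh install NAME
if [ "${1:-}" = "install" ]; then
    setup_vhost "${2:-dev.acloudtree.com}"
fi
```

Invoke it as "sh vhost.sh install dev.acloudtree.com" (the file name is my own). Because render_vhost and add_hosts_entry are plain functions, you can also source the file and run render_vhost on its own to review the generated config before anything is written under /etc.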

Copyright © Jared Folkins