
Disable Direct IP Access on VestaCP NGINX + Apache2

@Samaraweera270

Posted in: #Nginx

In the current version of VestaCP once you install it and access your server's IP it will return the latest website you've added in VestaCP.

This is bad on so many levels and I consider it a vulnerability.
An example: you are hosting a website and hiding it behind a service like Cloudflare; an attacker could find your server's IP using a service like Shodan.io and DDoS you even though you are using Cloudflare.
Another example: you are hosting an anonymous Tor website, but people can find the IP of your server using Shodan.io, thus destroying the anonymous part.

I would like to make it so it returns a 444 response when you directly access the server via its IP.

Currently, this is how the NGINX config works using VestaCP:

/etc/nginx/nginx.conf:

# Server globals
user nginx;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log crit;
pid /var/run/nginx.pid;


# Worker config
events {
worker_connections 1024;
use epoll;
multi_accept on;
}


http {
# Main settings
sendfile on;
tcp_nopush on;
tcp_nodelay on;
client_header_timeout 1m;
client_body_timeout 1m;
client_header_buffer_size 2k;
client_body_buffer_size 256k;
client_max_body_size 256m;
large_client_header_buffers 4 8k;
send_timeout 30;
keepalive_timeout 60 60;
reset_timedout_connection on;
server_tokens off;
server_name_in_redirect off;
server_names_hash_max_size 512;
server_names_hash_bucket_size 512;


# Log format
log_format main '$remote_addr - $remote_user [$time_local] $request '
'"$status" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format bytes '$body_bytes_sent';
#access_log /var/log/nginx/access.log main;
access_log off;


# Mime settings
include /etc/nginx/mime.types;
default_type application/octet-stream;


# Compression
gzip on;
gzip_comp_level 9;
gzip_min_length 512;
gzip_buffers 8 64k;
gzip_types text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
gzip_proxied any;
gzip_disable "MSIE [1-6].";


# Proxy settings
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_header Set-Cookie;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;


# Cloudflare www.cloudflare.com/ips
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
#set_real_ip_from 2400:cb00::/32;
#set_real_ip_from 2606:4700::/32;
#set_real_ip_from 2803:f800::/32;
#set_real_ip_from 2405:b500::/32;
#set_real_ip_from 2405:8100::/32;
#set_real_ip_from 2c0f:f248::/32;
#set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP;


# SSL PCI Compliance
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";


# Error pages
error_page 403 /error/403.html;
error_page 404 /error/404.html;
error_page 502 503 504 /error/50x.html;


# Cache settings
proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
proxy_cache_key "$host$request_uri $cookie_user";
proxy_temp_path /var/cache/nginx/temp;
proxy_ignore_headers Expires Cache-Control;
proxy_cache_use_stale error timeout invalid_header http_502;
proxy_cache_valid any 1d;


# Cache bypass
map $http_cookie $no_cache {
default 0;
~SESS 1;
~wordpress_logged_in 1;
}


# File cache settings
open_file_cache max=10000 inactive=30s;
open_file_cache_valid 60s;
open_file_cache_min_uses 2;
open_file_cache_errors off;


# Wildcard include
include /etc/nginx/conf.d/*.conf;
}


As you can see, at the end of the file it includes every file in /etc/nginx/conf.d/ that ends with .conf.

There are three notable files in the /etc/nginx/conf.d/ directory: 92.222.36.xxx.conf, status.conf and vesta.conf.

92.222.36.xxx.conf: (By default this is the public IP of the server and I've removed the last three numbers to hide my server's IP)

server {
listen 92.222.36.xxx:80 default;
server_name _;
#access_log /var/log/nginx/92.222.36.xxx.log main;
location / {
proxy_pass http://92.222.36.xxx:8080;
}
}


As far as I understand, this is used as a default and it forwards all the HTTP connections for which there isn't a defined server_name to Apache2.

status.conf:

server {
listen 127.0.0.1:8084 default;
server_name _;
server_name_in_redirect off;
location / {
stub_status on;
access_log off;
}
}


Used internally for checking the status of NGINX.

vesta.conf:

include /home/admin/conf/web/exampledomain.net.nginx.conf;
include /home/admin/conf/web/exampledomain.net.nginx.ssl.conf;


For each new site you add, it creates these files.

This is what those files look like:

exampledomain.net.nginx.conf:

server {
listen 92.222.36.xxx:80;
server_name exampledomain.net exampledomain.net;
error_log /var/log/httpd/domains/exampledomain.net.error.log error;

location / {
proxy_pass http://92.222.36.xxx:8080;
location ~* ^.+\.(jpg|jpeg|gif|png|ico|svg|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|odt|ods|odp|odf|tar|wav|bmp|rtf|js|mp3|avi|mpeg|flv|html|htm)$ {
root /home/admin/web/exampledomain.net/public_html;
access_log /var/log/httpd/domains/exampledomain.net.log combined;
access_log /var/log/httpd/domains/exampledomain.net.bytes bytes;
expires max;
try_files $uri @fallback;
}
}

location /error/ {
alias /home/admin/web/exampledomain.net/document_errors/;
}

location @fallback {
proxy_pass http://92.222.36.xxx:8080;
}

location ~ /\.ht {return 404;}
location ~ /\.svn/ {return 404;}
location ~ /\.git/ {return 404;}
location ~ /\.hg/ {return 404;}
location ~ /\.bzr/ {return 404;}

include /home/admin/conf/web/exampledomain.net.conf*;
}

server {
listen 92.222.36.xxx:443;
server_name exampledomain.net exampledomain.net;
ssl on;
ssl_certificate /home/admin/conf/web/ssl.exampledomain.net.pem;
ssl_certificate_key /home/admin/conf/web/ssl.exampledomain.net.key;
error_log /var/log/httpd/domains/exampledomain.net.error.log error;

location / {
proxy_pass https://92.222.36.xxx:8443;
location ~* ^.+\.(jpg|jpeg|gif|png|ico|svg|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|odt|ods|odp|odf|tar|wav|bmp|rtf|js|mp3|avi|mpeg|flv|html|htm)$ {
root /home/admin/web/exampledomain.net/public_html;
access_log /var/log/httpd/domains/exampledomain.net.log combined;
access_log /var/log/httpd/domains/exampledomain.net.bytes bytes;
expires max;
try_files $uri @fallback;
}
}

location /error/ {
alias /home/admin/web/exampledomain.net/document_errors/;
}

location @fallback {
proxy_pass https://92.222.36.xxx:8443;
}

location ~ /\.ht {return 404;}
location ~ /\.svn/ {return 404;}
location ~ /\.git/ {return 404;}
location ~ /\.hg/ {return 404;}
location ~ /\.bzr/ {return 404;}

include /home/admin/conf/web/snginx.exampledomain.net.conf*;
}


Now I have tried editing the 92.222.36.xxx.conf to this:

server {
listen 92.222.36.xxx:80 default;
server_name _;
#access_log /var/log/nginx/92.222.36.xxx.log main;
return 444;
}


And it did seem to work: I could access my website using the domain name, and accessing it via the IP would result in an ERR_EMPTY_RESPONSE.

But while accessing 92.222.36.xxx/ it would still return the HTTPS version of my domain name; this is where my troubles started.

I tried doing this to 92.222.36.xxx.conf:

server {
listen 92.222.36.xxx:80 default;
listen 92.222.36.xxx:443 default;
server_name _;
#access_log /var/log/nginx/92.222.36.xxx.log main;
return 444;
}


While accessing my service over HTTPS using the IP, it returned an ERR_SSL_PROTOCOL_ERROR, and while accessing it over HTTPS using the domain name it also returned ERR_SSL_PROTOCOL_ERROR.

I've been trying to fix this for a few hours now but couldn't.

I would be glad to receive some help in fixing this.

Thank you.


@Samaraweera270

I have found the solution and it works perfectly.

This is what the working 92.222.36.xxx.conf looks like:

server {
listen 92.222.36.xxx:80 default;
server_name _;
return 444;
}

server {
listen 92.222.36.xxx:443 default;
server_name _;
ssl on;
ssl_certificate /home/admin/conf/web/example.net.pem;
ssl_certificate_key /home/admin/conf/web/example.net.key;
return 444;
}


The certificate and certificate key are dummies; make sure they don't leak domain names of other websites hosted on the server.
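As an added example (not the poster's own code), a POSIX shell script that produces the kind of dummy certificate the answer calls for, with no hosted domain name anywhere in it, and a curl check that direct IP access over both HTTP and HTTPS gets the empty reply that nginx's `return 444` produces. The file paths, the IP and the domain names are assumptions; adjust them to your server.

```shell
#!/bin/sh
# Added example, not part of the original post or of VestaCP.
set -eu

# Write a self-signed cert/key pair whose only name is "localhost", so the
# catch-all :443 server cannot leak a hosted domain through its certificate.
make_dummy_cert() {
    cert="$1"; key="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=localhost" -keyout "$key" -out "$cert" >/dev/null 2>&1
}

# Dump the certificate as text so every embedded name (subject, issuer,
# SAN) can be inspected before the file goes into nginx.
cert_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null
}

# Return 0 when the certificate mentions none of the given real domains.
# Usage: cert_leaks_none /path/dummy.pem exampledomain.net other.example
cert_leaks_none() {
    cert="$1"; shift
    names=$(cert_names "$cert")
    for d in "$@"; do
        case "$names" in *"$d"*) return 1 ;; esac
    done
    return 0
}

# Verify the fix from the outside (needs network access to the server).
# nginx's 444 closes the connection without sending a response, which curl
# reports as exit code 52 ("Empty reply from server"); -k skips verification
# of the dummy certificate so the HTTPS handshake can complete first.
check_direct_ip() {
    ip="$1"; rc_http=0; rc_https=0
    curl -s -o /dev/null "http://$ip/" || rc_http=$?
    curl -sk -o /dev/null "https://$ip/" || rc_https=$?
    [ "$rc_http" -eq 52 ] && [ "$rc_https" -eq 52 ]
}

# Example run against the (assumed) server from the post:
#   make_dummy_cert /home/admin/conf/web/example.net.pem /home/admin/conf/web/example.net.key
#   cert_leaks_none /home/admin/conf/web/example.net.pem exampledomain.net
#   check_direct_ip 92.222.36.xxx
# The named site should still answer normally, e.g.:
#   curl -sS --resolve exampledomain.net:443:92.222.36.xxx https://exampledomain.net/
```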
