Khaled A

Reputation: 621

How to disable direct access to a web site by IP address

I have a website on a VPS.

The issue I am having is that when I enter the IP of the server, it links to the website.
Even when entering mail.domain.com, it does the same thing.

How do I disable that, so a visitor would get a message or be directed to the domain?

I tried disabling the IP and mail A record on Cloudflare, but it didn't work.

My setup is:

VPS on Linux Debian 
Nginx
no control panel just command line
Cloudflare
DNS setup with BIND

Upvotes: 62

Views: 90923

Answers (10)

jareeq

Reputation: 441

Neither of the above helped in my case: an IP connection over http works as expected, but https was redirecting to the alphabetically first https virtual site. What worked with nginx below 1.19.4 was to add a null certificate to the block:

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  # "ssl" is needed on the 443 listeners for the certificate below to be used
  listen 443 ssl default_server;
  listen [::]:443 ssl default_server;

  ssl_certificate /etc/ssl/null.crt;
  ssl_certificate_key /etc/ssl/null.key;

  server_name "";
  return 444;
}

The certificate can be generated with an empty CN, so you need not worry about filling it in.

openssl req -x509 -newkey rsa:2048 -days 10000 -nodes  -subj '/CN=' -keyout null.key -out null.crt

Then http/https returns 444 (ERR_EMPTY_RESPONSE); in different configurations https returns ERR_HTTP2_PROTOCOL_ERROR with your null certificate, which is also fine to show there is nothing there.

For nginx 1.19.4 it is simpler. It introduced ssl_reject_handshake on | off (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake), so you can replace the certificate 'stuff' with:

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  # "ssl" is needed on the 443 listeners for ssl_reject_handshake to apply
  listen 443 ssl default_server;
  listen [::]:443 ssl default_server;

  ssl_reject_handshake on;

  server_name "";
  return 444;
}

And now you get http 444 (ERR_EMPTY_RESPONSE) and for https ERR_SSL_UNRECOGNIZED_NAME_ALERT. No null certificates are needed.

Upvotes: 19
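A way to check a configuration for the behaviour these answers discuss, as an added example that is not part of any answer in the thread: nginx hands a request whose Host matches no server_name (such as the bare IP) to the default_server for that listen address, or to the first block defined for it, and this sketch reports listen addresses where that fallback is a real site rather than a sink. The function names and sample configs are constructed for illustration; it assumes listens can be compared by their literal address string and treats a top-level return or ssl_reject_handshake on as a sink.

```python
import re

def parse_servers(conf):
    """Return (listens, is_sink) per server block; listens = [(addr, is_default)]."""
    conf = re.sub(r'#.*', '', conf)                  # drop comments
    servers = []
    for m in re.finditer(r'\bserver\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):               # brace-match the block body
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i - 1]
        while re.search(r'\{[^{}]*\}', body):        # discard nested blocks (location, if)
            body = re.sub(r'[^;{}]*\{[^{}]*\}', '', body)
        d = [x.split() for x in body.split(';') if x.strip()]
        listens = [(x[1], 'default_server' in x or 'default' in x)
                   for x in d if x[0] == 'listen'] or [('80', False)]
        # sink = never serves content: unconditional return, or TLS handshake rejected
        is_sink = any(x[0] == 'return' or x[:2] == ['ssl_reject_handshake', 'on'] for x in d)
        servers.append((listens, is_sink))
    return servers

def exposed_listens(conf):
    """Listen addresses whose fallback (default_server, else first block) is not a sink."""
    fallback = {}                                    # addr -> (is_sink, is_default)
    for listens, is_sink in parse_servers(conf):
        for addr, is_default in listens:
            if addr not in fallback or (is_default and not fallback[addr][1]):
                fallback[addr] = (is_sink, is_default)
    return sorted(a for a, (sink, _) in fallback.items() if not sink)

# Constructed sample configs (hypothetical domain and paths)
VHOST = """server {
    listen 80;
    listen 443 ssl;
    server_name domain.com www.domain.com;
    location / { root /var/www/html; }
}
"""
SINK = """server {
    listen 80 default_server;
    listen 443 ssl default_server;
    ssl_reject_handshake on;
    server_name "";
    return 444;
}
"""
if __name__ == "__main__":
    print(exposed_listens(VHOST), exposed_listens(SINK + VHOST))
```

Feeding it the text printed by nginx -T checks the merged configuration rather than a single file.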

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 default_server;
    listen [::]:443 default_server;
    return 444;
}

Don't bother supporting HTTP/2 or SSL connection for a sink. It does catch-all without those unnecessities. For the unsupported, it just refuses such connections.

See https://stackoverflow.com/a/68042877/4510033.

Upvotes: 2

user3552325

Reputation: 415

if ($http_host != "example.com") {
    return 301 https://example.com;
}

Upvotes: 1

user1642018

Reputation:

server {
    listen      80 default_server;
    listen      [::]:80 default_server;
    server_name "";
    return      444;
}

You need to specify the default_server parameter so that all requests for non-available servers go to this server block, which throws a 444 error.

444 : CONNECTION CLOSED WITHOUT RESPONSE

ref: https://httpstatuses.com/444

Upvotes: 56

Sid

Reputation: 4502

Put this at the top of your /etc/nginx/conf.d/SERVER_IP_ADDRESS.conf file and comment out everything below it.

# disabling accessing the server by IP address
server {
        listen SERVER_IP_ADDRESS:80 default;
        server_name _;
        return 404;
}

Then restart your Nginx server (on Ubuntu this is done with the command service nginx restart).

Now when you put your server's IP address into the browser's URL field, you will get a 404 error.

Upvotes: 2

Kapil

Reputation: 61

You can use redirect, nginx config:

server {
        listen 80;
        server_name IP_ADDRESS;
        return 301 http://YOUR.DOMAIN;
}

Upvotes: 6

Kareem

Reputation: 5404

You can return any error you find suitable. A list of errors can be found here: List_of_HTTP_status_codes

server {
    listen      x.x.x.x:80;
    server_name x.x.x.x;
    return      404;
}  

Upvotes: 4

Chernov

Reputation: 562

You can use redirect, nginx config:

server {
        listen 80;
        server_name IP_ADDRESS;
        return 301 http://YOUR.DOMAIN;
}

Upvotes: 43

okin2014

Reputation: 323

You can just add a server directive before others.

server {
    listen 80;
    server_name _;
    return 404;
}

Upvotes: 19

user2972081

Reputation: 641

You may try to set the server IP address in:

/etc/nginx/conf.d/default.conf

So it looks like this:

server {
    listen 80;
    server_name localhost IP.OF.VPS.HERE;
    # ... rest of this server block
}

Then you can specify the subdomain vhost, like:

server {
        listen 80;
        server_name subdomain.domain.com;
        # ... rest of this vhost's configuration
}

And the main domain, like:

server {
        listen 80;
        server_name www.domain.com domain.com;
        # ... rest of this vhost's configuration
}

Then restart Nginx:

/etc/init.d/nginx restart

Each vhost should have its own *.conf file (for better organization), like:

/etc/nginx/conf.d/subdomain.domain.com.conf
/etc/nginx/conf.d/domain.com.conf
/etc/nginx/conf.d/default.conf

Upvotes: 1
