
Deny all connections to ports that aren't 443 or 80 over HTTP/HTTPS on NGINX

I'm running a server on Nginx and Ubuntu; the site has a domain. I have an issue where if someone navigates to the IP and an appended port ( https://<ip-addr>:<port> ) it will load up a service that should not be accessed directly like that; the ports can be figured out with nmap.

I'm trying to return a 444 to these types of connections. I've tried adding these under the 'server' block:

    # close the connection (444) for any request whose Host header is not the domain
    if ($host != "domain.tld") {
        return 444;
    }

and

    location / {
        return 444;
    }

Now these work pretty well for denying connections to the IP and restricting it to the domain, but if you do the IP and the port it loads up just fine. If some of these services did not have some form of authentication then they are exposed to anyone and everyone.

I tried using iptables to block the port, but that would also block https://domain.tld/service , and that needs to work.

The service should be accessible only through this URL and not through the IP and port.

Try this

server { # Catch-all for port 80: redirect every plain-HTTP request to https://domain.tld
    listen      80 default_server;
    server_name _; # "_" never matches a real name; default_server is what makes this block catch everything else

    return 301 https://domain.tld$request_uri;
}

server { # Catch-all for port 443: any request whose Host/SNI is not domain.tld
         # (e.g. https://<ip-addr>/) is sent to the canonical https URL
    listen      443 ssl http2 default_server; # must be the default_server, otherwise the domain block below would answer for the bare IP
    server_name _;

    ssl_...  # a certificate is still required here: TLS completes before nginx can read the Host header

    return 301 https://domain.tld$request_uri; # stay on https, no downgrade to http
}

server { # Normal behaviour for the real domain
    listen      443 ssl http2;
    server_name domain.tld *.domain.tld; # matches the domain and its subdomains only

    ssl_...

    location / {
        ...
    }

    ...
}
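The nginx config above only controls what nginx answers on 80 and 443. It cannot do anything about https://<ip-addr>:<port>, because on that port it is the backend service itself, not nginx, that accepts the connection. The fix the question is actually after has three parts: find which services are bound to all interfaces, bind them to 127.0.0.1 and expose them only through a proxy_pass location, and firewall every other inbound port. The firewall does not break https://domain.tld/service, because nginx reaches the backend over the loopback interface, which the ruleset accepts. The script below is an added example, not code from the question or the answer; the domain domain.tld, the backend at 127.0.0.1:8080, the certificate paths and the `ss -ltnH` sample are all hypothetical or constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or the answer above.
# Assumptions (all hypothetical): the site is domain.tld, the backend behind
# /service/ listens on 127.0.0.1:8080, the certificate paths, and the
# `ss -ltnH` sample below, which is constructed rather than captured.

# Constructed `ss -ltnH` output: State Recv-Q Send-Q Local-Address:Port Peer.
# 8080 and 3000 are bound to every interface, so https://<ip>:8080 and
# http://<ip>:3000 work no matter what nginx returns for the bare IP.
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9000 0.0.0.0:*
LISTEN 0 128 [::]:3000 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Print the local address of every listener that is reachable from outside
# and is not on the allowlist ($1, default "22 80 443"). Loopback binds are
# fine: nginx reaches them with proxy_pass, an attacker cannot.
# Usage on a live host:  ss -ltnH | audit_listeners
audit_listeners() {
    awk -v allowed="${1:-22 80 443}" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            n = split($4, p, ":"); port = p[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host == "127.0.0.1" || host == "[::1]" || (port in ok)) next
            print $4
        }'
}

# nginx: the catch-all blocks must be default_server on BOTH ports. On 443 a
# certificate is still needed because TLS finishes before nginx can see the
# Host header; any cert works, the client asked for a bare IP anyway.
nginx_catchall_conf() {
    cat <<'EOF'
server {
    listen 80 default_server;
    server_name _;            # "_" never matches; default_server does the catching
    return 444;
}

server {
    listen 443 ssl http2 default_server;
    server_name _;
    ssl_certificate     /etc/nginx/ssl/catchall.crt;  # hypothetical, self-signed is fine
    ssl_certificate_key /etc/nginx/ssl/catchall.key;  # hypothetical
    return 444;
}

server {
    listen 80;
    server_name domain.tld;
    return 301 https://domain.tld$request_uri;
}

server {
    listen 443 ssl http2;
    server_name domain.tld;
    ssl_certificate     /etc/letsencrypt/live/domain.tld/fullchain.pem;  # hypothetical
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;    # hypothetical

    # The backend is bound to 127.0.0.1:8080, so this location is its only way in.
    location /service/ {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
}

# nftables: drop every inbound TCP port except SSH, 80 and 443. Traffic from
# nginx to 127.0.0.1:8080 arrives on lo, so https://domain.tld/service keeps
# working while https://<ip>:8080 is dropped even if the backend is later
# rebound to 0.0.0.0. Apply with:  nft_rules | sudo nft -f /dev/stdin
nft_rules() {
    cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport { 22, 80, 443 } accept
    }
}
EOF
}

# Stand-alone run: list the exposed listeners in the constructed sample.
printf '%s\n' "$SAMPLE_SS" | audit_listeners
```

Run the audit first: anything it prints other than nginx's own 80 and 443 is a service that should be rebound to 127.0.0.1 (or a Unix socket) and given a proxy_pass location. Only then apply the nftables ruleset, and keep the SSH port in the allowlist or you lock yourself out.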

Statement: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost, credit this site or the original URL. Questions: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM