
In AWS I need help to deny access by public IP or public DNS and to allow access only by domain (CNAME)

I have an AWS EC2 instance with an Elastic IP, Route53 with my domain, and nginx on the server. This works fine, but

I have seen how other websites work, e.g. amazon.com and udemy.com: if you access them directly by public IP or public DNS you get an error. My question is how I can configure mine to do the same.

Example:
browser URL by domain: amazon.com = ok
browser URL by public IP: 52.222.137.64 = 400-403 error
browser URL by public DNS: server-52-222-137-64.ams50.r.cloudfront.net = 400-403 error

browser URL by domain: example.com = ok
browser URL by public IP: 124.34.32.245 = ok
browser URL by public DNS: ec2-124.34.32.245.eu-west-3.compute.amazonaws.com = ok

Thanks all for your help.

example.com is a substitute for my domain; this is my config:

server {
    listen                  8089 ssl http2;
    listen                  [::]:8089 ssl http2;
    server_name             example.com;
    root                    /var/www/example.com/public;

    # SSL
    ssl_certificate         /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/example.com/privkey.pem;
    #ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    ssl_dhparam             /etc/letsencrypt/ssl-dhparams.pem;

    # security
    include                 nginxconfig.io/security.conf;

    location / {
        proxy_set_header    Accept-Encoding "";
        try_files           $uri $uri/ /index.html;
    }

    # additional config
    include                 nginxconfig.io/general.conf;
}

server {
    listen      8080;
    listen      [::]:8080;
    server_name example.com;
    include     nginxconfig.io/letsencrypt.conf;

    location / {
        return 301 https://example.com$request_uri;
    }
}

I forgot to mention that I also use Docker; I don't know whether that has something to do with it.

Try adding this:

# inside the server block: dots escaped and the pattern anchored,
# so only the exact name www.example.com is accepted
if ($host !~* ^(www\.example\.com)$) {
    return 444;
}

This will give 444 as the response to all requests that do not carry your domain name.

What is the server name configured in your nginx conf?

http://nginx.org/en/docs/http/server_names.html

If you put the actual name, you should be able to make it reject the request if that name isn't used.

I came up with this solution before asking, but since I'm quite new I don't know whether it is good practice. Adding to my config:

server {
    listen       8089;
    listen       [::]:8089;
    # my public IP or my public DNS name
    server_name  x.x.x.x;

    location / {
        return 403;
    }

    error_page 403 /403.html;
    error_page 501 =500 /50x.html;
    error_page 500 502 503 504 /50x.html;

    location /403.html {
        root /usr/share/nginx/html;
        # allow all;
    }

    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

This way I can handle it as I want.
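A catch-all variant of the two approaches above, added here as an example and not code from either answer: it reuses the ports and certificate paths from the question, needs no `if` on $host and no extra server_name per IP or DNS name, and assumes nginx 1.19.4 or newer for `ssl_reject_handshake`.

```nginx
# Catch-all servers: any request whose Host (HTTP) or SNI (TLS) is not one
# of our names, i.e. the public IP, the EC2 public DNS name or no name at
# all, lands here and never reaches the real site.

# Plain HTTP on 8080: close the connection without sending a response.
server {
    listen      8080 default_server;
    listen      [::]:8080 default_server;
    server_name _;      # placeholder that matches no real name; default_server does the routing
    return      444;    # nginx-specific code: drop the connection, send nothing
}

# TLS on 8089: refuse the handshake when SNI is not one of our names.
# A client connecting by IP sends no SNI, so it gets a TLS error and
# never sees a certificate or a page. No certificate is needed here.
server {
    listen      8089 ssl default_server;
    listen      [::]:8089 ssl default_server;
    server_name _;
    ssl_reject_handshake on;    # requires nginx >= 1.19.4 (assumption)
}

# The real site keeps its own names and certificate (from the question).
server {
    listen      8089 ssl http2;
    listen      [::]:8089 ssl http2;
    server_name example.com www.example.com;
    root        /var/www/example.com/public;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        try_files $uri $uri/ /index.html;
    }
}
```

On an older nginx, replace `ssl_reject_handshake on;` in the catch-all with a self-signed certificate and `return 403;`; in both cases run `nginx -t` before reloading, and with Docker make sure the catch-all block is in the config the container actually loads.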

The correct way to solve this problem in the "AWS world" would be to use an Application Load Balancer with listener rules in front of your EC2 instance, and to place your actual server in an Auto Scaling Group.

This provides a lot of other benefits:

  • the AWS SLA does not apply if your workload cannot be load-balanced across at least 2 Availability Zones
  • it is simple to add an AWS-generated TLS certificate (extra bonus: it auto-renews)
  • built-in DDoS protection, to a certain extent
  • auto scaling
  • instance refresh
  • failover

Please note that for the apex domain name to work, it would be best to migrate the actual domain to AWS Route53, or at least delegate control to AWS.
