Access only through the domain name


Haruko Ishikawa

Well, so I have a question. Is there a way to only permit access through the domain? What I would like to do is deny direct access to the server IP and instead only allow connections containing the domain name. Is there a way to do this? Do you need a reverse proxy or something internally? I will be happy to hear your thoughts!! :)


Hi, there is no way to configure this in Emby Server, but I imagine you could via reverse proxy settings.

@pir8radio may have some tips.


Hi, probably the easiest way to accomplish this would be to install your server behind Cloudflare.

Have you looked into their free service?


Haruko Ishikawa

I am currently using Cloudflare, but somehow my IP is still listed. For example, Censys still lists the origin IP. Would you tell me how you configured your Cloudflare?

Basically, in Cloudflare you want all DNS records to show as "Proxied" and not "DNS only".

DNS only will give away your IP address, while Proxied will not.

Haruko Ishikawa

This is how it looks for me. Try typing your own hostname into Censys: https://search.censys.io/

This site can somehow still get the origin IP. This is why I want to block IP access and only allow access from the hostname. I may have a solution, though: I can build my own forward proxy internally.

That can happen if you have a leak in your DNS setup, but does it really matter?

People don't really target domains to gain access to your system; instead they run port scans of different IPs, so with or without a domain name it's not really any different.

Haruko Ishikawa

Hmm? Well, you may be right! But I still want to enforce the use of Cloudflare. That can be bypassed with the origin IP.

Haruko Ishikawa

But thanks for all the help, though! I will be closing this once I find out how to do that 😃. I have my own idea: I will set up a forward proxy which will enforce the use of the domain name, so that Cloudflare will be enforced.

Just trying to understand what you are trying to accomplish. I'm assuming you only have one port open for Emby, being the SSL port, correct?
If you use a cert generated by Cloudflare in Emby and have Emby set to Required, the only path that will work is via Cloudflare, because only Cloudflare will be able to use your server's cert to decrypt the packets.

rodainas

You can set up something like nginx to allow access to your server only by domain, and the IP just gives an error.

You can set a server block like this:
server {
    listen      80 default_server;
    listen      [::]:80 default_server;
    ## Catch-all for plain HTTP on the bare IP (or any unknown Host):
    ## either redirect to HTTPS or just drop the connection.
    #return 301 https://$host$request_uri;
    return      444;    ## close the connection without sending a response
}

server {
    listen      443 ssl default_server;
    listen      [::]:443 ssl default_server;
    ## Any certificate works here; it only completes the handshake before the
    ## connection is dropped, so a self-signed one that does not name your
    ## real domain is fine.
    ssl_certificate      /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key  /etc/ssl/private/nginx-selfsigned.key;
    return      444;
}
then a specific block for emby:

## Emby
server {
    listen [::]:443 ssl http2;    ## Listens on port 443 IPv6 with http2 and ssl enabled
    listen 443 ssl http2;         ## Listens on port 443 IPv4 with http2 and ssl enabled
    proxy_buffering off;          ## Sends data as fast as it can, not buffering large chunks.

    server_name yourservername.com;    ## only requests whose Host/SNI match this name land here
    ssl_certificate      /etc/ssl/certs/yourservername.com.crt;    ## placeholder paths: the real cert for the domain
    ssl_certificate_key  /etc/ssl/private/yourservername.com.key;

    location / {
        proxy_pass http://127.0.0.1:8096;    ## Emby's default HTTP port; adjust to your setup
    }
}
pir8radio
On 6/23/2021 at 6:27 AM, Haruko Ishikawa said:

I am currently using Cloudflare, but somehow my IP is still listed. For example, Censys still lists the origin IP. Would you tell me how you configured your Cloudflare?

Your IP is listed on Censys due to the SSL cert you are using on your origin server. It probably mentions your domain name. DO NOT use the cert Cloudflare gives you for your origin, and do not create a self-signed cert with your real domain name. What Censys does is go out and find every HTTPS response, log the SSL cert and the IP that cert responded on; it does not care about the domain name it used to find that cert. So now Censys has all of these SSL certs, they all contain the domain names they are meant to secure, and Censys links those domain names to the IP the cert was found on. Even though you have certs through Cloudflare that are protected and link back to their IPs, you created a back door by using an origin SSL cert that also contains your real domain name, and that cert can be served up over your real IP, leaving breadcrumbs.

To fix: since Cloudflare will accept any SSL cert from an origin server, I suggest you make your origin SSL cert something fake, like an SSL cert for coolbikes.com or lkjfdslkjfdslkfdslkjsfd.com, something like that. So when Censys logs that SSL cert it will be associated with your real server IP, but people and Censys won't be able to link the lkjfdslkjfdslkfdslkjsfd.com SSL cert to your actual domain name.

For example, my site: https://notallmine.net. Bet you can't trace that domain to my real internet IP. It's hidden, no back doors, no leaks.

That said... you still have a problem with hiding your origin IP, and that is if you EVER had a DNS entry for your domain name that pointed to that IP, it's already on the internet. The only way to truly hide a server is to use a fresh IP address that has never been tied to a domain name or exposed an SSL cert linking that IP to a real domain name. Give me a domain name and I can get you a list of every IP that has ever been tied to that domain name; even if that IP is dynamic, I can tell you your ISP and general location, which is usually not good and gets you one step closer to finding who owns the server. 🙂
But back to your original question: yes, using nginx you can prevent direct IP access a few ways.

In the nginx reverse proxy:

server {
	listen [::]:80;
	listen 80;
	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server;
	# Matches requests whose Host header is the bare IP; default_server on 443
	# additionally catches any Host/SNI that no other server block claims.
	server_name "PUT YOUR REAL SERVER IP ADDRESS HERE";

	return 444;    # close the connection without sending a response

	ssl_session_timeout 10m;
	ssl_protocols TLSv1.2 TLSv1.1 TLSv1;    # TLSv1 and TLSv1.1 are obsolete; TLSv1.2 TLSv1.3 is the usual modern set
	# Throwaway cert for a made-up name, so a scanner recording the cert served
	# on this IP never sees your real domain.
	ssl_certificate      ssl/kjfdsjlfd_com_pub.pem;
	ssl_certificate_key  ssl/kjfdsjlfd_com_pvt.pem;
	ssl_session_cache shared:SSL:10m;
}
Also, you will want to use the Cloudflare feature shown here: https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull

and you do that in nginx like this (inside the server block for your real domain; the .crt is Cloudflare's origin-pull CA certificate, so only connections presenting a client cert issued by it are accepted):

	ssl_client_certificate ssl/special_CF_Cert.crt;
	ssl_verify_client on;
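A way to check for the leak pir8radio describes, as an added example that is not code from this thread, from Emby, or from Cloudflare: it connects to an origin IP the way a scanner would (no certificate validation, with and without SNI), pulls the dNSName entries out of the served certificate's SAN extension, and reports any that would tie that IP to your real domain. It assumes only the Python 3 standard library; the IP, port and domain are command-line arguments, and `SAMPLE_DER` is a constructed byte string that only exercises the parser, not a real certificate.

```python
"""Does an origin IP serve a certificate naming your real domain?
That is the linkage Censys-style scanners use to map domains to origin IPs."""
import socket
import ssl
import sys

SAN_OID = b"\x06\x03\x55\x1d\x11"  # DER encoding of id-ce-subjectAltName (2.5.29.17)


def _der_len(buf, i):
    """Decode a DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:                       # short form
        return first, i + 1
    n = first & 0x7F                       # long form: next n bytes hold the length
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def san_dns_names(der):
    """Return the dNSName entries of a DER certificate's SAN extension.

    Minimal extractor, not a full X.509 parser: it locates the SAN OID and
    walks the GeneralNames SEQUENCE that follows, keeping [2] dNSName only.
    """
    pos = der.find(SAN_OID)
    if pos < 0:
        return []
    i = pos + len(SAN_OID)
    if der[i] == 0x01:                     # optional BOOLEAN 'critical' flag
        i += 3
    if der[i] != 0x04:                     # extnValue OCTET STRING
        return []
    _, i = _der_len(der, i + 1)
    if der[i] != 0x30:                     # GeneralNames SEQUENCE
        return []
    seq_len, i = _der_len(der, i + 1)
    end = i + seq_len
    names = []
    while i < end:
        tag = der[i]
        length, i = _der_len(der, i + 1)
        if tag == 0x82:                    # context tag [2] = dNSName (IA5String)
            names.append(der[i:i + length].decode("ascii"))
        i += length
    return names


def leaked_names(sans, domain):
    """SAN entries that would let a scanner tie the serving IP to `domain`:
    the domain itself, a wildcard or subdomain under it, or a parent of it.
    A lookalike such as example.com.evil.net does not count."""
    domain = domain.lower().rstrip(".")
    hits = []
    for san in sans:
        name = san.lower().rstrip(".")
        if name.startswith("*."):
            name = name[2:]
        if name == domain or name.endswith("." + domain) or domain.endswith("." + name):
            hits.append(san)
    return hits


def fetch_origin_der(ip, port=443, sni=None, timeout=5.0):
    """Fetch the cert an origin serves, scanner-style: no validation, SNI only
    if given. Works even if the server then drops the connection (nginx
    'return 444'), because the cert arrives during the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False             # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def check_origin(ip, domain, port=443):
    """Probe `ip` without SNI and with SNI=domain; map label -> leaked names
    (None if the probe failed)."""
    report = {}
    for label, sni in (("no SNI", None), ("SNI=" + domain, domain)):
        try:
            report[label] = leaked_names(san_dns_names(fetch_origin_der(ip, port, sni)), domain)
        except (OSError, ssl.SSLError):
            report[label] = None
    return report


# Constructed sample (assumption, NOT a real certificate): a SAN extension for
# emby.example.com and *.example.com wrapped in filler bytes, to exercise the parser.
def _tlv(tag, body):
    assert len(body) < 128, "sample uses short-form lengths only"
    return bytes([tag, len(body)]) + body


SAMPLE_DER = (
    b"\x30\x82\x01\x00" + b"\x00" * 40
    + SAN_OID + _tlv(0x04, _tlv(0x30, _tlv(0x82, b"emby.example.com") + _tlv(0x82, b"*.example.com")))
    + b"\x00" * 8
)

if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: %s ORIGIN_IP REAL_DOMAIN [PORT]" % sys.argv[0])
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
    for label, hits in check_origin(sys.argv[1], sys.argv[2], port).items():
        verdict = "probe failed" if hits is None else ("LEAKS " + ", ".join(hits) if hits else "clean")
        print("%-30s %s" % (label, verdict))
```

Run it against your own origin IP and real domain after applying the nginx catch-all; both probes should come back "clean" (the throwaway cert's made-up name), and the SNI probe in particular confirms that naming your real domain in the handshake still does not get your real certificate from the bare IP.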
