Prevent users from accessing the website on port 8080 (Apache) when using Varnish (on port 80)
Solution 1
You could bind the Apache daemon to the loopback interface and make Varnish connect to localhost:80. Thus, Varnish would be accessible to the world while Apache would be accessible only locally.
Varnish config:
backend www {
    .host = "localhost";
    .port = "80";
}
Apache config:
Listen 127.0.0.1:8080
...
<VirtualHost 127.0.0.1:8080>
...
Solution 2
Quickest option would be to simply bind the Apache instance to Localhost, so it would only be accessible from that machine.
<VirtualHost 127.0.0.1:8080>
Alternatively you could tweak the permissions of your Apache Virtual host directory block to:
Deny from all
Allow from 127.0.0.1 #IP.OF.MY.PC
This is slightly more flexible, as you can add your own IP, or net range to the permitted IP list, to allow a select few direct access for diagnostic purposes.
Both options above assume the Varnish instance is running on the same physical server.
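One way to confirm that the loopback binding from Solutions 1 and 2 took effect, as an added example that is not part of the original answers. The helper names `exposed_listeners` and `check_backend` are hypothetical, and the `ss -ltn` output lines are constructed samples.

```shell
#!/bin/sh
# Added example: report listeners on a TCP port that are not loopback-only.
# Reads `ss -ltn` style output on stdin, so saved output can be checked too.

# exposed_listeners PORT: print each non-loopback local address, one per line
exposed_listeners() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }               # skip the header and other states
        {
            local_addr = $4                   # the "Local Address:Port" column
            n = match(local_addr, /:[0-9]+$/) # port follows the LAST colon
            if (n == 0) next
            addr = substr(local_addr, 1, n - 1)
            p = substr(local_addr, n + 1)
            if (p != port) next
            gsub(/^\[|\]$/, "", addr)         # [::1] becomes ::1
            sub(/%.*$/, "", addr)             # drop an interface scope such as %lo
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print addr
        }'
}

# Constructed sample: Apache bound to every interface (<VirtualHost *:8080>).
SAMPLE_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      511    *:8080             *:*'

# Constructed sample: after "Listen 127.0.0.1:8080".
SAMPLE_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      511    127.0.0.1:8080     0.0.0.0:*'

# check_backend PORT < ss-output: returns 1 if the port is exposed
check_backend() {
    found=$(exposed_listeners "$1")
    if [ -n "$found" ]; then
        echo "port $1 reachable on: $found"
        return 1
    fi
    echo "port $1 is loopback-only"
}

printf '%s\n' "$SAMPLE_BEFORE" | check_backend 8080 || true
printf '%s\n' "$SAMPLE_AFTER"  | check_backend 8080
# On a live host: ss -ltn | check_backend 8080
```

This check looks at the bind address only, so a port that is merely filtered with iptables (Solution 3) still shows up as a wildcard listener.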
Solution 3
Simply block the 8080 port with iptables for the outside world like this:
# iptables -I INPUT -p tcp --dport 8080 -j DROP
# iptables -I INPUT -s localhost -j ACCEPT
Tristan
CTO @ Y-Proximité (Lyon - France) | @sf_tristanb Symfony developper | Personal project : http://www.seek-team.com
Updated on September 18, 2022
Comments
-
Tristan over 1 year
My configuration is very simple:
To avoid duplicate content, I want to prevent users from going on my website by hitting Apache directly (which is running on port 8080).
I have set up a Varnish server listening on port 80, so I want to use only this to avoid bots indexing the same website on a different port, which may cause a duplicate content issue.
I'm using a dedicated server with Debian 6.
My virtual host looks like:
<VirtualHost *:8080>
    ServerAdmin webmaster@localhost
    ServerName www.seek-team.com
    DocumentRoot ...
    DirectoryIndex app.php
    <Directory "/var/www/seek-team.com/current/web">
        Options -Indexes FollowSymLinks SymLinksifOwnerMatch
        AllowOverride All
        Allow from All
    </Directory>
</VirtualHost>
How can I prevent users from directly accessing the website using port 8080? (But I still need Varnish to hit Apache correctly.)
Thanks.
-
Tristan over 11 years
Do you have an example, please? It looks obscure to me as I'm not a sysadmin.
-
Gevial over 11 years
I've just edited the answer and included the example.
-
Tristan over 11 years
Thx, I'm going to test it ASAP.
-
Tristan over 11 years
It doesn't work, the traffic is all shut down. Varnish can't access port 80 (it is on the same server ofc).
-
Napster_X over 11 years
What's the value you have given in the .host section in Varnish? Is it the network interface IP or localhost? It should be localhost, and it will work.
-
Napster_X over 11 years
Also, the sequence in which you executed the iptables rules also matters; it should be the same as I pasted above.
-
Tristan over 11 years
I know, this is what I did, but after that, my website didn't respond. I also tried to put iptables -I INPUT -s 127.0.0.1 -j ACCEPT but it didn't work.