Prevent users from accessing the website on port 8080 (Apache) when using Varnish (on port 80)


Solution 1

You could bind the Apache daemon to the loopback interface and make Varnish connect to localhost:80. Thus, Varnish would be accessible to the world while Apache would be accessible only locally.

Varnish config:

backend www {
    .host = "localhost";
    .port = "80";
}

Apache config:

Listen 127.0.0.1:8080
...    
<VirtualHost 127.0.0.1:8080>
...

Solution 2

The quickest option would be to simply bind the Apache instance to localhost, so it would only be accessible from that machine.

<VirtualHost 127.0.0.1:8080>

Alternatively you could tweak the permissions of your Apache Virtual host directory block to:

Order deny,allow
Deny from all
# Append your own IP or range (IP.OF.MY.PC) to the Allow line for direct access
Allow from 127.0.0.1

This is slightly more flexible, as you can add your own IP, or net range to the permitted IP list, to allow a select few direct access for diagnostic purposes.

Both options above assume the Varnish instance is running on the same physical server.
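
A check for the loopback binding described in Solutions 1 and 2, as an added example that is not part of the original answers: it parses Apache `Listen` directives and a Varnish backend definition and reports any Apache listener reachable without going through Varnish, or a backend port that no `Listen` line serves. The sample configs are constructed and the function names are this example's own; it assumes a single backend with a numeric `.port`.

```python
import ipaddress
import re

# Constructed sample configs (not taken from a real server).
APACHE_CONF = """\
Listen 127.0.0.1:8080
<VirtualHost 127.0.0.1:8080>
    ServerName www.example.com
</VirtualHost>
"""
VARNISH_VCL = 'backend www {\n    .host = "localhost";\n    .port = "8080";\n}\n'

LISTEN_RE = re.compile(r"\s*Listen\s+(?:(\S+):)?(\d+)(?:\s+\S+)?\s*$", re.I)

def apache_listeners(conf):
    """Return (host, port) per Listen directive; host is '*' when omitted."""
    found = []
    for line in conf.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append(((m.group(1) or "*").strip("[]"), int(m.group(2))))
    return found

def varnish_backend(vcl):
    """Return (host, port) of the single backend (assumption: numeric port)."""
    host = re.search(r'\.host\s*=\s*"([^"]+)"', vcl).group(1)
    port = re.search(r'\.port\s*=\s*"(\d+)"', vcl).group(1)
    return host, int(port)

def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # '*' or another hostname: treat as externally reachable

def audit(apache_conf, vcl):
    """Return a list of findings; an empty list means the setup is consistent."""
    listeners = apache_listeners(apache_conf)
    b_host, b_port = varnish_backend(vcl)
    findings = [f"Apache listens on {h}:{p}, reachable without Varnish"
                for h, p in listeners if not is_loopback(h)]
    if not any(p == b_port for _, p in listeners):
        findings.append(f"Varnish backend {b_host}:{b_port} matches no Apache Listen port")
    return findings

if __name__ == "__main__":
    print(audit(APACHE_CONF, VARNISH_VCL) or "OK: Apache is loopback-only and the backend matches")
```
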

Solution 3

Simply block the 8080 port with iptables for the outside world like this:

 # iptables -I INPUT -p tcp --dport 8080 -j DROP

 # iptables -I INPUT -s localhost -j ACCEPT

Author by

Tristan

CTO @ Y-Proximité (Lyon - France) | @sf_tristanb Symfony developer | Personal project : http://www.seek-team.com

Updated on September 18, 2022

Comments

  • Tristan
    Tristan over 1 year

    My configuration is very simple:

    To avoid duplicate content, I want to prevent users from reaching my website by hitting Apache directly (which is running on port 8080).

    I have set up a Varnish server listening on port 80, so I want to use only this to avoid bots indexing the same website on different ports, which may cause duplicate content issues.

    I'm using a dedicated server with Debian 6.

    My virtual host looks like:

    <VirtualHost *:8080>
        ServerAdmin webmaster@localhost
        ServerName www.seek-team.com
    
        DocumentRoot ...
        DirectoryIndex app.php
    
        <Directory "/var/www/seek-team.com/current/web">
            Options -Indexes FollowSymLinks SymLinksifOwnerMatch
            AllowOverride All
            Allow from All
        </Directory>
    </VirtualHost>
    

    How can I prevent users from directly accessing the website on port 8080? (But I still need Varnish to hit Apache correctly.)

    Thanks.

  • Tristan
    Tristan over 11 years
    Do you have an example, please? It looks obscure to me as I'm not a sysadmin.
  • Gevial
    Gevial over 11 years
    I've just edited the answer and included the example.
  • Tristan
    Tristan over 11 years
    Thx, I'm going to test it ASAP.
  • Tristan
    Tristan over 11 years
    It doesn't work, the traffic is all shut down. Varnish can't access port 80 (it is on the same server ofc).
  • Napster_X
    Napster_X over 11 years
    What's the value in the .host section you have given in Varnish? Is it the network interface IP or localhost? It should be localhost, and it will work.
  • Napster_X
    Napster_X over 11 years
    Also, the sequence in which you executed the iptables rules also matters; it should be the same as I pasted above.
  • Tristan
    Tristan over 11 years
    I know, this is what I did, but after that, my website didn't respond. I also tried to put iptables -I INPUT -s 127.0.0.1 -j ACCEPT but it didn't work.