Nginx – Block direct port 80 access on default IP using iptables

centos6csfddosiptablesnginx

I am using nginx with cloudflare in front of my sites to protect them from layer 7 attacks but now some attackers found this new way and they are daily attacking my default IP directly with layer 7 attack instead of attacking the sites. I am returning 444 response to them when they open default page on direct ip address but still the attacks are too big so they are making all the site/server unavailable for few minutes and sometime for longer period depending on attack making Nginx busy.

So i wanted to ask if it's possible to disable port 80 access on default ip without affecting my other sites and services? These attacks are too big that that my log file for default vhost is becoming 1GB in less thn 1 hour so even returning 444 isn't working thats why i think blocking it at firewall level will be better?

Any suggestion how to achieve this with iptables?

I am using CentOS 6.9 with Ngiinx 1.13.

Anymore ideas? Still waiting!

Best Answer

You could setup iptables rules to only allow CloudFlare IPs to reach your Nginx instance on port 80 etc. This can be achieved by first creating an ipset with a list of CloudFlare's IPv4 ranges (available at https://www.cloudflare.com/ips-v4), then applying the appropriate iptables rules to utilise the set.

Something like the below should work:

ipset -N cloudflare nethash

ipset -q -A cloudflare A.B.C.D/M
... [ repeat above for each entry in CF ips-v4 file ]

iptables -A INPUT -p tcp --dport 80 -m set --match-set cloudflare src -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

Further Nginx Trick using the CloudFlare Ray-ID Header

For each site that does have CloudFlare in front of it, you can also apply this trick into Nginx. It effectively checks for the existence of the CloudFlare CF-Ray header, in the expected format. If this does NOT exist, 444 is returned (an immediate drop of the request).

server {
    listen A.B.C.D:80;
    server_name _;
    if ($http_cf_ray !~ '^[0-9a-f]{16}-[A-Z]{3}$') { return 444; }
...

I would imagine you could also disable logging at this point to further mitigate any excessive log noise (untested):

    if ($http_cf_ray !~ '^[0-9a-f]{16}-[A-Z]{3}$') { access_log off; error_log off; return 444; }

Related Solutions

Nginx – Block direct access to webserver IP via HTTPS

Today, I encountered the same problem with this block:

server {
  listen 443 ssl default_server;
  server_name <SERVER-IP>;
  return 444;
}

The nginx-logs says:

no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking

As you mentioned, this seems to disable the other server-blocks as well. It 's possible to fix this by using a (self-signed) certificate for the server-ip-address. I did this using openssl:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt -subj '/CN=<SERVER-IP>'

Then change the server-block to:

server {
    listen 443 ssl default_server;
    server_name <server-ip>;
    ssl_certificate         /path/to/certificate.crt;
    ssl_certificate_key     /path/to/privateKey.key;
    return 444;
}

When someone uses the SERVER-IP over https to access the server, nginx presents the (self-signed) certificate and NOT the domain-name-certificate you want to hide.

By the way, make your server-block-with-IP the default_server. This way, a client who has SNI disabled, will get the IP-certificate and NOT the domain-name-certificate. This can also be tested with openssl (the -servername option, which will enable SNI, is omitted):

openssl s_client -connect <SERVER-IP>:443

Best Answer

Further Nginx Trick using the CloudFlare Ray-ID Header

Related Solutions

Nginx – Block direct access to webserver IP via HTTPS

Related Topic