Block all except whitelisted IPs - digital-ocean

I would like to block all access to our demo site for some time with the exception of a group of listed IPs & IP ranges. Could you advise on how to do this?
I am hosting on digital ocean and I have cloudflare activated.
Thanks for the help anyways

This should be straightforward to achieve:
Ensure that the DNS record for your demo site is proxied by Cloudflare. You can check this in the Cloudflare Dashboard for your domain, in the DNS tab.
Add a Firewall Rule that will block all the traffic for your demo site unless it is coming from a list of allowed IP addresses. For example, using an expression such as:
(not ip.src in {192.0.2.1 192.0.2.2 192.0.2.3} and http.host eq "demo.example.com")
You can also define an IP List and reference it in your Firewall Rule - this would make it easier to maintain the list over time in a single place.
You can then turn the rule ON and OFF when needed.

Related

Google Indexing AWS Network Interface IP Address

I have a site running on ECS in AWS with the DNS being handled by Route53.
There are two network interfaces whose public IP addresses I can use to access the site. The problem is Google has indexed these IP addresses as well as the domain name.
How do I "redirect" the IP addresses to the domain name?
There are 2 aspects in your question:
You want your access using IP to resolve to your domain name
Google indexing your site with the wrong URL
For your 1st challenge, there isn't a native way to force browsers from IP back to URLs. You have to handle this in your application or infrastructure. Since you're running in ECS, that could either be a rule in a Load Balancer (e.g. if using Application Load Balancer, a rule that checks if Host-Header doesn't match your domain then redirect to your domain URL), or you could write the logic into your container.
Regarding the #2 problem, that might be because your IP was added to some site in the internet (remember that IPs are re-used in AWS), and as a result Google has the IP in the cache and it's refreshing it. To handle this problem, you might need to review if it's possible using Google's Removals Tool.

Setting up a static IP in AWS Security Group while using Cloudflare

I want to set up a security group that will only allow my static IP to hit an EC2 server, but because I use Cloudflare and it uses some IP/reverse proxy magic, the AWS security group only sees the Cloudflare IP and not my actual static IP. I looked all over and can't find any answer to how to do this. Has anyone figured this out?
You can't do this with security group settings.
Caching proxies like Cloudflare create a separate connection to the origin server, using one of their IP addresses.
You'd need to use those addresses in your security group, and maintain the rules if Cloudflare changes the list. But, the list is public.
https://www.cloudflare.com/ips/
Next, you need to configure your web server to deny requests when the CF-Connecting-IP HTTP header doesn't contain your IP address.
https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-
You have to do both, because if you don't restrict traffic to the Cloudflare IP address ranges with your security group, then traffic from elsewhere (not via Cloudflare) could forge the header containing the IP address.
Having done those two things, you have almost accomplished your objective, but not quite... because Cloudflare caches responses.
So, the next problem is, you also need to disable caching at Cloudflare, because once you fetch a page, it may be in the Cloudflare cache, where someone else might access it.
https://support.cloudflare.com/hc/en-us/articles/200168306-Is-there-a-tutorial-for-PageRules-
Really, for a case where you need to restrict access to a single IP (or a small set), it doesn't usually make a lot of sense to send the traffic through Cloudflare.
You could set up a Lambda function that parses the IP file from Cloudflare and updates your security groups dynamically. awslabs on GitHub has an example Lambda function that does it for CloudFront. Two problems you'll run into are that you'll have to schedule the Lambda function to run, since you can't subscribe to a queue like in the example, and possibly running out of security group rules; 50 is the limit.
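As an added example (not from the answer above), a Python check implementing the web-server half of the advice: believe CF-Connecting-IP only when the TCP peer is itself a Cloudflare address, then compare it to the allow-list. The Cloudflare ranges and the allowed client IP below are constructed placeholders; the real edge ranges come from the published list.

```python
import ipaddress
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed stand-ins for the Cloudflare edge ranges; in production load the
# published list (https://www.cloudflare.com/ips/) and keep it current.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
# Constructed example: the operator's static IP that may reach the origin.
ALLOWED_CLIENTS = {ipaddress.ip_address("192.0.2.10")}


def client_ip(remote_addr: str, headers: dict) -> Optional[IPAddress]:
    """Return the real client IP, or None if it cannot be trusted.

    CF-Connecting-IP is a plain request header: anyone who reaches the origin
    directly can set it to the allowed address. It is therefore only believed
    when the TCP peer itself is a Cloudflare edge, the same boundary the
    security group enforces at the network layer.
    """
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None
    if not any(peer in net for net in CLOUDFLARE_RANGES):
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("cf-connecting-ip")
    if value is None:
        return None
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None  # malformed header: fail closed


def is_allowed(remote_addr: str, headers: dict) -> bool:
    """True only when the proven client IP is on the allow-list."""
    ip = client_ip(remote_addr, headers)
    return ip is not None and ip in ALLOWED_CLIENTS


if __name__ == "__main__":
    # Via Cloudflare with the allowed client: accepted.
    print(is_allowed("198.51.100.7", {"CF-Connecting-IP": "192.0.2.10"}))  # True
    # Direct connection forging the header: rejected despite the "right" value.
    print(is_allowed("203.0.114.9", {"CF-Connecting-IP": "192.0.2.10"}))   # False
```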

Limiting IPs with ACL rules in AWS

There are two IP addresses (172.31.42.243 and 172.31.19.188) that are hitting my site in AWS (Beanstalk hosted) repeatedly with garbage requests.
I have tried to block them using ACL deny rules. If I add only one I'm still able to hit my site. If I add both then I'm not able to hit my site.
Both the deny rules are using /32 for the CIDR notation and the deny rules I added are lower numbers than the default allow all rule. What am I doing wrong?
Those aren't the IP addresses of the machines that are attacking you; those are the internal IP addresses of your ELB. That's also why you can't access your site after blocking them - no one can!
You need to look at the access logs on the ELB, not on your application server, to determine which IP address(es) are attacking you. You can configure access logging on your ELB on the "Description" tab, under "Attributes".

link a Google Domain to Amazon ec2 server

I am using an Amazon EC2 instance to serve a node.js app. I recently purchased a domain name through Google Domains and I want to use that domain name to access my node.js app.
The Google Domains console allows you to forward your domain traffic to another website. I set it to forward traffic to the public IP address of my EC2 instance. I can access my app just fine now, but when I type www.myDomainName.com into a web browser, the URL bar immediately changes and displays the digits of my EC2 IP address.
I would like the URL bar to display the name of my domain instead.
Note:
I have read a few SO questions related to this and can't figure it out. Some of them are a bit over my head. Many of them say to use an Amazon Elastic IP, but I don't understand why this is necessary if the public IP of my EC2 instance seems to work just fine. If the solution here is to use Amazon Elastic IP, I would really appreciate an explanation as to why that is necessary.
It sounds like you are using Google Domains to redirect to another site once the request has hit the Google servers. This is fine and dandy if you have another domain you are wanting to redirect to.
If you want it to stay under your domain name, but point to another location you need to actually change the DNS entries for your domain.
Go to Google Domain services and change your master (*) (A) record, as well as your WWW (A) record, to point at your public IP address. That way when a DNS request is sent for your domain it will just ask Amazon's servers what to do instead of using a redirect from Google.
Exact Steps:
From the Google Domains website, click the middle tab to open DNS settings
Fill out the form near the bottom of the page titled, Custom Resource Record
Name: In this scenario we want to use "#" or "www"
# is the root record (or anything not specifically set)[all]
www is the record for when people type www.example.com
Type: There are two types; A refers to IPv4 address and AAAA refers to IPv6 address
You can set both of them separately, generally you want to use the A [IPv4]
TTL: Time to live, recommend leaving 1hr (this is an advanced attribute)
Data: The actual IP address you are wanting to point to (your website)
Example: 8.8.8.8 [Google Nameserver]
Now that all the blanks are filled out, press the "Add" button
Wait for the records to be updated publicly
This will take approx. 1hr (as long as you kept TTL at 1hr)
This step can take longer depending on Google's servers
Check your website www.example.com to confirm it has updated
Addendum to Zax's Answer
While Zax's answer is fully accurate, it looks like it wasn't sufficient to help out the OP, and maybe not for others, too.
When you go to Google Domains (at least as of March 2017), you'll see several different tabs. The middle tab is the one to configure the DNS. Choose that tab.
Near the bottom of the page on the DNS tab you'll see a section Custom resource records. Within that section, you can add more entries. An entry consists of:
Name: this is briefly described by Google, but in short, likely you'll either want to use # or www, where the former means "root level" and the latter means "www subdomain".
For instance, if you registered imsocool.com, then # points to imsocool.com whereas www points to www.imsocool.com.
Type: you'll probably either want A which is an IPv4 Address or you'll want AAAA, which is an IPv6 Address. (That's assuming you're trying to point to a website, not an e-mail server or whatever else.)
TTL: time-to-live, I don't think you'll need to worry about it much, so just use the 1h (one hour) default.
data: again, presuming you are pointing to a website, that will be the actual IP address. E.g., 54.49.66.128, or whatever your IPv4 (or v6) server address is.
Once you've filled in all the blanks, simply hit the blue "Add" button.
Wait a while for the DNS update to happen.
The most it should take is 1 hour, if that's what you had placed above. But it could potentially be much quicker.
Then check to see that all is working by visiting your site using the name, e.g., imsocool.com.
In your google domain admin dashboard, select the dns configuration of your domain name.
Go to Custom resource records and set a new record with the subdomain you require: for the site webapp.example.com use webapp and select Type A. Leave the TTL field blank and add your public IP from the Amazon EC2 instance. Then just browse the site webapp.example.com and it will retrieve the site on your EC2 under the domain name.
If you need to redirect the www.example.com domain then just add a record with www, also selecting the type A and adding your public IP from your EC2 instance.

A(Host) Records with AWS Load Balancer

I have a question regarding AWS Load Balancers.
I can point my CNAME www to my load balancer's DNS perfectly and I know it will always work, BUT I also need to point the # record to the load balancer so people can access mysite.com instead of www.mysite.com and hit the load balancer.
The problem is that the A records have to point to an IP address, so I can't point to the DNS name, and the IP of the load balancer keeps changing, so mysite.com stops working.
Can anyone recommend me a work around for this?
Here are the steps.
Click create record set
For zone apex record just leave the name field blank
Select the type of alias you want to make A or AAAA (all steps after this are the same for both types)
Select the yes radio button.
Open the EC2 console in another tab and navigate to the list of your load balancers.
Click on the load balancer and look at the description tab in the pane below the list. Sample output below
You need a web server that does a redirect instead. i.e. you want to send a 301 "Moved Permanently" from the web server that mysite.com points to, redirecting to www.mysite.com. Then you CNAME www.mysite.com over to Amazon.
Some DNS hosting providers will do this for you, I think GoDaddy does. Otherwise you need to set up a web server you can configure to do this.
The Apache configuration in .htaccess could be for example:
RewriteEngine on
# Anchor the host match: an unanchored "mysite.com" also matches www.mysite.com and would redirect in a loop
RewriteCond %{HTTP_HOST} ^mysite\.com$ [NC]
RewriteRule ^(.*)$ http://www.mysite.com/$1 [L,R=permanent]
If you have a generic Apache-hosting site that supports .htaccess then you could do that.
Anyway what you're looking for is a redirect.
Technically, it can't be done. You can only refer to an Amazon load balancer using a CNAME and it breaks DNS rules to assign a CNAME to the root of the domain because of issues this causes with MX records.
That said, some DNS providers do allow you to do this; Amazon's Route 53 doesn't, but Zoneedit allows it (with a warning). If you don't need your email to work for that domain, this is a solution. If you do need email, mine did happen to work using Zoneedit, but the DNS rules say you can't rely on this.
Edit: After my post Amazon added the ability to map the root of a domain (a.k.a. the zone apex) to a load balancer using Route 53. See this blog post.
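To make the DNS rule David cites concrete, here is an added example (not from his answer or from Amazon) that flags any name holding a CNAME together with other record types, run over a constructed zone where the apex CNAME to a placeholder ELB hostname fails the check and the alias-style A record passes it.

```python
from collections import defaultdict
from typing import Iterable, List, Tuple

Record = Tuple[str, str, str]  # (owner name, RR type, rdata)


def cname_conflicts(records: Iterable[Record]) -> List[str]:
    """Return owner names that hold a CNAME alongside any other record type.

    RFC 1034 section 3.6.2: if a CNAME is present at a name, no other data
    should be present there. The zone apex always carries SOA and NS (and
    usually MX), so a CNAME at the apex can never comply with the rule.
    """
    types_at = defaultdict(set)
    for name, rrtype, _ in records:
        types_at[name.lower().rstrip(".")].add(rrtype.upper())
    return sorted(
        name for name, types in types_at.items()
        if "CNAME" in types and types - {"CNAME"}
    )


# Constructed sample zone; the ELB hostname is a placeholder, not a real one.
ELB = "my-elb-PLACEHOLDER.us-east-1.elb.amazonaws.com."
APEX_CNAME_ZONE = [
    ("mysite.com.", "SOA", "ns1.example.net. hostmaster.mysite.com. 1 7200 900 1209600 3600"),
    ("mysite.com.", "NS", "ns1.example.net."),
    ("mysite.com.", "MX", "10 mail.mysite.com."),
    ("mysite.com.", "CNAME", ELB),         # the tempting but invalid shortcut
    ("www.mysite.com.", "CNAME", ELB),     # fine: nothing else lives at www
]

# Same zone done the Route 53 way: the apex holds an A record whose value the
# provider fills in server-side from the ELB name (an "alias"), so the CNAME
# rule is never triggered and MX keeps working.
APEX_ALIAS_ZONE = [r for r in APEX_CNAME_ZONE if r[:2] != ("mysite.com.", "CNAME")] + [
    ("mysite.com.", "A", "192.0.2.40"),    # constructed: what the alias currently resolves to
]

if __name__ == "__main__":
    print(cname_conflicts(APEX_CNAME_ZONE))  # ['mysite.com']
    print(cname_conflicts(APEX_ALIAS_ZONE))  # []
```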
As David points out, you can't do it and still remain within the DNS RFC. You could just build a small non-load-balanced instance somewhere that just redirects mysite.com -> www.mysite.com. Not a totally elegant solution, but a workaround.
Amazon now has functionality in Route53 that provides a mechanism for binding A records to ELBs: http://www.allthingsdistributed.com/2011/05/aws_ipv6.html
You do NOT need a redirect, and yes it CAN be done. It's just not in the normal mode of working with DNS, so many people aren't comfortable using zone apexes with ELB aliases yet.
See the links given in other answers here, especially https://serverfault.com/questions/342904/how-do-you-create-a-zone-apex-alias-that-points-to-a-elastic-load-balancer-in-th
Amazon has added a special alias option in their route 53 DNS service. You can point an A record as an alias to the load balancer dns. I ran into this same problem because I host my own DNS servers using Bind 9. I didn't want to use the CNAME with redirect solution. The route 53 solution is better and Amazon is great at propagating DNS info across the globe.
Here is an explanation of how to use route 53 with the special alias record for elastic load balancers.
https://serverfault.com/questions/342904/how-do-you-create-a-zone-apex-alias-that-points-to-a-elastic-load-balancer-in-th
The redirect from DNS service provider didn't work for me.
I decided to give up the use of the load balancer (from the beginning I created it only to try to hack around the mentioned certificate problem). If you must use an LB, read Opt #2 below; I didn't try it but I think it should work.
Opt #1 (without LB)
Take the certificate you got from the trusted issuer and install it directly on the server. Configure the redirect (http to https) on the server; it will handle www as well.
I used a Bitnami image so I could use bncert-tool for that.
Opt #2 (with LB; you should have the certificate body and private key)
Do Opt #1, then go to Certificate Manager at AWS -> import certificate, and then use that certificate with your LB. That way you have the same certificate in both cases.
I never tried Opt #2.
Good luck
For someone who is not using Amazon Route 53 it seems like a recommended solution is to create a Network Load Balancer which then points to an Application Load Balancer, which then points to our EC2 instances.
The Network Load Balancer has a static IP Address, which is what you want.
Source: https://aws.amazon.com/premiumsupport/knowledge-center/alb-static-ip/