I have an ec2 instance which is open to public access with ip address. I have now connected a domain with it and want to use that domain only. I need to block access to ip. I tried changing security groups but no luck.
There is no way to block access by hostname by using security groups, these simply function as a whitelist for incoming IP addresses.
You have 2 solutions that can be used to allow this functionality:
The first solution would be to add a secondary host configuration in your web server (apache, NGINX) to have your web site domain. Have the first host (or default host) return a 403 if any user attempts to access on that page.
The second solution would be to add either CloudFront or a load balancer in front of your application. You could then add a WAF with a default block policy. It would only allow traffic through if the "Host" header matched the name of your site.
Related
I have a site running on ECS in AWS with the DNS being handled by Route53.
There are two network interfaces which I can use the Public IP addresses of to access the site. The problem is Google has indexed this IP addresses as well as the domain name.
How do I "redirect" the IP addresses to the domain name?
There are 2 aspects in your question:
You want your access using IP to resolve to your domain name
Google indexing your site with the wrong URL
For your 1st challenge, there isn't a native way to force browsers from IP back to URLs. You have to handle this in your application or infrastructure. Since you're running in ECS, that could either be a rule in a Load Balancer (e.g. if using Application Load Balancer, a rule that checks if Host-Header doesn't match your domain then redirect to your domain URL), or you could write the logic into your container.
Regarding the #2 problem, that might be because your IP was added to some site in the internet (remember that IPs are re-used in AWS), and as a result Google has the IP in the cache and it's refreshing it. To handle this problem, you might need to review if it's possible using Google's Removals Tool.
I have a wordpress website hosted on AWS Lightsail.
I added an A record to my DNS pointing my custom domain to the static ip of the Lightsail instance.
But, I don't want the website to be accessible via the static ip, only via my custom domain.
How can I block access to the static ip?
Thanks!
As your domain name is resolving to the IP address the IP address will still need to allow ingress into the IP.
For this reason the change will need to happen within the host.
Depending on the web server technology you are using (such as Apache or Nginx) the first host file that loads is served if no other host configuration is matched.
If you add the secondary vhost for your domain ensuring you explicitly reference the domain, then in the default host rather than serving your application return a 403 instead this will prevent bypassing your domain name.
More information is available in the following links:
Apache VHOST configuration
Nginx configuration
I have bought a domain name from GoDaddy and would like to host it on an EC2 instance. I have created the instance and have installed apache. I have added an index.php with phpinfo(); and it is showing correctly when I access the public IP on browser. Now I would like to point my domain name to this instance. For this I have added an A RECORD at Godaddy DNS configuration. But when I access the doamin, it is showing
ERR_CONNECTION_TIMED_OUT
message in the broswer. Is there any additional settings I need to do ?
What you did is what it is needed. SO if it is not working then then you have to check everything again :
- check (for example with ping) if the domain is in fact resolving to correct IP address (from your computer and from instance for example to use different DNS servers). You can also use host command (for example host www.mydomain.com 8.8.8.8 - it will use google's dns (8.8.8.8) as the source of truth
- check if Security Group in aws allows inbound traffic (that's probably true as you can reach the instance directly)
- try to connect from different network (again this should not be problem as IP is reachable using IP).
you can also post the domain name and requested Ip so we can check this for you ;)
I want to add my ec2 load balancer to my domain, under mysite.com/api/etc. On route53 it only lets me add a subdomain. In theory I could do api.mysite.com but I want to see if mysite.com/api is possible first. Currently in my route53 record sets, I just have one for mysite.com and www.mysite.com, (www.mysite.com points to my cloudfront which points to my s3 bucket which redirects to the mysite.com bucket). The reason for all of this is that I want to be able to make https api calls to my ec2 server, but it appears I get a several errors with my current configuration. When I access it via browser, I receive an ERR_CONNECION_TIMED_OUT, and when I use python.requests, I get a
SSL.ERROR: HTTPSConnectionPool...(Casused by SSLError(CertificatError
("hostname 'my-ec2-env-us-east-1.elasticbeanstalk.com'
doesn't match either of 'mysite.com, www.mysite.com)
I assume this certificate error is causing my browser timed out error (I'm fairly certain my other configurations are correct, I added my HTTPS port 443 to security groups with inbound settings to allow 0.0.0.0/0 and ::/0, and I selected the 2016-8 SSL Policy. To resolve this certificate error, I assume I need to purchase another domain/add it onto my existing domain, add a certificate to it, and have the endpoint be my EC2 load balancer.
I have an api running in a EC2 instance in AWS in certain port (ej 8000). I have register a domain in bluehost provider.
Currently my app is pointing to the IP that offer the EC2 instance, but I want to change to the domain in order to use like api.mydomain.com:8000.
I tried to create a configuration in the DNS zone of panel control in the bluehost account, but it does not work, I think the DNS type I have to use is the 'SRV record', but I tried some configuration but the cpanel dont take it.
How I can make that the request to 'api.mydomain.com:8000' redirect to the EC2 instance's IP and the configurated port?. Thank you
You can use a normal A record for api.mydomain.com and point that to your instances IP address. You don't include the port anywhere in the DNS configuration.
If it was a website that was on port 8000 you would type api.mydomain.com:8000 in your browser url.
Make sure that your instances security group is open on port 8000, and that your instance is listening on port 8000.
When you say "it didn't work", what do you mean? Where was there a failure?
Normally you would create an 'A'record to point a domain name to a IP address, not a 'SRV' record.