How to Block Direct IP Address Access (http & https) on Apache2/NginX

How to Block Direct IP Address Access on Apache2/NginX: A web server can host more than one website on the same server IP address, depending on how we as sysadmins configure it, by putting spare resources to use for multi-site hosting. So what if each server has its own IP address?

In this case, if a server has its own IP address and the server configuration is left at its defaults, the site can be reached by typing the IP address as the URL in a web browser. This sometimes becomes a problem when crawlers crawl an IP address that should not be visible.

We probably won’t have this problem if we use shared hosting.

A server is fundamentally reached by its IP address, and DNS acts as the translator: instead of remembering or sharing the server's IP address, we use a domain name that is easy to remember. DNS, the Domain Name System, translates human-readable domain names such as judisweb.com into machine-readable IP addresses such as 172.5.23.134.

But if we run the Apache2/NginX webserver itself on a VPS or dedicated server, our webserver can be accessed directly using the IP Address.

[Screenshots: the site opened with the domain name; the site opened with the IP address; the result after direct IP access is disabled]

Block Apache2 HTTP IP Address Access

Create a new website configuration file in the Apache2 sites-available directory, /etc/apache2/sites-available, with any name you like, for example disable_direct_ip_access_http.conf.

sudo nano /etc/apache2/sites-available/disable_direct_ip_access_http.conf

<VirtualHost *:80>
    ServerName IP_ADDRESS
    Redirect 403 /
    DocumentRoot /var/www/html
</VirtualHost>

Save the file, exit the nano editor, and enable the new configuration:

sudo a2ensite disable_direct_ip_access_http.conf

Then restart apache2:

sudo systemctl restart apache2

Block Apache2 HTTPS/SSL IP Address Access

Create a new website configuration file in the Apache2 sites-available directory, /etc/apache2/sites-available, with any name you like, for example disable_direct_ip_access_ssl.conf.

sudo nano /etc/apache2/sites-available/disable_direct_ip_access_ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName xxx.xxx.xxx.xxx
        Redirect 403 /
        DocumentRoot /var/www/YOURDOMAIN.COM/public_html
    </VirtualHost>
</IfModule>

Save the file, exit the nano editor, and enable the new configuration:

sudo a2ensite disable_direct_ip_access_ssl.conf

Then restart apache2:

sudo systemctl restart apache2

Block NginX HTTP IP Address Access

Create a new website configuration file in the Nginx sites-available directory, /etc/nginx/sites-available, with any name you like, for example disable_direct_ip_access.conf, with or without the .conf file extension.

sudo nano /etc/nginx/sites-available/disable_direct_ip_access_http

or:

sudo nano /etc/nginx/sites-available/disable_direct_ip_access_http.conf

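Once enabled, this configuration can act as the default for every server_name that is not explicitly specified elsewhere. Note that server_name _ is only a name that never matches a real host: Nginx sends a request whose Host matches no server_name to the server block marked default_server on its listen directive or, when none is marked, to the first block loaded for that port, so this block must be the one in that position. In the previous article, How to Make NginX Server Block, I explained how to create a virtual host where server_name is explicitly specified, for example: www.domainname1.com domainname1.com.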

server {
    listen 80;
    listen [::]:80;
    server_name _;

    #return <HTTP_RESPONSE_STATUS_CODE>;
    return 444;
}

Note: Response code 444 is an Nginx-specific pseudo-response code. It instructs Nginx to close the connection without sending any response.

If preferred, we can use return 404 (not found) or return 403 (forbidden) instead, to tell the user that there is nothing to find here or that access is forbidden.

Or using redirects:

server {
        listen 80;
        server_name IP_ADDRESS;
        return 301 http://YOUR.DOMAIN;
}

When this configuration is enabled, the site should no longer be reachable over http:// by its IP address.

Enable the new Nginx configuration that blocks IP address access:

sudo ln -s /etc/nginx/sites-available/disable_direct_ip_access_http /etc/nginx/sites-enabled/

Then restart NginX:

sudo service nginx restart

3 Ways to Block NginX HTTPS/SSL IP Address Access

There are 3 ways to Block NginX HTTPS IP Address Access:

  1. Using self-signed ssl_certificate
  2. Using ssl_reject_handshake
  3. Using IF

Check the Nginx version first, because the method to use depends on it:

nginx -v

Using Self-signed ssl_certificate For older NginX versions under 1.19.4

Step 1: Create a self-signed placeholder certificate

sudo mkdir -p /usr/local/etc/ssl
cd /usr/local/etc/ssl
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout default.key -out default.crt -subj '/CN='

Step 2: Create NginX Server Block (virtual host)

Next, let's look at the server block settings. We can use the default configuration file located at /etc/nginx/sites-available/default, or create a new configuration file, /etc/nginx/sites-available/disable_direct_ip_access_http_https.

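sudo nano /etc/nginx/sites-available/disable_direct_ip_access_http_https

server {
    listen 80;
    listen [::]:80;

    # The ssl parameter makes Nginx speak TLS on this port
    listen 443 ssl;
    listen [::]:443 ssl;

    # Only anonymous cipher suites are offered, which browsers do not negotiate
    ssl_ciphers aNULL;
    # Placeholder certificate and key created in Step 1
    ssl_certificate /usr/local/etc/ssl/default.crt;
    ssl_certificate_key /usr/local/etc/ssl/default.key;

    server_name _;
    #return <HTTP_RESPONSE_STATUS_CODE>;
    return 444;
}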

Step 3: Enable Server Block/Virtual Host Nginx

sudo ln -s /etc/nginx/sites-available/disable_direct_ip_access_http_https /etc/nginx/sites-enabled/

and after that restart NginX:

sudo service nginx restart

Using ssl_reject_handshake For NginX version 1.19.4 and up

If we are using Nginx 1.19.4 or later, using ssl_reject_handshake makes it very easy to block direct IP access over HTTPS.

Step 1: Create an NginX Server Block (virtual host)

We can use the default configuration file located at /etc/nginx/sites-available/default, or create a new configuration file, /etc/nginx/sites-available/disable_direct_ip_access_http_https.

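sudo nano /etc/nginx/sites-available/disable_direct_ip_access_http_https

server {
    listen 80;
    listen [::]:80;

    # The ssl parameter makes Nginx speak TLS on this port
    listen 443 ssl;
    listen [::]:443 ssl;
    # Abort the TLS handshake for names handled by this block; no certificate is needed
    ssl_reject_handshake on;

    server_name _;
    return 444;
}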

Step 2: Enable Server Block/Virtual Host Nginx

Enable server block/virtual host configuration:

sudo ln -s /etc/nginx/sites-available/disable_direct_ip_access_http_https /etc/nginx/sites-enabled/

Then restart nginx:

sudo service nginx restart

Using IF

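server {
    # The ssl parameter makes Nginx speak TLS on this port
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name YOUR_DOMAIN.com;

    # This certificate is still presented to clients that connect by IP address,
    # because the check below runs only after the TLS handshake
    ssl_certificate /etc/nginx/ssl/YOUR_DOMAIN.com.crt;
    ssl_certificate_key /etc/nginx/ssl/YOUR_DOMAIN.com.key;

    if ($host != "YOUR_DOMAIN.com") {
        return 444;
    }
}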
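
To confirm the result from another machine, the following script requests the server by IP address and by name over both HTTP and HTTPS and classifies what curl reports. It is an added example, not part of the original article: the script name check_ip_block.sh, the function names classify, probe and verify, and the two arguments are assumptions, and curl must be installed.

```shell
#!/bin/sh
# Added example: check from another machine that direct-IP access is blocked
# while the named site still answers. Arguments are placeholders you supply.

# classify CURL_EXIT HTTP_STATUS -> blocked|redirected|served|unreachable|unknown
classify() {
    case "$1" in
        0)  case "$2" in
                403|404)         echo blocked ;;     # Redirect 403, return 403/404
                301|302|307|308) echo redirected ;;  # return 301 http://YOUR.DOMAIN
                *)               echo served ;;      # some site answered
            esac ;;
        52|56) echo blocked ;;      # empty reply or reset: nginx "return 444"
        35)    echo blocked ;;      # TLS handshake refused (ssl_reject_handshake, aNULL)
        7|28)  echo unreachable ;;  # refused or timed out: proves nothing about vhosts
        *)     echo unknown ;;
    esac
}

# probe URL [extra curl options] -> classification of one request
probe() {
    url=$1; shift
    # -k: the placeholder certificate is self-signed; 000 is printed if no reply
    status=$(curl -sk -o /dev/null --max-time 5 -w '%{http_code}' "$@" "$url") \
        && rc=0 || rc=$?
    classify "$rc" "$status"
}

# verify IP DOMAIN -> returns 0 only if the IP is blocked and the name is served
verify() {
    ip=$1; domain=$2; fail=0
    for pair in http:80 https:443; do
        scheme=${pair%%:*}; port=${pair##*:}
        by_ip=$(probe "$scheme://$ip/")
        # --resolve pins the name to this server, independent of DNS
        by_name=$(probe "$scheme://$domain/" --resolve "$domain:$port:$ip")
        echo "$scheme: by IP = $by_ip, by name = $by_name"
        case "$by_ip" in blocked|redirected) ;; *) fail=1 ;; esac
        case "$by_name" in served|redirected) ;; *) fail=1 ;; esac
    done
    return "$fail"
}

# Run only when both arguments are given: sh check_ip_block.sh IP_ADDRESS YOUR.DOMAIN
if [ "$#" -eq 2 ]; then
    verify "$1" "$2"
fi
```

A result of "served" for the IP address means a site still answers there; "unreachable" usually points at a firewall or a stopped service rather than at the virtual host configuration.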

Conclusion

From the tutorial above, we have learned How to Block Direct IP Address Access (http & https) on Apache2/NginX step by step using both the Nginx and Apache2 webservers.

Hope it is useful.
