Is there a way to set HAProxy to listen on a specific port only if the hostname from the IP used matches a certain criteria?
The distinctin is important: My server has multiple IPs, which match a domain (www1.xxxx.com, www2.xxxx.com, etc).
I want to open port YYYY only if the domain used to connect to HAProxy is www.xxxx.com. If testing via www1.xxxx.com, that port would be refused.
Note that HAProxy is used in TCP mode, not HTTP.
Is this possible?
Thank you.
May be something like this?
listen port_3306
bind :3306
mode tcp
acl my-ip src 216.58.204.78
tcp-request content accept if my-ip
server my-test-comms localhost:3306 check
Attaching the documentation link, may be you can play around with those settings.
Hope this helps.
Related
I have a communication problem between Zabbix Proxy and Zabbix Server at port 10051. I’m using HAPROXY version 2.0.13. Look my Kubernetes scenario:
HAPROXY is working fine when I access my website zabbix.domain.com at port 80 and 443.
Zabbix-Proxy has a parameter “Server” that I set with ip address of worker-1 and the communication works fine, but this happen because the traffic don’t pass through HAPROXY server. When I try to set the Server parameter with my domain address zabbix.domain.com that go to my HAPROXY server, the communication dont work, give the impression that HAPROXY cant treat the request.
zabbix_proxy.conf: Work with Worker-1 ip addr, but dont work with domain name.
The domain name as I said, is pointing to HAPROXY server (10.0.0.110). I think the zabbix-proxy is trying to reach the port 10051 of HAPROXY server and the HAPROXY can’t deal with the requests to forward to my worker node.
This is my HAPROXY configuration, I test with frontend and backend, but now, I just rewrite with Listen parameter.
listen zabbix
mode tcp
bind :10051
option forwardfor
server worker-1 10.10.10.112:10051 check
server worker-1 10.10.10.113:10051 check
server worker-1 10.10.10.114:10051 check
Someone can help? There are some manner to point to my website zabbix.domain.com, the haproxy treat the request send to my worker-1 in port 10051? Please tell me If need more information.
So I have an EC2 instance on AWS and it runs Mongodb. I have been having issues with hackers for a few months now and I can't seem to figure out how to keep them out. Luckily, I don't have anything important on there.
I did notice that my security group on AWS is basically open to all. For example, my inbound rules:
Port 80, tcp, 0.0.0.0/0
Port 8080, tcp, 0.0.0.0/0
Port all, tcp, 0.0.0.0/0
Port 22, tcp, 0.0.0.0/0
Port 27017, tcp, 0.0.0.0/0
Port 443, tcp, 0.0.0.0/0
If i change the source is there a convention I should follow? How should I set the source? I am new to this as I did not set up my security groups. Just trying to figure out how I can keep out the hackers. They have been going at it for a while now.
The0.0.0.0/0 means that the port allows connection from anywhere on the internet.
If you set the source, only the source (whether it's an IP or a range of ups) will be able to access the port.
How are you going to set the source really depends on your needs.
your data source should ideally allow access only from trusted internal IPs. remove full access of all tcp ports. only keep 27017 and map it to the IP address which is accessing your system. For web access, it's best to configure a reverse proxy and access it via that proxy.
If you are the only one accessing the EC2 instance, you can edit your security group and choose "My IP" as the Source, and then only you would be able to access it and the hackers will not.
It is best practice to limit command and control ports (22, 3389, etc) to only be accessible from known networks, such as your home, VPN IP pool, or corporate network.
I am attempting to set up an apache2 web server on my raspberry pi. I am able to connect to it by doing http://localhost:8080 (8080 because my router blocks port 80). Although when I do http://my.pub.lic.ip:8080 the connection times out. I set up port forwarding so that requests going to my router on port 8080 go to my raspberry pi on port 8080. This does not seem to work but I'm also not sure if the port forwarding is the cause or if it is something else. Any suggestions?
Is your web server configured to listen on the network interface besides localhost?
https://httpd.apache.org/docs/2.4/bind.html
For example, to make the server accept connections on both port 80 and port 8000, on all interfaces, use:
Listen 80
Listen 8000
To make the server accept connections on port 80 for one interface, and port 8000 on another, use
Listen 192.0.2.1:80
Listen 192.0.2.5:8000
You can try using nmap by finding your router's public IP and on the raspberry pi type nmap my.pub.lic.ip This will show you what services are actually being published to the world. This gives more insight to the problem.
I got the web server up and running although for some reason it appears that my isp would only allow it to be hosted securely (as an https page)(I'm not sure if that's the right way to phrase it). To achieve this for free, I used cloudflare's ssl service. A tutorial to set it up for apache2 can be found here
Is it possible to use port 80 for non http traffic ? For example I'm making a small script that will communicate with a friends computer through the internet, however they must port forward it to get past the router. Is there a problem with using port 80 in the script so it will be let through automatically ? Is there some part of this i don't understand that will not let non http data through ? Please explain :)
there is no problem doing that. in fact, skype's default behaviour is to use port 80 and port 443 to transport voice!
There are a lot of ISPs that actually block port 80, so you might want to try a different port if you are having a problem (still needs to be forwarded)
The firewall on the computer also needs to be set to allow the incoming traffic.
This will work fine, but your friend may still need to setup port forwarding
If your friend's PC is the one listening on Port 80, he will need to setup port forwarding. Otherwise, how would the router/NAT know which computer in the house to bridge the connection to?
But if your friend's PC is the one making the outbound connection, then likely no port forwarding is needed at all on his end.
In other words, port forwarding (for TCP) is only for inbound connections. The router/NAT will automatically setup a port mapping scheme for outbound connections (as it does it with all web traffic).
I need to get the original endpoint configurations from the .csdef file, how can I do it?
I cannot use RoleEnvironment.CurrentRoleInstance.InstanceEndpoints, because it gives me the internal/local port in the virtual IP. But I need to know which is the port is being shown to the public.
For example I have a FTP server with a tcp 21 end point, but when I check at runrime to that collection it can has something like tcp 5100. When I bind the FTP server to tcp 5100 and access the server through, for example, 127.0.0.1:21 it works perfectly.
But for example, when I need to establish the PASV mode, I have to send back the IP and port where the client should connect. I'll work out the IP, but how could I know the port that has been configured for PASV? the port in the previous collection is not ensured to be the same that is exposed in the public interface.
So basically, how may I get the original .csdef configuration?
Cheers.
I'm not sure if this works with FTP but when using HTTP, it will returned the inner address and port if using HttpContext.Requst.Url. I was using Header["Host"] instead. Hope this helps.