How to return 444 for only specific HTTP and HTTPS sites

Posted by TheConsumer 
How to return 444 for only specific HTTP and HTTPS sites
May 04, 2010 11:03PM
What I would like to achieve:

Access to ONLY servers defined, all others receive a 444.

What I am getting instead:

Desired behavior with port 80 traffic, port 443, not so much.

Is it possible, upon the socket being established, to return a RST _before_ the cert exchange? Perhaps upon the Client Hello? I've tried to achieve this with IPTables and string matches, but not all browsers send the $host in the Client Hello.

I've tried defining the 'wildcard' SSL server with the 'ssl off' parameter and no certs, which generates the desired RST, but doesn't allow access to the SSL site that I _want_ clients to access, https://dom4.net, it too gets an ACK/RST after the Hello.

[code]
# Plain-HTTP catch-all: any Host not matched by a named server below is
# closed without a response (444 is nginx's "drop the connection" code).
server {
    server_name _;
    listen 80;
    return 444;
}
server {
    listen 80;
    server_name dom1.org www.dom1.org sub1.dom1.org dom2.com *.dom2.com dom3.org *.dom3.org;
    location / {
        access_log /var/log/nginx/access.global.log;
        proxy_pass http://1.2.3.4:80;
        proxy_buffering on;
        proxy_cache my-cache;
        proxy_cache_valid 200 302 10m;
        proxy_cache_valid 404 1m;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 1s;
    }
}
# HTTPS catch-all: the TLS handshake (including the certificate exchange)
# completes before nginx can see the Host header, so the 444 only happens
# after it.
server {
    server_name _;
    listen 443;
    ssl on;
    ssl_certificate /etc/nginx/mycert.crt;
    ssl_certificate_key /etc/nginx/mycert.pem;
    ssl_protocols SSLv2 SSLv3 TLSv1;   # as posted (2010); SSLv2/SSLv3 are obsolete today
    ssl_prefer_server_ciphers on;
    return 444;
}
server {
    listen 443 ssl;                    # same effect as "listen 443;" plus "ssl on;"
    server_name dom4.net;
    ssl_certificate /etc/nginx/mycert.crt;
    ssl_certificate_key /etc/nginx/mycert.pem;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_prefer_server_ciphers on;
    location / {
        access_log /var/log/nginx/access.soni.ssl.log;
        proxy_pass http://1.2.3.4:1234;
        proxy_buffering on;
        proxy_cache my-cache;
        proxy_cache_valid 200 302 10m;
        proxy_cache_valid 404 1m;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_pass_header Host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
[/code]

I posted a similar request here: http://forum.nginx.org/read.php?11,79112 -- But never received a response. I am hoping to achieve the above instead because it seems somehow more do-able.
Re: How to return 444 for only specific HTTP and HTTPS sites
July 07, 2010 04:43PM
...Anyone?
Re: How to return 444 for only specific HTTP and HTTPS sites
October 18, 2010 01:30PM
Anyone at all?
Re: How to return 444 for only specific HTTP and HTTPS sites
January 11, 2011 12:56PM
For anyone who is interested, I achieved this with iptables and a forced RST when the wrong subdomain is specified:

[code]
# Third packet from the client in the original direction, i.e. the first
# data-bearing segment after the SYN/ACK exchange (the TLS Client Hello):
# reset the connection unless that packet carries the expected server name.
iptables -A INPUT -i eth0 -p tcp --tcp-flags FIN,PSH,ACK PSH,ACK --dport [Listener Port] \
    -m connbytes --connbytes 3:3 --connbytes-dir original --connbytes-mode packets \
    -m string --algo bm ! --string "[FQDN of vhost]" \
    -j REJECT --reject-with tcp-reset
# Everything else to the listener port is passed through to nginx.
iptables -A INPUT -i eth0 -p tcp --dport [Listener Port] -j ACCEPT
[/code]
Re: How to return 444 for only specific HTTP and HTTPS sites
January 11, 2011 05:12PM
Note: the above solution only works with certain browsers, those which send the FQDN in the Client Hello.

Works: Firefox & Chrome.
Does not work: Internet Explorer & openssl s_client.

This solution is still satisfactory for my purposes.
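As an added example (not part of the thread), the following Python parses the host_name out of the TLS Client Hello's SNI extension, which is the field the iptables string match above is really keying on, and applies the same accept/reset policy. It uses constructed Client Hello records, one with SNI and one without, to show why clients that omit SNI are reset even when they want the allowed vhost; the function names and the sample host names are assumptions.

```python
import struct

def build_client_hello(sni):
    """Constructed sample: a minimal TLS 1.0 ClientHello record, with or without SNI."""
    body = b"\x03\x01" + b"\x00" * 32                # client_version + 32-byte random
    body += b"\x00"                                  # empty session_id
    body += b"\x00\x02\x00\x2f"                      # one cipher suite
    body += b"\x01\x00"                              # one compression method (null)
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_ext = struct.pack("!H", len(entry)) + entry          # ServerNameList
        ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext      # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22

def client_hello_sni(record):
    """Return the SNI host_name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None                                  # not a handshake record / not a ClientHello
        pos = 5 + 4 + 2 + 32                             # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                           # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + record[pos]                           # compression_methods
        if pos + 2 > len(record):
            return None                                  # no extensions block at all (older clients)
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0:                            # server_name extension
                p = pos + 2                              # skip ServerNameList length
                while p + 3 <= pos + ext_len:
                    name_len = struct.unpack("!H", record[p + 1:p + 3])[0]
                    if record[p] == 0:                   # host_name entry
                        return record[p + 3:p + 3 + name_len].decode("ascii", "replace")
                    p += 3 + name_len
            pos += ext_len
    except (IndexError, struct.error):
        pass                                             # truncated or garbage input
    return None

def firewall_verdict(record, allowed):
    """Same policy as the iptables rule: reset unless the expected name is present.
    Exact match on the parsed name rather than a substring search over the packet."""
    return "accept" if client_hello_sni(record) in allowed else "reset"
```

Unlike the `--string` match, which passes any packet containing the FQDN as a substring, this compares the whole parsed name. nginx 1.19.4 and later can achieve the same result inside the server with `ssl_reject_handshake on` in the default `listen 443 ssl` server block, which aborts the handshake before a certificate is sent.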