
Apache Server Directly Publicly Accessible Via Ports 7080 & 7081

Rho-Man

New Pleskian
Hi,
I realize that Nginx passes requests to Apache via ports 7080 and 7081, however why are these ports publicly accessible? Would this still work if I write the firewall rules (for these ports):
Allow incoming from 127.0.0.1
Deny incoming from all others

I am looking for a way to ensure all requests are via Nginx. Also, this is for a production server so I don't want to cause downtime by trying without asking the experts first.

Thanks.
 
It should work, since from what I see all traffic is passed to Apache through 127.0.0.1. E.g.:

Code:
location / {
[...]
        proxy_pass https://127.0.0.1:7081;
[...]
    }
 
Thanks.

Actually, my host .conf's read,

server {
listen 50.23.xxx.xxx:80;

...

location / { # IPv6 isn't supported in proxy_pass yet.
proxy_pass http://50.23.xxx.xxx:7080;

...

and similar for listen on port 443 with proxy pass to host ip on port 7081.

Where is the .conf stating it's passed to 127.0.0.1?

Thanks.
 
In that case, filtering 7080 or 7081 would kill your sites from functioning, unless you change it from the IP to 127.0.0.1.
 
Thanks.

That's why I didn't want to try without more assurance (I don't fully see the IP relationships). Nevertheless, my understanding is that the proxy_pass directive sets the address of the proxied server, not the IP from which the request is made. I thought the request from Nginx comes from localhost - 127.0.0.1? Isn't this similar to Apache requests on MySQL coming from 127.0.0.1? After all, Nginx and Apache are on the same server.

Thanks.
 
Thanks for your help Abdi,

I worked out how to write the firewall rule to do this for a server with hosts on dedicated IPs. The Nginx proxy_pass works very much like Apache's mod_proxy. The request IP is the proxy_pass IP. Therefore, the firewall rule becomes:

Allow incoming from 127.0.0.1
Allow incoming from 50.23.xxx.xxx/20 ## i.e. the host CIDR list of IP's
Deny incoming from all others

127.0.0.1 is probably not needed, but I put it in anyway (just in case).

I applied these rules to the firewall, and it works perfectly! Apache is no longer accessible from public IPs via ports 7080 & 7081. Thus, public http access is only via port 80, and https via port 443 ... via Nginx.
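
Added example, not part of the thread and not Plesk's own code: a pre-change check that reads the proxy_pass targets from an nginx config and reports which backend addresses a proposed allow list for ports 7080/7081 would cut off. It assumes, as the last post observes, that the request source equals the proxy_pass address; the config text, the 203.0.113.10 stand-in for the masked 50.23.xxx.xxx address, and all function names are constructed for illustration.

```python
import ipaddress
import re

BACKEND_PORTS = {7080, 7081}  # Apache ports behind nginx, from the thread

# Constructed nginx config; 203.0.113.10 stands in for the masked host IP.
SAMPLE_CONF = """
server {
    listen 203.0.113.10:80;
    location / { proxy_pass http://203.0.113.10:7080; }
}
server {
    listen 203.0.113.10:443 ssl;
    location / { proxy_pass https://203.0.113.10:7081; }
}
"""

PROXY_RE = re.compile(r"proxy_pass\s+https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*;")


def backend_addresses(conf_text):
    """IPv4 addresses that nginx proxies to on the Apache backend ports."""
    return {
        str(ipaddress.ip_address(host))
        for host, port in PROXY_RE.findall(conf_text)
        if int(port) in BACKEND_PORTS
    }


def verdict(rules, source):
    """First matching rule wins; no match is the final 'deny all others'."""
    addr = ipaddress.ip_address(source)
    for action, network in rules:
        if addr in ipaddress.ip_network(network):
            return action
    return "deny"


def blocked_backends(rules, conf_text):
    """Backend addresses whose proxied requests the rule set would drop."""
    return sorted(a for a in backend_addresses(conf_text)
                  if verdict(rules, a) != "allow")


# The two rule sets discussed in the thread (allow entries only).
LOOPBACK_ONLY = [("allow", "127.0.0.1/32")]
WITH_HOST_IPS = [("allow", "127.0.0.1/32"), ("allow", "203.0.113.10/32")]

if __name__ == "__main__":
    print("loopback-only rule set breaks:", blocked_backends(LOOPBACK_ONLY, SAMPLE_CONF))
    print("with host IPs breaks:", blocked_backends(WITH_HOST_IPS, SAMPLE_CONF))
    print("outside client 198.51.100.7:", verdict(WITH_HOST_IPS, "198.51.100.7"))
```

Listing the server's own addresses individually (or as the narrowest prefix that covers them) keeps neighbouring hosts in the same provider range from reaching the backend ports.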
 